
Hijackthis Log: Please Help Diagnose


13 replies to this topic

#1 rs123

Posted 18 May 2008 - 08:11 PM

I have no idea what is wrong with my PC. I have a laptop that is wireless but we use it pretty much only for web and email. I don't really want to do much else with the PC but it's practically impossible to use because it's SO slow. It takes 20 min just to boot up and then the browser barely works. I've followed all the logs and this as best I can but still stuck. There are lots of programs loading in background etc. but I have no idea what to turn off or even how - so all I want is web and email, everything else can go. Here is the hijack log - can someone help - I'm fairly illiterate with registry etc. but I've run Spybot, Adaware, CCleaner with no major issue.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:17 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://sctcdm04.extra.daimlerchrysler.com/iNotes6W.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180831951690
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7297 bytes

Thanks
rs123


#2 Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team

Posted 10 June 2008 - 12:47 PM

Hello rs123. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you still would like help, please follow the following instructions:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by Billy O'Neal, 10 June 2008 - 12:50 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 rs123
  • Topic Starter


Posted 18 June 2008 - 05:30 AM

Thanks, Bill. I appreciate your help. I did overtype my PC's IP address and MAC address out of the Kaspersky scan report because that is not information I want posted on an internet website. I verified the IP is the one assigned to this computer from my router and the MAC address is this PC's wireless card. I overtyped with (** comment **).

Deckard's System Scanner v20071014.68
Run by Rob on 2008-06-17 22:24:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-18 02:25:01 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:01 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Rob\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rob.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Xvtfmz] C:\Program Files\Yopf\Kpfhii.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Etujt] C:\Program Files\Psyu\Chehmpw.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Fifgp] C:\Program Files\Wccyo\Ocuae.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Gddqkd] C:\Program Files\Ygqrm\Ztwwa.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Dstqgcp] C:\Program Files\Uoouci\Xvbx.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Mlrbvrqt] C:\Program Files\Bpkybqd\Zpmycwf.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ivicfye] C:\Program Files\Kjuz\Icow.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Gmmilqaw] C:\Program Files\Ydtrpe\Kmss.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Lrzgtyw] C:\Program Files\Tjgwhq\Eizp.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Iggcuo] C:\Program Files\Coyp\Axgzlfh.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Csarsg] C:\Program Files\Nhvvfgj\Nerikt.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Jkpyh] C:\Program Files\Jotgw\Gumkoxg.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Gslfi] C:\Program Files\Trjsgf\Wjwqk.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Witcghsp] C:\Program Files\Pzhe\Vtsicni.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ckczu] C:\Program Files\Wadi\Caxu.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Fjztl] C:\Program Files\Bljiy\Mbpjjq.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Kcgzs] C:\Program Files\Nyubwxy\Apoai.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Lqfeikv] C:\Program Files\Rgkn\Mvpz.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Bzhnqana] C:\Program Files\Xmbt\Ctsibcg.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Kbdsdvug] C:\Program Files\Jzmmty\Ukzhr.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Osvzrlh] C:\Program Files\Sqeipn\Dtjaf.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Mndvu] C:\Program Files\Xuiwbq\Thugc.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Hxywxx] C:\Program Files\Ztvry\Dlsaka.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Gekwex] C:\Program Files\Vziw\Hroghi.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Senzt] C:\Program Files\Fdqq\Mamty.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Smquru] C:\Program Files\Ijed\Zohhfsh.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Nytajsdf] C:\Program Files\Wwobrqd\Jgvug.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Mzchjl] C:\Program Files\Cyjxixl\Wckp.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wdipt] C:\Program Files\Tbsmixd\Eyreowz.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ibmrgb] C:\Program Files\Gcgnjn\Egaaqe.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Yevsw] C:\Program Files\Hiuub\Oxuezk.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wudouxy] C:\Program Files\Dpkgsv\Btkwa.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wxoznonf] C:\Program Files\Qlpgz\Osvkzh.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Aqmoucdq] C:\Program Files\Tlqy\Icmxwrg.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Fildu] C:\Program Files\Aumu\Qjjk.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Iwflc] C:\Program Files\Owgnlfm\Zien.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ltabji] C:\Program Files\Aoduie\Mnbp.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Zmkpyawh] C:\Program Files\Jaus\Tozf.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Anmsdsud] C:\Program Files\Awhvb\Xojosvs.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ccpadj] C:\Program Files\Rahkt\Pnrk.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Epddsxa] C:\Program Files\Ouaun\Uqij.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Dbtauy] C:\Program Files\Sbqgmf\Uypw.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Qraqx] C:\Program Files\Oigj\Cfyxvtr.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ffgfoxz] C:\Program Files\Xykfyw\Wpdeczz.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Tiybsu] C:\Program Files\Reuy\Srzabi.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Yykjlo] C:\Program Files\Tkjfplu\Onizfgu.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Dutdrfsh] C:\Program Files\Ilqboy\Esynrs.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Rpgzmtzm] C:\Program Files\Omtxff\Jfmct.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Fowlazv] C:\Program Files\Kukieue\Eszqo.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Kywleu] C:\Program Files\Hnutydb\Usakbui.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Thslo] C:\Program Files\Yrdhqdt\Uohrke.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Qjema] C:\Program Files\Pvmwqdl\Vkoyt.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Xjujk] C:\Program Files\Xknxjpj\Krfniik.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Xautij] C:\Program Files\Tsdji\Grixcd.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Xuqgqjjo] C:\Program Files\Xhtugt\Uzdzab.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Jwygxhcz] C:\Program Files\Eisn\Dczgo.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wblwedme] C:\Program Files\Vxeqa\Lpkyos.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Lqltdk] C:\Program Files\Zmcbzn\Tjelp.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Ufnlgx] C:\Program Files\Elwfx\Dmzh.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Qdhadbo] C:\Program Files\Frlm\Bffomy.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Naxaz] C:\Program Files\Byjyhq\Imrv.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Qxrrrvvk] C:\Program Files\Sgbvi\Rbqto.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Hxtyvec] C:\Program Files\Giifch\Ponxf.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Nlnzvn] C:\Program Files\Mznk\Gedvq.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Kxywtp] C:\Program Files\Atmujj\Zule.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Qhegap] C:\Program Files\Gosf\Ninsfn.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Lupfy] C:\Program Files\Bsecja\Jsiqtf.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wgdoa] C:\Program Files\Hthgiig\Fwfvm.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Wwsipirr] C:\Program Files\Yxiuai\Ggsmcn.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Djorp] c:\Program Files\Xyjxs\Isgdmny.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Cdfqhp] c:\Program Files\Bewk\Uvmuk.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [Dqqudnxw] c:\Program Files\Extr\Saxic.exe (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Paula')
O4 - HKUS\S-1-5-21-1847895262-1599059188-2008684643-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Paula')
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://sctcdm04.extra.daimlerchrysler.com/iNotes6W.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180831951690
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 15510 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys

S3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"
R2 HPConfig (HP Configuration Interface Service) - c:\windows\system32\hpconfig.exe <Not Verified; Hewlett-Packard; HPConfig Module>
R2 HPWirelessMgr - c:\program files\hpq\notebook utilities\hpwirelessmgr.exe <Not Verified; Hewlett-Packard Co.; HPWirelessMgr Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-17 00:00:00 256 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-12 18:37:43 0 d-------- C:\9729c485c5656ddfe4be6b56849894a7
2008-05-27 21:27:53 0 d-------- C:\Documents and Settings\Rob\Application Data\Hewlett-Packard
2008-05-18 19:32:47 0 d-------- C:\Program Files\Trend Micro
2008-05-18 18:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 18:06:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 18:04:37 0 dr-h----- C:\Documents and Settings\Rob\Recent
2008-05-17 18:00:28 0 d-------- C:\Program Files\ToniArts
2008-05-17 17:34:22 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-17 17:34:05 0 d-------- C:\Program Files\SpywareBlaster


-- Find3M Report ---------------------------------------------------------------

2008-05-27 21:26:08 0 d-------- C:\Program Files\Web Publish
2008-05-27 21:24:37 0 d-------- C:\Program Files\Microsoft Money
2008-05-27 21:22:50 0 d-------- C:\Program Files\Symantec
2008-05-27 21:22:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-27 20:50:44 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-27 20:47:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-27 20:44:17 0 d-------- C:\Program Files\Easy Internet signup
2008-05-27 20:42:23 0 d-------- C:\Program Files\Common Files
2008-05-27 20:37:16 0 d-------- C:\Program Files\Broderbund
2008-05-27 20:34:24 0 d-------- C:\Program Files\a2 Free
2008-05-27 20:33:24 0 d-------- C:\Documents and Settings\Rob\Application Data\Aim
2008-05-27 20:32:40 0 d-------- C:\Program Files\AIM Toolbar
2008-05-18 18:09:31 0 d-------- C:\Program Files\Lavasoft
2008-05-18 18:09:29 0 d-------- C:\Documents and Settings\Rob\Application Data\Lavasoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [08/15/2002 06:18 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [05/21/2003 03:35 PM C:\WINDOWS\system32\carpserv.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/26/2003 07:25 PM]
"ATIPTA"="atiptaxx.exe" [06/11/2002 10:56 AM C:\WINDOWS\system32\atiptaxx.exe]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 05:34 PM]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [01/30/2003 06:53 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/14/2003 08:56 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/14/2003 08:56 AM]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [08/15/2002 10:26 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 05:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 02:57 PM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [08/20/2003 05:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [12/4/2005 9:19:15 PM]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [8/19/1997 1:00:00 AM]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [8/19/1997 1:00:00 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-17 22:30:34 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: mobile AMD Athlon™ XP2800+
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 190.48 MiB / 58.35 MiB
Pagefile Memory (total/avail): 849.83 MiB / 422.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.14 MiB

C: is Fixed (NTFS) - 27.94 GiB total, 20.2 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2030AT - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.94 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob
LANG=C
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Rob
USERPROFILE=C:\Documents and Settings\Rob
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob (admin)
Paula
Nicole
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HPQ\Software Setup\Uninst.isu" -c"C:\Program Files\HPQ\Software Setup\CPQUNST.DLL"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
--> MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant 56K ACLink Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C\HXFSETUP.EXE -U -Ihpm08505.inf
Conexant AC-Link Audio --> CIAunwdm.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Wireless LAN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E1D54D7-47EB-11D5-AE90-00D0590FFE27}\SETUP.EXE" -l0x9
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
McAfee VirusScan --> MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Microsoft Excel 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeXl.exe /w Excel97.stf
Microsoft Word 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Notebook Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8F2DCDE-AE4E-4AC9-BECD-496FB80FBF6A}\Setup.exe" -l0x9 UNINSTALL
One-Touch Buttons --> C:\WINDOWS\UnInst32.exe QT4HPOT.UNI
Photo Organizer --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PHOTOO~1.8\DeIsL1.isu"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PrintMaster --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PRINTM~1\DeIsL1.isu" -c"C:\PROGRA~1\BRODER~1\PRINTM~1\psfinst.dll"
PSpice Student 9.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OrCAD_Demo\DeIsL1.isu"
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The GIMP 2.2.11 --> "C:\Program Files\GIMP-2.0\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2121 / Error
Event Submitted/Written: 06/11/2008 07:24:43 PM
Event ID/Source: 4517 / McUpdate
Event Description:
Download of sdat5312.exe failed.

Event Record #/Type2120 / Error
Event Submitted/Written: 06/11/2008 07:24:41 PM
Event ID/Source: 4513 / McUpdate
Event Description:
The .ZIP Update to .DAT version 5312 failed because the new .ZIP archive (dat-5312.zip) cannot not be downloaded.

Event Record #/Type2112 / Error
Event Submitted/Written: 06/03/2008 06:06:42 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2079 / Error
Event Submitted/Written: 05/18/2008 05:54:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x11c07426.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2078 / Error
Event Submitted/Written: 05/18/2008 05:10:33 PM / 05/18/2008 05:10:34 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe took longer than 35000 ms to complete a request.

The process will be terminated.
Thread id : 216 (0xd8)

Thread address : 0x12020bc9

Thread message :

Build Nov 7 2001 22:53:54 / 5200.2160
Object being scanned = \Device\HarddiskVolume1\Program Files\Microsoft Office\Office\FINDFAST.EXE
(@ 10003(11406)
10003(10765)
10003(8582)
10003(8342)
10003(7811)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37570 / Error
Event Submitted/Written: 06/17/2008 08:23:44 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the HPWirelessMgr service.

Event Record #/Type37561 / Error
Event Submitted/Written: 06/16/2008 01:31:49 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Event Record #/Type37511 / Error
Event Submitted/Written: 06/15/2008 07:48:08 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address (**ROB DELETED FOR SECURITY -IP ADDRESS OF THIS PC FROM ROUTER**) on the
Network Card with network address (**ROB DELETED FOR SECURITY - MAC ADDRESS OF THIS NETWORK CARD FROM THIS COMPUTER**).

Event Record #/Type37510 / Warning
Event Submitted/Written: 06/15/2008 07:48:08 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address (**ROB DELETED FOR SECURITY - MAC ADDRESS OF THIS NETWORK CARD FROM THIS COMPUTER**). The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type37480 / Warning
Event Submitted/Written: 06/14/2008 03:19:54 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by update.exe.



-- End of Deckard's System Scanner: finished at 2008-06-17 22:30:34 ------------



KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 18, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 18, 2008 03:25:48
Records in database: 877576
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 56902
Threat name: 9
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 02:47:11


File name / Threat name / Threats count
C:\Documents and Settings\Paula\Local Settings\Temp\install.exe Infected: Trojan-Downloader.Win32.Agent.aaf 1
C:\Documents and Settings\Paula\Local Settings\Temp\setup1024.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b 4
C:\Documents and Settings\Rob\.housecall6.6\Quarantine\cassetup.exe.bac_a00736 Infected: not-a-virus:AdWare.Win32.CASClient.a 2
C:\Documents and Settings\Rob\.housecall6.6\Quarantine\mgsSetp.exe.bac_a00736 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak 1
C:\Documents and Settings\Rob\.housecall6.6\Quarantine\optimize.exe.bac_a00736 Infected: Trojan-Downloader.Win32.Dyfuca.ei 1
C:\Documents and Settings\Rob\.housecall6.6\Quarantine\toc_0036.exe.bac_a00736 Infected: Trojan-Downloader.Win32.Agent.jq 1
C:\WINDOWS\system32\atipuixx.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b 1
C:\WINDOWS\system32\Cache\setupone.exe Infected: Trojan-Downloader.Win32.VB.id 1
C:\WINDOWS\system32\Cache\setupone.exe Infected: Trojan.Win32.VB.tg 1
C:\WINDOWS\system32\Cache\setupone.exe Infected: Trojan-Dropper.Win32.Agent.acu 2
C:\WINDOWS\system32\Cache\setuptwo.exe Infected: Trojan-Downloader.Win32.VB.id 1
C:\WINDOWS\system32\Cache\setuptwo.exe Infected: Trojan.Win32.VB.tg 1
C:\WINDOWS\system32\Cache\setuptwo.exe Infected: Trojan-Dropper.Win32.Agent.acu 2
C:\WINDOWS\system32\Cache\setup_test.exe Infected: Trojan-Downloader.Win32.VB.id 1
C:\WINDOWS\system32\Cache\setup_test.exe Infected: Trojan.Win32.VB.tg 1
C:\WINDOWS\system32\Cache\setup_test.exe Infected: Trojan-Dropper.Win32.Agent.acu 2

The selected area was scanned.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:30 AM

Posted 18 June 2008 - 12:24 PM

Hello, rs123.

> Thanks, Bill. I appreciate your help. I did overtype my PC's IP address and MAC address out of the Kaspersky scan report because that is not information I want posted on an internet website. I verified the IP is the one assigned to this computer from my router and the MAC address is this PC's wireless card. I overtyped with (** comment **).

I do want to let you know that trying to "hide" your IP address is really paranoia. Every time you visit a web page, your IP gets logged not only by the web server machine but also by at least 8 or 9 routers as the message bounces around the internet. IP does not personally identify you. IP addresses also usually change every two weeks or so at a minimum for home users' connections. Therefore, hiding it does not really increase your security.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

We need to see if a file is a virus.
  • Please click this link--> http://www.virustotal.com/
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
    • C:\Program Files\Yopf\Kpfhii.exe
  • If VirusTotal is busy, try the same at Jotti
  • Please post back the results of the scan in your next post.
In your next reply, please make sure the following reports are present:
  • VirusTotal report for C:\Program Files\Yopf\Kpfhii.exe

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 rs123

rs123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:30 AM

Posted 03 July 2008 - 12:12 PM

I have removed anything I consider personal from this PC. A reformat would be fine, but for now I'd like to clean it as best possible until I have time to handle reformatting and all that goes along with that.

I have checked C:\program files\yopf and there are no files in that folder to upload to either site. What do you suggest?

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:30 AM

Posted 03 July 2008 - 03:01 PM

Hello, Rs123.

We need to run ComboFix. Please include the ComboFix report in your next reply.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 rs123

rs123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:30 AM

Posted 04 July 2008 - 11:14 PM

Ok, here is the log:

ComboFix 08-07-04.2 - Rob 2008-07-04 23:40:29.1 - NTFSx86
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\cas
C:\Program Files\Common Files\uninstall information
C:\Program Files\myglobalsearch
C:\WINDOWS\Downloaded Program Files\rave
C:\WINDOWS\Downloaded Program Files\rave\avirexe.vdm
C:\WINDOWS\Downloaded Program Files\rave\avirscr.vdm
C:\WINDOWS\Downloaded Program Files\rave\base.vdm
C:\WINDOWS\Downloaded Program Files\rave\daily.vdm
C:\WINDOWS\Downloaded Program Files\rave\daily.vdt
C:\WINDOWS\Downloaded Program Files\rave\filters.vdm
C:\WINDOWS\Downloaded Program Files\rave\kernel.vdk
C:\WINDOWS\Downloaded Program Files\rave\keyring.vdk
C:\WINDOWS\Downloaded Program Files\rave\mapi_vdm.vdm
C:\WINDOWS\Downloaded Program Files\rave\modules.vdk
C:\WINDOWS\Downloaded Program Files\rave\rav8def.vdm
C:\WINDOWS\Downloaded Program Files\rave\rufs.vdm
C:\WINDOWS\Downloaded Program Files\rave\rufsplg.vdm
C:\WINDOWS\Downloaded Program Files\rave\unarch.vdm
C:\WINDOWS\Downloaded Program Files\rave\unmail.vdm
C:\WINDOWS\Downloaded Program Files\rave\unpack.vdm
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\inExplorerInstaller.exe
C:\WINDOWS\system32\Cache\mswinstall.exe
C:\WINDOWS\system32\Cache\setup.exe
C:\WINDOWS\system32\Cache\setup_test.exe
C:\WINDOWS\system32\Cache\setupone.exe
C:\WINDOWS\system32\Cache\setuptwo.exe
C:\WINDOWS\system32\Cache\SmartDownload.exe
C:\WINDOWS\system32\zlib.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 12:21 . 2008-07-03 12:21 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-17 22:53 . 2008-06-17 22:53 <DIR> d-------- C:\WINDOWS\Sun
2008-06-17 22:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-17 22:49 . 2008-06-17 22:51 <DIR> d-------- C:\Program Files\Java
2008-06-17 22:47 . 2008-06-17 22:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-17 22:23 . 2008-06-17 22:23 <DIR> d-------- C:\Deckard
2008-06-12 18:37 . 2008-06-12 18:37 <DIR> d-------- C:\9729c485c5656ddfe4be6b56849894a7
2008-06-11 19:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 01:27 --------- d-----w C:\Documents and Settings\Rob\Application Data\Hewlett-Packard
2008-05-28 01:26 --------- d-----w C:\Program Files\Web Publish
2008-05-28 01:24 --------- d-----w C:\Program Files\Microsoft Money
2008-05-28 01:22 --------- d-----w C:\Program Files\Symantec
2008-05-28 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-28 00:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-28 00:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 00:44 --------- d-----w C:\Program Files\Easy Internet signup
2008-05-28 00:37 --------- d-----w C:\Program Files\Broderbund
2008-05-28 00:34 --------- d-----w C:\Program Files\a2 Free
2008-05-28 00:33 --------- d-----w C:\Documents and Settings\Rob\Application Data\Aim
2008-05-28 00:32 --------- d-----w C:\Program Files\AIM Toolbar
2008-05-18 23:32 --------- d-----w C:\Program Files\Trend Micro
2008-05-18 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 22:09 --------- d-----w C:\Program Files\Lavasoft
2008-05-18 22:09 --------- d-----w C:\Documents and Settings\Rob\Application Data\Lavasoft
2008-05-18 22:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 22:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 22:00 --------- d-----w C:\Program Files\ToniArts
2008-05-17 21:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-17 21:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-05 00:31 --------- d-----w C:\Documents and Settings\Nicole\Application Data\U3
2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 19:25 180316]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 17:34 36864]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-30 18:53 106496]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 08:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 08:56 634880]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 10:26 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 17:23 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 14:57 221184]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 17:15 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-15 18:18 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"ATIPTA"="atiptaxx.exe" [2002-06-11 10:56 286720 C:\WINDOWS\system32\atiptaxx.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2005-12-04 21:19:15 442368]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 01:00:00 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-19 01:00:00 51984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys [2001-04-30 04:51]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [2001-11-26 16:51]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 11:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 11:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2002-08-28 20:00]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2001-12-17 07:54]
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\system32\DRIVERS\Express.sys [2002-01-18 16:00]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 04:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 23:49:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?5?9?1??????? ??3B?????????????T?B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 23:52:58
ComboFix-quarantined-files.txt 2008-07-05 03:52:42

Pre-Run: 21,514,399,744 bytes free
Post-Run: 21,956,567,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

153 --- E O F --- 2008-07-03 16:24:11

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:30 AM

Posted 05 July 2008 - 07:43 AM

Hello, Rs123.

Hmm... did you run any sort of virus scans during that 15 day mishap? Lots of the malware seem to have self-destructed :D

I would like to check our work.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please make sure the following reports are present:
  • ESET's Log
  • DSS Extra.txt
  • DSS Main.txt

(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 rs123

rs123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:04:30 AM

Posted 06 July 2008 - 07:21 PM

Here's the info you requested. I'm fairly sure I haven't used the computer at all since posting except to remove files I considered personal. This included some AOL Instant Messenger folders ...

ESET scan:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3244 (20080705)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5a7597e3e0643943b775f0c342e63045
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-07-06 12:12:34
# local_time=2008-07-05 08:12:34 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=239922
# found=20
# scan_time=4220
C:\Documents and Settings\Nicole\Desktop\AOL Instant Messenger.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nicole\Desktop\AOL Instant Messenger.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Nicole\Desktop\AOL Instant Messenger.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir »NSIS »mbop1-0-4b.exe a variant of Win32/TrojanDownloader.VB.TF trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir »NSIS »SysCheckSetup.exe Win32/VB.NHO trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir »NSIS »SysCheckSetup.exe »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setuptwo.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setuptwo.exe.vir »NSIS »mbop1-0-4-3min.exe a variant of Win32/TrojanDownloader.VB.TF trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setuptwo.exe.vir »NSIS »SysCheckSetup.exe Win32/VB.NHO trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setuptwo.exe.vir »NSIS »SysCheckSetup.exe »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setuptwo.exe.vir »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setup_test.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setup_test.exe.vir »NSIS »mbop1-0-4a.exe a variant of Win32/TrojanDownloader.VB.TF trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setup_test.exe.vir »NSIS »SysCheckSetup.exe Win32/VB.NHO trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setup_test.exe.vir »NSIS »SysCheckSetup.exe »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setup_test.exe.vir »NSIS »linun.exe Win32/VB.NHO trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\atipuixx.exe Win32/Adware.URLSpy application (unable to clean - deleted) 00000000000000000000000000000000


DSS main:

Deckard's System Scanner v20071014.68
Run by Rob on 2008-07-06 20:00:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-07 00:01:13 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-07-05 03:34:23 UTC - RP4 - ComboFix created restore point
3: 2008-07-03 16:18:14 UTC - RP3 - Software Distribution Service 3.0
2: 2008-06-18 02:47:09 UTC - RP2 - Installed Java™ 6 Update 6
1: 2008-06-18 02:26:53 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:53 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Documents and Settings\Rob\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rob.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://sctcdm04.extra.daimlerchrysler.com/iNotes6W.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1180831951690
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JSCDL/jr...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

--
End of file - 7003 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys
S3 SymEvent - c:\program files\symantec\symevent.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"
R2 HPConfig (HP Configuration Interface Service) - c:\windows\system32\hpconfig.exe <Not Verified; Hewlett-Packard; HPConfig Module>
R2 HPWirelessMgr - c:\program files\hpq\notebook utilities\hpwirelessmgr.exe <Not Verified; Hewlett-Packard Co.; HPWirelessMgr Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 212)
2003-02-28 18:26:26 947472 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2003-02-28 18:26:26 286992 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>


-- Scheduled Tasks -------------------------------------------------------------

2008-03-17 00:00:00 256 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-05 18:59:41 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-04 23:39:03 0 d-------- C:\cmdcons
2008-07-04 23:33:21 68096 --a------ C:\WINDOWS\zip.exe
2008-07-04 23:33:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-04 23:33:21 98816 --a------ C:\WINDOWS\sed.exe
2008-07-04 23:33:21 80412 --a------ C:\WINDOWS\grep.exe
2008-07-04 23:33:20 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-04 23:33:20 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-04 23:33:20 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-04 23:33:20 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-17 22:53:12 0 d-------- C:\WINDOWS\Sun
2008-06-17 22:53:12 0 d-------- C:\Documents and Settings\Rob\Application Data\Sun
2008-06-17 22:49:46 0 d-------- C:\Program Files\Java
2008-06-17 22:47:33 0 d-------- C:\Program Files\Common Files\Java
2008-06-12 18:37:43 0 d-------- C:\9729c485c5656ddfe4be6b56849894a7


-- Find3M Report ---------------------------------------------------------------

2008-07-04 23:45:32 0 d-------- C:\Program Files\Common Files
2008-05-27 21:27:53 0 d-------- C:\Documents and Settings\Rob\Application Data\Hewlett-Packard
2008-05-27 21:26:08 0 d-------- C:\Program Files\Web Publish
2008-05-27 21:24:37 0 d-------- C:\Program Files\Microsoft Money
2008-05-27 21:22:50 0 d-------- C:\Program Files\Symantec
2008-05-27 21:22:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-27 20:50:44 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-27 20:47:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-27 20:44:17 0 d-------- C:\Program Files\Easy Internet signup
2008-05-27 20:37:16 0 d-------- C:\Program Files\Broderbund
2008-05-27 20:34:24 0 d-------- C:\Program Files\a2 Free
2008-05-27 20:33:24 0 d-------- C:\Documents and Settings\Rob\Application Data\Aim
2008-05-27 20:32:40 0 d-------- C:\Program Files\AIM Toolbar
2008-05-18 19:32:47 0 d-------- C:\Program Files\Trend Micro
2008-05-18 18:09:31 0 d-------- C:\Program Files\Lavasoft
2008-05-18 18:09:29 0 d-------- C:\Documents and Settings\Rob\Application Data\Lavasoft
2008-05-18 18:06:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 18:00:28 0 d-------- C:\Program Files\ToniArts
2008-05-17 17:34:07 0 d-------- C:\Program Files\SpywareBlaster


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [08/15/2002 06:18 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [05/21/2003 03:35 PM C:\WINDOWS\system32\carpserv.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [02/26/2003 07:25 PM]
"ATIPTA"="atiptaxx.exe" [06/11/2002 10:56 AM C:\WINDOWS\system32\atiptaxx.exe]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 05:34 PM]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [01/30/2003 06:53 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/14/2003 08:56 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/14/2003 08:56 AM]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [08/15/2002 10:26 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 05:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 02:57 PM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [08/20/2003 05:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [12/4/2005 9:19:15 PM]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [8/19/1997 1:00:00 AM]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [8/19/1997 1:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-06 20:05:43 ------------



DSS extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: mobile AMD Athlon™ XP2800+
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 190.48 MiB / 39.5 MiB
Pagefile Memory (total/avail): 849.77 MiB / 619.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906 MiB

C: is Fixed (NTFS) - 27.94 GiB total, 20.53 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2030AT - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.94 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob
LANG=C
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Rob
USERPROFILE=C:\Documents and Settings\Rob
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob (admin)
Paula
Nicole
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HPQ\Software Setup\Uninst.isu" -c"C:\Program Files\HPQ\Software Setup\CPQUNST.DLL"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
--> MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant 56K ACLink Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C\HXFSETUP.EXE -U -Ihpm08505.inf
Conexant AC-Link Audio --> CIAunwdm.exe
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Wireless LAN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E1D54D7-47EB-11D5-AE90-00D0590FFE27}\SETUP.EXE" -l0x9
Inactive HP Printer Drivers (Remove only) --> RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
McAfee VirusScan --> MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Microsoft Excel 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeXl.exe /w Excel97.stf
Microsoft Word 97 --> C:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Notebook Utilities --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8F2DCDE-AE4E-4AC9-BECD-496FB80FBF6A}\Setup.exe" -l0x9 UNINSTALL
One-Touch Buttons --> C:\WINDOWS\UnInst32.exe QT4HPOT.UNI
Photo Organizer --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PHOTOO~1.8\DeIsL1.isu"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PrintMaster --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PRINTM~1\DeIsL1.isu" -c"C:\PROGRA~1\BRODER~1\PRINTM~1\psfinst.dll"
PSpice Student 9.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OrCAD_Demo\DeIsL1.isu"
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The GIMP 2.2.11 --> "C:\Program Files\GIMP-2.0\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2145 / Error
Event Submitted/Written: 07/05/2008 06:50:55 PM
Event ID/Source: 4517 / McUpdate
Event Description:
Download of sdat5332.exe failed.

Event Record #/Type2144 / Error
Event Submitted/Written: 07/05/2008 06:50:53 PM
Event ID/Source: 4513 / McUpdate
Event Description:
The .ZIP Update to .DAT version 5332 failed because the new .ZIP archive (dat-5332.zip) cannot not be downloaded.

Event Record #/Type2141 / Error
Event Submitted/Written: 07/05/2008 00:03:02 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application Mcshield.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error in creating result PEAP-TLV in response to received PEAP-TLV (Mcshield.exe!ld!)

Event Record #/Type2139 / Error
Event Submitted/Written: 07/04/2008 11:44:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Event Record #/Type2138 / Error
Event Submitted/Written: 07/04/2008 11:43:33 PM / 07/04/2008 11:43:34 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe took longer than 35000 ms to complete a request.

The process will be terminated.
Thread id : 672 (0x2a0)

Thread address : 0x120e2344

Thread message :

Build Nov 7 2001 22:53:54 / 5200.2160
Object being scanned = \Device\HarddiskVolume1\Program Files\Trend Micro\HijackThis\HijackThis.exe
(@ 10003(24806)
10003(7100)
10003(7100)
10010(7060)
24011(7060)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37681 / Error
Event Submitted/Written: 07/05/2008 00:08:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The McShield service failed to start due to the following error:
%%1053

Event Record #/Type37680 / Error
Event Submitted/Written: 07/05/2008 00:08:53 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the McShield service to connect.

Event Record #/Type37663 / Error
Event Submitted/Written: 07/05/2008 00:05:26 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The AVSync Manager service hung on starting.

Event Record #/Type37636 / Error
Event Submitted/Written: 07/04/2008 11:44:16 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The McShield service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type37588 / Error
Event Submitted/Written: 06/18/2008 07:14:59 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the HPWirelessMgr service.



-- End of Deckard's System Scanner: finished at 2008-07-06 20:05:43 ------------
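A triage helper for the ESET Online Scanner log posted above, added here as an example; it is not part of the original thread and not an ESET or BleepingComputer tool. It parses the posted line format, folds the nested "»container" hits back onto the on-disk file they were found in, and separates detections inside ComboFix's quarantine folder (C:\QooBox\Quarantine, where quarantined files carry a .vir suffix) from detections at live locations. The embedded log is a constructed six-line excerpt of the log above; the function names and the quarantine-path check are this example's own assumptions.

```python
"""Triage an ESET Online Scanner log in the format posted in this thread.

Added example, not an ESET tool. The log reports one line per detection; a
line whose location contains " »" is a member of an archive or installer that
ESET already handled as a whole, not a separate file on disk.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: six lines in the shape of the posted log (not the full log).
SAMPLE_LOG = r"""# version=4
# scanned=239922
# found=6
C:\Documents and Settings\Nicole\Desktop\AOL Instant Messenger.exe Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nicole\Desktop\AOL Instant Messenger.exe »WISE »WxBug.EXE Win32/Adware.WBug.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir multiple infiltrations (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\Cache\setupone.exe.vir »NSIS »mbop1-0-4b.exe a variant of Win32/TrojanDownloader.VB.TF trojan (error while cleaning - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\atipuixx.exe Win32/Adware.URLSpy application (unable to clean - deleted) 00000000000000000000000000000000
"""

# <location and threat> (<action>) <32 hex chars>; the hash column is all zeros
# in the posted log, so it is captured but never relied on.
RESULT_RE = re.compile(r"^(?P<head>.+) \((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32})$")
# ESET family names carry a slash ("Win32/Adware.WBug.A"), optionally prefixed
# with "a variant of" and followed by a type word such as "application" or "trojan".
THREAT_RE = re.compile(r"(?:a variant of )?(?P<name>\S+/\S+)(?: (?P<kind>\w+))?$")
# Assumption: ComboFix's quarantine folder, as seen in the posted log.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str          # on-disk file the detection belongs to
    containers: list   # nested archive/installer members, outermost first
    threat: str
    kind: str          # "application", "trojan", ... or "" when ESET gives none
    action: str
    quarantined: bool  # inside ComboFix's quarantine rather than a live location

    @property
    def nested(self):
        return bool(self.containers)


def parse_line(line):
    """Return a Detection for one result line, or None for headers and junk."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    head = m.group("head")
    if head.endswith(" multiple infiltrations"):   # container with several hits
        threat, kind = "multiple infiltrations", ""
        location = head[: -len(" multiple infiltrations")]
    else:
        t = THREAT_RE.search(head)
        if not t:
            return None
        threat, kind = t.group("name"), t.group("kind") or ""
        location = head[: t.start()].rstrip()
    parts = location.split(" »")           # file path first, then container chain
    path = parts[0]
    return Detection(path, parts[1:], threat, kind, m.group("action"),
                     path.lower().startswith(QUARANTINE_PREFIX))


def parse_log(text):
    """Split the log into its '# key=value' header and the parsed detections."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
        else:
            d = parse_line(line)
            if d:
                detections.append(d)
    return header, detections


def triage(detections):
    """Collapse nested hits onto their on-disk file and split live vs quarantined."""
    live, quarantined, families = {}, {}, Counter()
    for d in detections:
        families[d.threat] += 1
        bucket = quarantined if d.quarantined else live
        bucket.setdefault(d.path, set()).add(d.threat)
    return {"live": live, "quarantined": quarantined, "families": families}


def unresolved(detections):
    """Top-level files whose recorded action did not end in deletion: still on disk."""
    return [d for d in detections if not d.nested and not d.action.endswith("deleted")]


if __name__ == "__main__":
    header, dets = parse_log(SAMPLE_LOG)
    report = triage(dets)
    print(f"scanned={header['scanned']} found={header['found']} parsed={len(dets)}")
    for label in ("live", "quarantined"):
        for path, threats in report[label].items():
            print(f"{label:11} {path}  [{', '.join(sorted(threats))}]")
    print("still on disk:", [d.path for d in unresolved(dets)])
```

Run against the sample, the split is the one a responder actually wants from a log like this: the only detections at live locations are the WeatherBug adware components and atipuixx.exe, all of which ESET reports as deleted; everything under C:\QooBox\Quarantine was already neutralised by ComboFix, and the nested "»" lines with "was a part of the deleted object" are members of those containers, not additional files to chase. On the full posted log the same logic gives four live paths and three quarantined .vir files for the twenty reported lines.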

#10 Billy O'Neal (Malware Response Team)

Posted 07 July 2008 - 05:17 AM

Rs123, you now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "UNKNOWN!"

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    IF YOU USE WINDOWS XP:
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
    IF YOU USE WINDOWS VISTA:
    • Go to Start -> Control Panel -> System and Maintenance -> System.
    • Select "System Protection" in the upper left hand corner.
    • Click the button marked "Create" in the bottom of the window.
    • Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Open Vista's Searchbox (on your start menu) and type in "cleanmgr.exe"
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up", and then "Delete" in the "System Restore and Shadow Copies" section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window.
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real time protection against premium rate dialers.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
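The HOSTS-file point in the post above, as an added example that is not part of the original post and not code from Spybot: a small Python audit that parses a hosts file the way Windows reads it and separates blocking entries (a name pointed at loopback or 0.0.0.0, which is what a Spybot-style list installs) from entries that send a name somewhere else, which are the ones worth reviewing after a cleanup. The sample file contents and hostnames are constructed placeholders.

```python
# Added example (not from the thread or from Spybot): audit a Windows HOSTS file.
# Entries pointing a name at loopback / 0.0.0.0 are "blocking" entries of the
# kind an anti-spyware hosts list installs; entries sending a name elsewhere
# are "redirecting" and deserve a look, since a hosts file can re-route traffic.
import ipaddress

BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample; these names are placeholders, not real indicators.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# entries added by an anti-spyware hosts list (constructed)
127.0.0.1  ad-server.example   # blocks an ad host
0.0.0.0    tracker.example  tracker2.example
# end of the added list
192.0.2.10 update.example    # suspicious: not a block entry
not-an-address   broken.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; skip comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # malformed address: ignore the line
        for name in fields[1:]:               # several names may share a line
            yield addr, name.lower()

def audit_hosts(text):
    """Return {'blocked': set of names, 'redirected': {name: ip}}."""
    blocked, redirected = set(), {}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the stock entry every Windows hosts file carries
        if addr in BLOCK_ADDRESSES:
            blocked.add(name)
        else:
            redirected[name] = addr
    return {"blocked": blocked, "redirected": redirected}

if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS)["redirected"].items():
        print(f"review: {name} -> {ip}")
```

To run it against a real machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its text to audit_hosts; anything in the "redirected" result is an entry to check by hand.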

#11 rs123

rs123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 07 July 2008 - 07:39 PM

Ok, great. I didn't realize we had actually done the cleaning. I see a lot of 'error while cleaning...' are we done? I already run spybot, spyblaster, etc. Are all the 'running processes' necessary? I'd like to turn off as many as possible without putting my computer at risk. As I mentioned in original post, I basically just want to browse and check email.

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:30 AM

Posted 07 July 2008 - 08:24 PM

Hello, Rs123.

If you wish to turn off optional entries, I suggest you try out a tool called "StartupLite", which you can get from here:
http://www.malwarebytes.org/startuplite.php

Billy3

#13 rs123

rs123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:30 AM

Posted 07 July 2008 - 08:55 PM

Interestingly, my explorer performance is even worse right now. Initial loads are even slower now than before. Thanks anyway for your help. I guess I'll have to go for a reinstall.

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:30 AM

Posted 16 July 2008 - 12:00 PM

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.
