Hijackthis Logs: Need Info On Removal Of Ctfmona.exe


This topic is locked.
22 replies to this topic

#1 fairbanks (Members, 12 posts)

Posted 18 May 2008 - 10:26 PM

Today while using Internet Explorer version 6.0.2900.2180.xpsp.050622-1524 my Dell PC with Windows XP Professional 5.1 build 2600.xpsp.050622-1524: (service pack 2) became infected by ctfmona.exe.

I have McAfee Virus Scan, Spyware detector and Firewall. It did not prevent this infection. It also did not find this infection on a Scan. Instead I saw that ctfmona.exe was the most recent change made to the PC and I began searching for it. I found a wallpaper bitmap that had replaced my wallpaper and the ctfmona.exe file in C:\Windows\system32. ctfmona.exe seemed to cause the replacement wallpaper and caused the screen to slowly develop blue holes with bugs crawling over it.

I immediately opened Netscape (an old version) and started searching for a solution.

Before I found this web site, I found information on daniweb.com through Google on removing this malware and I started the process they outlined. This is what I have done to date; I need to know what I do next to be sure everything is cleaned up and fixed on my PC.

1) Per those in the daniweb forum, McAfee and Spybot could not find or fix the ctfmona.exe problem. Instead there were instructions to download HijackThis, scan, create a log and save it. I did this; the log appears at the end of this post as the first log I ran.
2) The instructions said to then look for certain lines in the log that agreed with a list provided. I only had one of these lines in the log which as shown below was:
O4 - HKLM\..\Run: [ctfmona] c:\WINDOWS\system32\ctfmona.exe
3) Then I was to and did go back into HijackThis and check the box next to this line and then selected the "Fixed checked" button. There was no obvious problem doing this, it seemed to run ok.
4) I then again scanned using HijackThis and created and saved a log. This log appears at the end of this post as the second log. It also appears that the O4 line listed above is no longer there.
5) Next I was to delete ctfmona.exe from C:\Windows\system32. I could not do this, so the next instruction said to reboot using Safe Mode. I did this and then was able to delete ctfmona.exe. It is currently in my Recycle Bin.
6) Next I was to run combofix.exe. That was when I found this website as a means to download combofix.exe, and I started to look around more and found that I needed more instruction before I felt comfortable running this program. At this point, the screen no longer has blue holes and bugs, and I manually changed the wallpaper back and deleted the ctfmona wallpaper bitmap file (also now in the Recycle Bin).
7) I did download combofix.exe and it is now located on my PC desktop.

So, I need help. Can anyone tell me by looking at the HijackThis logs if I got rid of ctfmona entirely and if my PC is fixed? Or what else do I need to do to complete the fix? Also, what do I need to do to ensure that my PC doesn't get this malware downloaded to it again, since McAfee can't recognize it? This occurred while on the Zenith web site, which I will not be visiting again through Internet Explorer. I plan to download Firefox to use as a browser; would that help?

Thanks so much for your help.

Fairbanks

LOG 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:13 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
c:\ux8ewb.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://support.earthlink.net/"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11222 bytes


LOG 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:57 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
c:\ux8ewb.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://support.earthlink.net/"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10990 bytes
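To make the "is the O4 line gone?" check from the post above mechanical, here is an added example (not code from the original post or from HijackThis) that parses the O4 Run entries and running-process list out of two HijackThis logs, reports which entries disappeared between them, and flags paths worth a second look. The two log excerpts are constructed from LOG 1 and LOG 2 above, cut down to the lines the comparison needs, and the two review heuristics (a name that closely resembles a Windows system binary, an executable running straight from the drive root) are my own, not a verdict on any file.

```python
"""Diff two HijackThis logs and flag startup entries that deserve review."""
import re
from difflib import SequenceMatcher

# Constructed excerpts of the OP's LOG 1 and LOG 2 (same format, fewer lines).
LOG1 = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
c:\ux8ewb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
"""

LOG2 = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
c:\ux8ewb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
"""

# O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First .exe path in a command line, quoted or not (arguments are dropped).
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
# An executable sitting directly in a drive root, e.g. c:\ux8ewb.exe.
ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\]+\.exe$', re.IGNORECASE)
# Windows XP system binaries whose names malware is often chosen to resemble.
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}


def parse_log(text):
    """Return {'processes': [paths], 'run': {value name: (hive, exe path)}}."""
    processes, run, in_procs = [], {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("cmd"))
            path = exe.group("path") if exe else m.group("cmd")
            run[m.group("name")] = (m.group("hive"), path)
    return {"processes": processes, "run": run}


def diff_run_entries(before, after):
    """Value names of O4 Run entries removed and added between two logs."""
    old, new = set(before["run"]), set(after["run"])
    return old - new, new - old


def lookalike_of(basename):
    """System binary this file name closely resembles without matching, or None."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None


def review(log):
    """(path, reason) pairs worth a closer look; heuristics, not a verdict."""
    flags = []
    paths = log["processes"] + [p for _, p in log["run"].values()]
    for path in paths:
        twin = lookalike_of(path.rsplit("\\", 1)[-1])
        if twin:
            flags.append((path, f"name resembles system binary {twin}"))
        if ROOT_EXE_RE.match(path):
            flags.append((path, "executable runs directly from the drive root"))
    return flags


if __name__ == "__main__":
    before, after = parse_log(LOG1), parse_log(LOG2)
    removed, added = diff_run_entries(before, after)
    print("O4 entries removed:", sorted(removed), "added:", sorted(added))
    for path, reason in review(after):
        print(f"review: {path}: {reason}")
```

Run against the full logs, the second pass still lists c:\ux8ewb.exe among the running processes in both logs, which is the kind of entry the helper would want to ask about before declaring the machine clean.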


#2 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team, 12,304 posts; Redmond, Washington)

Posted 10 June 2008 - 12:26 PM

Hello fairbanks. Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you still would like help, please follow the following instructions:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 fairbanks (Topic Starter)

Posted 13 June 2008 - 12:58 AM

Hello Billy,

I just saw your reply late tonight. Yes, I still need help. I may have fixed some pieces of the problem, but I don't know how to be sure I got all of it. I wanted to let you know, I may not be able to get everything in your instructions done until this weekend. I will start the DSS download tomorrow.

Thanks again!

Fairbanks

#4 Billy O'Neal (Malware Response Team)

Posted 13 June 2008 - 07:27 PM

Hello, fairbanks

Please ignore the instructions above; the Kaspersky scanner changed just yesterday night. Follow these instead:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please make sure the following reports are present:
  • The Kaspersky scan report
  • DSS's Main.txt
  • DSS's Extra.txt

(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
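One check an analyst applies to the O4 Run entries of a HijackThis log like the ones requested above is whether an autorun's file name is a near-miss of a legitimate Windows binary, which is how ctfmona.exe sat beside the real ctfmon.exe in this thread. The following is an added example written for this page, not code from the thread or from DSS or HijackThis; the list of known binary names, the 0.85 similarity threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Windows binaries whose names lookalike autoruns commonly imitate. Constructed
# list for this example; ctfmon.exe is the one this thread's ctfmona.exe imitates.
KNOWN_WINDOWS_BINARIES = {
    "ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "explorer.exe", "winlogon.exe", "services.exe", "spoolsv.exe", "wuauclt.exe",
}

# HijackThis O4 autorun line, e.g.
#   O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
# DSS repeats such a line under "HijackThis Fixed Entries" with a
# "backup-YYYYMMDD-HHMMSS-NNN " prefix, which the optional group absorbs.
O4_RE = re.compile(
    r'^(?:backup-\S+ )?O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


def parse_o4(line):
    """Return hive, key, value name, executable path and file name of an
    O4 Run entry, or None for any other HijackThis line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        # Quoted path: everything up to the closing quote.
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        # Unquoted path, possibly containing spaces: cut after the first ".exe".
        idx = cmd.lower().find(".exe")
        path = cmd[:idx + 4] if idx != -1 else cmd.split(" ")[0]
    exe = path.rsplit("\\", 1)[-1].lower()
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "path": path, "exe": exe}


def lookalike_of(exe, known=KNOWN_WINDOWS_BINARIES, threshold=0.85):
    """Return the known binary that `exe` closely resembles without being
    identical to it, or None. An exact known name is never flagged."""
    if exe in known:
        return None
    best, best_ratio = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, exe, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def scan_log(text):
    """Scan HijackThis/DSS text and return the O4 entries whose executable
    name is a near-miss of a known Windows binary."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        match = lookalike_of(entry["exe"])
        if match is not None:
            entry["lookalike"] = match
            findings.append(entry)
    return findings


# Constructed sample in HijackThis format, modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['path']} "
              f"looks like {f['lookalike']}")
```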

#5 fairbanks

fairbanks
  • Topic Starter

  • Members
  • 12 posts

Posted 14 June 2008 - 01:51 PM

Hello Billy,

I ran Deckard's and Kaspersky (had to install ActiveX control J2SE and Java Plug-in 1.5 to run Kaspersky). The only thing that I recognized in Deckard's files, from my attempts to clean up the PC, was a reference to ctfmona in a backup(?). And in the Kaspersky report the infections reported all seemed to be in old Netscape Mail Trash folders saved/transferred from an old PC that ran Windows 2000.

Since my original post I did find and delete a screen saver that seemed to be the source of the "bugs" and blue holes in the screen, but whatever my original fix using HijackThis did had already apparently disabled it. Also, I later received an update of my McAfee Virus Scan software, that on a scan finally recognized possibly some other piece associated with ctfmona and quarantined it. Since then I updated Windows XP with all of the Microsoft security fixes prior to Service Pack 3 (except a malware program, an Outlook Express item and IE 7). I did not update to Service Pack 3 as yet. I also want to install Firefox, but did not do that yet.

Thanks so much for taking the time to review all these reports and for your expert help! I don't have any idea how to be certain that I got rid of all the problems.

Fairbanks

Here are the files:

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-13 21:58:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-06-14 01:58:29 UTC - RP18 - Deckard's System Scanner Restore Point
17: 2008-05-31 18:26:31 UTC - RP17 - Software Distribution Service 3.0
16: 2008-05-28 06:01:57 UTC - RP16 - Software Distribution Service 3.0
15: 2008-05-28 05:35:32 UTC - RP15 - Software Distribution Service 3.0
14: 2008-05-28 02:54:05 UTC - RP14 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-18 08:44:36 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:21 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://support.earthlink.net/"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10806 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080518-071334-363 O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>
R2 NTService1 (MaxSyncService) - "c:\program files\maxtor\onetouch\utils\syncservices.exe" <Not Verified; ; SyncServices>
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-01 01:00:00 368 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-05-23 18:30:00 350 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (REESER-ellen).job
2008-03-15 02:08:27 366 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-05-27 22:54:15 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-27 04:10:18 0 d-------- C:\Program Files\MSXML 4.0
2008-05-27 00:17:50 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 22:54:37 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-18 06:35:14 0 d-------- C:\Program Files\Trend Micro
2008-05-18 06:32:48 0 d-------- C:\HiJackThis


-- Find3M Report ---------------------------------------------------------------

2008-06-13 02:03:51 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2008-06-13 02:03:51 384 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2008-05-24 23:02:06 0 d-------- C:\Program Files\SiteAdvisor
2008-05-18 04:44:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\SiteAdvisor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [06/17/2005 08:56 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 10:05 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [11/01/2005 04:12 AM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [09/17/2003 11:43 AM]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [06/18/2003 02:00 AM]
"CTHelper"="CTHELPER.EXE" [03/11/2004 04:50 PM C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/18/2006 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/18/2006 12:43 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 04:30 PM]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [08/16/2005 09:05 PM]
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe" [09/08/2005 08:20 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"@"="" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [04/26/2002 01:53 PM]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [11/09/2005 04:19 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [10/17/2005 04:24 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [08/24/2007 05:57 PM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/18/2006 12:37:10 AM]
Lotus Organizer EasyClip.lnk - C:\lotus\organize\easyclip.exe [8/8/2002 8:49:20 PM]
Lotus QuickStart.lnk - C:\lotus\wordpro\ltsstart.exe [8/8/2002 8:23:48 AM]
Lotus SmartCenter.lnk - C:\lotus\smartctr\smartctr.exe [7/23/2002 5:33:44 PM]
Lotus SuiteStart.lnk - C:\lotus\smartctr\suitest.exe [7/23/2002 5:32:12 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""




-- End of Deckard's System Scanner: finished at 2008-06-13 22:01:03 ------------



EXTRA.TXT


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2046.07 MiB / 1477.27 MiB
Pagefile Memory (total/avail): 3938.02 MiB / 3484.56 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 108.57 GiB total, 75.85 GiB free.
D: is Fixed (NTFS) - 36.34 GiB total, 36.28 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ARRAY - 149 GiB - 4 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 108.57 GiB - C:
\PARTITION2 - Installable File System - 36.34 GiB - D:
\PARTITION3 - Unknown - 4.04 GiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=REESER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\REESER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Microsoft SQL Server\80\Tools\Binn
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=REESER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

nancy (new local, admin)
ellen (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\Ctzapxx.EXE" /W /U /S
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CinepPlayer 30 Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C41F4616-44B6-4E8D-BFC7-4267862A2CE1}\setup.exe" -l0x9 -L0x9 /SMAINT
Classic PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java Web Start --> "C:\Program Files\Java\j2re1.4.2_03\javaws\uninst-javaws.exe"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E38300409}
Maxtor Backup --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9C3F9580-F5CF-4288-894E-9FF0EB24A21C} /l1033
Maxtor OneTouch III --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{60EEB642-E9E0-45A2-A676-B9D8FE17C4A9} /l1033
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstaller --> C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Office Outlook 2003 with Business Contact Manager Update --> MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton Ghost 10.0 --> MsiExec.exe /X{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Radio@Netscape Plus --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Radio@Netscape Plus\uninst.isu" -c"C:\Program Files\Radio@Netscape Plus\program\uninst.dll"
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Advanced Decoder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{46C73DE4-E96D-4F7C-8371-F28052183B12}\setup.exe" -l0x9
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\setup.exe" -l0x9
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type7849 / Warning
Event Submitted/Written: 06/13/2008 09:37:55 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type7841 / Error
Event Submitted/Written: 06/13/2008 01:25:14 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application netscp.exe, version 7.1.0.0, faulting module gklayout.dll, version 1.4.20030.62408, fault address 0x0001e172.
Processing media-specific event for [netscp.exe!ws!]

Event Record #/Type7835 / Warning
Event Submitted/Written: 06/13/2008 00:18:41 AM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type7822 / Warning
Event Submitted/Written: 06/09/2008 10:38:18 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type7810 / Warning
Event Submitted/Written: 06/07/2008 10:48:20 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTSMLBIZ
Event Description:
(SpnRegister) : Error 1355



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14052 / Error
Event Submitted/Written: 06/13/2008 10:00:28 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type13857 / Warning
Event Submitted/Written: 06/01/2008 01:34:58 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type13226 / Warning
Event Submitted/Written: 05/24/2008 03:59:55 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type13182 / Warning
Event Submitted/Written: 05/23/2008 04:06:10 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type13112 / Warning
Event Submitted/Written: 05/23/2008 00:19:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-13 22:01:03 ------------


The Kaspersky scan report


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 03:05:40
Records in database: 862537
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 123008
Threat name: 1
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 03:21:29


File name / Threat name / Threats count
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application Data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Trash Infected: Trojan-Spy.HTML.Paylap.ev 2
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Trash Infected: Trojan-Spy.HTML.Paylap.ev 2
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Trash Infected: Trojan-Spy.HTML.Paylap.ev 2
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\Mail\Local Folders\Local Folders Win2000.sbd\Communicator 4.x Mail.sbd\Trash Infected: Trojan-Spy.HTML.Paylap.ev 2

The selected area was scanned.

#6 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 June 2008 - 10:43 AM

Hello again, Fairbanks.

We need to move some files.
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please set your system to show hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select the "Show hidden files and folders" radio button.
  • Uncheck the "Hide file extensions for known file types" checkbox.
  • Uncheck the "Hide protected operating system files (Recommended)" checkbox.
  • Click OK to confirm.
  • Close/exit My Computer.
We need to see if some files are malware.
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to each of the following files and click Submit.
    • C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat <-- This file
    • C:\WINDOWS\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat <-- This file
    Note: You will have to scan each file individually.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
  • Please post back the results of the scan in your next post.
Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

When you are finished, please post a new HijackThis log here in a reply. Also, please let me know of any problems you may have encountered.

Please reply with a new HJT log.


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
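The reboot note above describes OTMoveIt2 deferring locked folders to the next boot and writing a results log; the following added example (my own code, not OldTimer's) parses that log format, the "moved successfully" and "Folder move failed ... scheduled to be moved on reboot" lines as pasted in the next reply, and reports what the reboot pass still lists as pending, which is the check a responder makes before calling the move complete. The sample log is constructed with shortened paths, and matching a "File move failed." variant is an assumption.

```python
"""Triage an OTMoveIt2 results log.

Added example, not OldTimer's code. It classifies each result line as
moved, deferred to reboot, or still deferred after the
"Files moved on Reboot..." pass, so a responder can tell from the log
alone whether the move actually completed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the line format OTMoveIt2 writes. Paths are
# shortened stand-ins, not the real ones from the thread.
SAMPLE_LOG = """\
C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd\\Sent.sbd moved successfully.
Folder move failed. C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd\\Old.sbd scheduled to be moved on reboot.
Folder move failed. C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd scheduled to be moved on reboot.
C:\\Data Only\\Mail2\\Communicator 4.x Mail.sbd moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06152008_211602

Files moved on Reboot...
Folder move failed. C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd\\Old.sbd scheduled to be moved on reboot.
Folder move failed. C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd\\Old.sbd scheduled to be moved on reboot.
Folder move failed. C:\\Data Only\\Mail\\Communicator 4.x Mail.sbd scheduled to be moved on reboot.
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
# Only "Folder move failed." appears in the thread; the "File" variant is assumed.
DEFERRED_RE = re.compile(
    r"^(?:Folder|File) move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"
)
REBOOT_MARKER = "Files moved on Reboot..."


@dataclass
class MoveReport:
    moved: list = field(default_factory=list)          # completed in the first pass
    deferred: list = field(default_factory=list)       # deferred to reboot in the first pass
    still_pending: list = field(default_factory=list)  # listed again after the reboot pass
    unparsed: list = field(default_factory=list)       # lines matching no known format


def parse_otmoveit_log(text: str) -> MoveReport:
    """Walk the log top to bottom; entries after the reboot marker belong to the reboot pass."""
    report = MoveReport()
    in_reboot_pass = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == REBOOT_MARKER:
            in_reboot_pass = True
            continue
        if line.startswith("OTMoveIt2 by OldTimer"):
            continue  # version/timestamp header, not a file entry
        m = MOVED_RE.match(line)
        if m:
            report.moved.append(m.group("path"))
            continue
        m = DEFERRED_RE.match(line)
        if m:
            target = report.still_pending if in_reboot_pass else report.deferred
            target.append(m.group("path"))
            continue
        report.unparsed.append(line)
    return report


def pending_after_reboot(report: MoveReport) -> list:
    """Unique paths the reboot pass still reports as deferred; non-empty means another reboot is needed."""
    return sorted(set(report.still_pending))


def summarize(text: str) -> dict:
    """Counts a responder would read off before deciding whether the move finished."""
    report = parse_otmoveit_log(text)
    pending = pending_after_reboot(report)
    return {
        "moved": len(report.moved),
        "deferred": len(report.deferred),
        "pending_after_reboot": len(pending),
        "unparsed": len(report.unparsed),
        "complete": not pending,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```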

#7 fairbanks

  • Topic Starter

  • Members
  • 12 posts

Posted 15 June 2008 - 10:02 PM

Hi Billy,

I tried to follow your instructions as much as possible. I encountered a problem with running OTMoveIt2. It seemed to move some files and then ask me to reboot the PC, which I did. After reboot, I was immediately asked to run OTMoveIt2 again, which I did. However, the log still seemed to say that files would be moved after reboot. It didn't ask me to reboot again, so I didn't. The log is shown below.

I also scanned the two files in the order you listed using the Jotti page. I saved the scan results as text. The 2 text files appear below.

I used the Microsoft Windows Update to do a custom update of the High Priority updates, except the following:
Windows Malicious Software Removal Tool - June 2008 (KB890830)
Windows Internet Explorer 7 for Windows XP
Cumulative Security Update for Outlook Express for Windows XP (KB929123)
and Service Pack 3

I had major problems with Microsoft's Malicious Software Removal Tool on my prior Dell PC running McAfee, so I'm reluctant to download this again.
I had attempted to download Service Pack 3, but ran into a problem and since I only have dial-up it takes 4 hours or so to do the download, so before I try this again, I need to read up more on it. I did read that there is some conflict based on the order in which you download and install Service Pack 3 and IE 7. So, until I know more about that, I have also not installed IE 7.
I don't use Outlook Express at all, so unless there is some security issue even if Outlook Express is not used, I wasn't sure that this update would be necessary.

I rebooted the PC after doing all the other Microsoft High Priority updates and then ran another HijackThis log, which appears below.

Thanks again for all your help; I'm hoping what I've done will be useful. If I absolutely need to do more with the Microsoft update now, please let me know, but it may take some time for me to complete those that remain.

Fairbanks

OTMoveIt2 log

C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd moved successfully.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd scheduled to be moved on reboot.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd moved successfully.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd scheduled to be moved on reboot.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd moved successfully.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd scheduled to be moved on reboot.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd moved successfully.
C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06152008_211602

Files moved on Reboot...
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd scheduled to be moved on reboot.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd scheduled to be moved on reboot.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd scheduled to be moved on reboot.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd scheduled to be moved on reboot.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd scheduled to be moved on reboot.
Folder move failed. C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd scheduled to be moved on reboot.

Jotti Scan results file 1

Online malware scan - Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: DVCStateBkp-{00000000-00000004}.dat
Status: OK
MD5: 66dc417f024f12a2f0ed6217e8cbdb9d
Packers detected: -

Scanner results
Scan taken on 16 Jun 2008 01:37:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Jotti Scan results file 2

Online malware scan - Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: DVCState-{00000000-00000004}.dat
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 66dc417f024f12a2f0ed6217e8cbdb9d
Packers detected: -

Scanner results
Scan taken on 16 Jun 2008 01:43:49 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:29 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\lotus\organize\easyclip.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://support.earthlink.net/"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\zxqtaatk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus Organizer EasyClip.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O17 - HKLM\System\CCS\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{322F3875-26D4-48A2-9628-E98A50B3F033}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10966 bytes

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 June 2008 - 01:43 AM

Hello, fairbanks.

Sorry about this, I made a mistake...
Don't worry about the files OTMoveit failed on, those weren't supposed to go anyway :D

We need to restore some files from OTMoveIt
  • Double click OTMoveIt2.exe on your desktop to run the program.
  • Click the purple "Restore" button.
  • You will be asked to open a restore file. OTMoveIt should default to the correct directory. Open the oldest .res file.
  • In the resultant window, check the boxes next to the following lines only!

    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd
    C:\Data Only PC_3_Win2000\DocuAndSettingWin2000_061706\Administrator\Application data\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail053006\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZMindspringInSenton05202001_copy.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\EllenA.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DueSouth.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep3.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep2.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\DSKeep1.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\Dsdups.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\BMiller.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd\ATTFile.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailbefore052298OldComp.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\ZATTMailafter052298.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd\EllenSentBox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\Sent.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\NancyInbox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\EllenInbox.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxPGLSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd\DSInbxDgSave.sbd
    C:\Data Only PC_3_Win2000\EllenWin2000\NetscapeMail060206\Mozilla\Profiles\reeser\w5w9lpx8.slt\Mail\Local Folders\Communicator 4.x Mail.sbd
  • Click the Red RestoreIt button
  • Close OTMoveIt2
Please set your system to hide hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select the "Hide hidden files and folders" radio button.
  • Check the "Hide file extensions for known file types" checkbox.
  • Check the "Hide protected operating system files (Recommended)" checkbox.
  • Click OK to confirm.
  • Close/exit My Computer.
fairbanks, you now appear to be clean. Congratulations!

We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "Bad email files"

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!

  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.

  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.

  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.

  • Install and use Spybot Search & Destroy
    Instructions are located here.
    Make sure you update, reimmunize & scan regularly.

  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window.
    For a more detailed explanation of the HOSTS file, click here.

  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium rate dialers.

  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
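The HOSTS-file mechanism described in the post above, with the check a defender would run over a hosts file to separate blocking entries (the kind Spybot's list installs) from entries that redirect update or security-vendor hostnames elsewhere (an added example, not code from the thread or from Spybot S&D; the watched-domain list and the sample file are constructed):

```python
import ipaddress

# Hostnames a defender would not expect to see redirected. Constructed list for
# this example; extend it with the vendors actually in use on the PC.
WATCHED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "mcafee.com", "spybot.info")

# A mapping to one of these addresses blocks the site rather than redirecting it.
BLOCKING_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Constructed sample hosts file: two blocking entries, two redirects, one bad line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  www.example-adserver.test   # blocking entry, as Spybot's list adds
0.0.0.0    tracker.example.test
192.0.2.10 update.microsoft.com        # redirect away from the real host
192.0.2.10 download.mcafee.com
not-an-ip  broken.line
"""

def parse_hosts(text):
    """Yield (address, hostname, line_no) for each mapping; skip comments and garbage."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; Windows ignores such lines too
        for host in parts[1:]:
            yield addr, host.lower(), n

def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (blocking_count, suspicious) where suspicious = [(line, host, addr)]."""
    blocking, suspicious = 0, []
    for addr, host, n in parse_hosts(text):
        if host == "localhost":
            continue                      # the stock entry, not a block or a redirect
        if addr in BLOCKING_ADDRS:
            blocking += 1
        elif is_watched(host):
            suspicious.append((n, host, str(addr)))
    return blocking, suspicious

if __name__ == "__main__":
    count, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} blocking entries")
    for n, host, addr in bad:
        print(f"line {n}: {host} -> {addr} (not loopback; possible update hijack)")
```

On a real XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; a hit in the suspicious list explains why updates or vendor sites silently fail.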

#9 fairbanks

fairbanks
  • Topic Starter

  • Members
  • 12 posts

Posted 17 June 2008 - 10:10 PM

Hi Billy,

When I click the Restore button in OTMoveIt2 and open the restore file, I can't see enough of the pathname to be able to determine which files I'm supposed to check. I might be able to guess that the files after the 1st 19 in the list are the files after the 1st 16 files in the list in your post reply. But I can't see any of the file names of the 1st 19 in the restore file list on either the "from" or the "to" windows. I widened the "from" and "to" windows as much as possible but it won't let me widen it past the actual screen size and that's not enough to show the name. The scroll bar won't scroll to let me widen the windows any further, it jumps from the one window to the next when it reaches the edge of the screen. So, what should I do?

Should I restore all of the files, including what must be 3 files that shouldn't be restored? Or can you tell me what order the files should appear in the windows compared to the order in your posting list so I can tell what to check based on the order?

I didn't get any further than this, because I don't know what to do with OTMoveIt2.

Thanks for your help.

Fairbanks

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 June 2008 - 01:14 AM

Hello, fairbanks.

Every file otmoveit moved should be restored.

It didn't move the bad files, but according to OTMoveIT, the bad files didn't even exist.

The Kaspersky scan is brand new. The old one only pointed infections out, and didn't remove them. It seems the new one can remove what it finds in some cases as well :thumbsup:

Billy3

#11 fairbanks

fairbanks
  • Topic Starter

  • Members
  • 12 posts

Posted 18 June 2008 - 09:01 PM

Hi Billy,

I checked all the boxes to restore all the files in the .res file. It moved a bunch of files, but 6 failed to restore and one couldn't find the source file. And the 3 original folders that contained all these files, do not look like they did before OTMoveIt2 was used the first time to move the original files. The directory tree structure is very noticeably different.

I have backups of the 3 original folders on an external hard drive (which was never connected at the time of or after the ctfmona infection). I'd like to just replace the folders as they exist now with my backup unless you know of some reason not to do that. The bad emails were all in the Trash folders and I can delete those manually if needed. In any case they won't ever be opened as emails.

I'd like to put those files back to the way they were, if they really weren't supposed to be moved in the first place.

Please let me know if you think this would cause a problem. Also, is it then safe to run OTMoveIt2 to clean up the tools? Or does this mean there is some problem with OTMoveIt2, since it couldn't restore the files as they were?

Thanks again for your help!

Fairbanks

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 June 2008 - 10:08 PM

Hello.

There should be no problem restoring the folders. It is safe to clean up with OTMoveIt. 8-)

Billy3

#13 fairbanks

fairbanks
  • Topic Starter

  • Members
  • 12 posts

Posted 19 June 2008 - 10:52 PM

Billy,

How long does it take OTMoveIt2 to run the Cleanup? It's been running for more than an hour and has never prompted for anything. The hourglass appears in the OTMoveIt2 window and in Task Manager it says Not Responding, but it's using CPU at 100%.

Is this ok? Can you tell me anything more about what it's supposed to be doing? Is it some type of scan that takes hours?

Thanks.

Fairbanks

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 19 June 2008 - 11:13 PM

Hello, fairbanks

No, it should take about 30 seconds. Go ahead and kill it, then delete this folder:
C:\_OTMoveIt

Billy3

#15 fairbanks

fairbanks
  • Topic Starter

  • Members
  • 12 posts

Posted 19 June 2008 - 11:35 PM

Hello Billy!

Thank you for replying so fast!!! I killed OTMoveIt2 and deleted C:\_OTMoveIt. However, in order to delete it I had to shorten one of the folder names. The pathname must have been too long for Windows XP to be able to recognize the files. Maybe this was the reason for the earlier move problem.

I don't know if the Clean Up actually did anything. It looks like all the icons for the tools are still on the Desktop, like dss.exe.

What do you suggest to do next?

Thanks again!

Fairbanks.



