Infected With Trojans, Vundos, Trats, Virtumond And More


30 replies to this topic

#1 cenzaman

Posted 29 May 2008 - 06:49 PM

My computer has been lagging lately, so I did a deep virus scan with Avanquest Fix-It and found no viruses. Searching through my files to see if anything seemed out of the ordinary, I saw a number of pos*.tmp files on the C: hard drive. I used Fix-It to remove these files and it only got worse. When my computer boots up, my Windows .wav file plays slow and distorted, as does the shutdown .wav file. My music files all play slow and distorted, and any music played on websites is the same. I also found that when I go into the properties of my wireless internet connection, I cannot access my firewall settings. This message appears:

Windows cannot display the properties of this connection. The Windows Management Instrumentation (WMI) information might be corrupted. To correct this, use System Restore to restore Windows to an earlier time (called a restore point). System Restore is located in the System Tools folder in Accessories.

I went to my System Restore to find it was not turned on and I had no restore points. My fiancé had purchased this laptop from a coworker, and I have been dealing with viruses and minor problems since we got it, but nothing this serious. It now takes eight to ten minutes for the computer to fully boot up, whereas before it was within a minute or two. I have since turned on System Restore, but in the condition the computer is now in there are no good restore points to go back to. I have run the Kaspersky Online Scanner and here is the log:

KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 6:16:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 813037


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 47129
Number of viruses found 27
Number of infected objects 119
Number of suspicious objects 0
Duration of the scan process 01:13:48

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\sprt_ads.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.r skipped

C:\WINDOWS\system32\nsiA.dll Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

C:\WINDOWS\system32\nnnllkk.dll Infected: Trojan-Downloader.Win32.Small.hlf skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\Temp\sqlite_XvkgceMdWcSHI5K Object is locked skipped

C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{21050C1B-1797-4B04-A42D-9F13120A2053}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\xmljacodec.dll Infected: not-a-virus:AdWare.Win32.Agent.zr skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7626709D.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\762D4496.exe Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E324888.exe Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1E536C64.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72B836A7.exe Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72D3068A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15F16075.exe Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\679A7519.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\67A71D0B.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-29_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DF6E84.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DFAFB8.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DFAFBF.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\Logs\MySpaceIM-20080529-174049.log Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\SkypeCache\myspace#3abeautifulfairyella\index2.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\SkypeCache\myspace#3abeautifulfairyella\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\SkypeCache\myspace#3abeautifulfairyella\profile256.dbb Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\SkypeCache\myspace#3abeautifulfairyella\user256.dbb Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\MySpace\IM\SkypeCache\myspace#3abeautifulfairyella\user1024.dbb Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\nwncocys.dll.QUAR00 Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\vtstr.exe.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\windows.QUAR00 Infected: Trojan.Win32.Zapchast.dt skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\mrofinu1000106.exe.tmp.QUAR00 Infected: Trojan-Downloader.Win32.Homles.ar skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\mrofinu1188.exe.QUAR00 Infected: Trojan-Downloader.Win32.Homles.ar skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\cpnghnan.exe.QUAR00.QUAR00 Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\gamadril20071203[1].QUAR00.QUAR00 Infected: Backdoor.Win32.Agent.dbm skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\ltfemchs.exe.QUAR00.QUAR00 Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\lyexabxc.exe.QUAR00.QUAR00 Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\MySpaceIM.exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\ovfbarkw.exe.QUAR00.QUAR00 Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qrjatydi.exe.QUAR00.QUAR00 Infected: not-a-virus:Downloader.Win32.WinFixer.ba skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\qttask.exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\srrxrngt.exe.QUAR00.QUAR00 Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\vtstr.exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\Application Data\Avanquest\Fix-It\Quarantine\YahooMessenger .exe.QUAR00.QUAR00 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444[1].exe.bac_a01700/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444[1].exe.bac_a01700 NSIS: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444[1].exe.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\vibyno4444.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\vibyno83122.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054368.DLL.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054369.exe.bac_a01700/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054369.exe.bac_a01700 NSIS: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054369.exe.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054400.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054407.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053540.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053674.exe.bac_a01700/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053674.exe.bac_a01700 NSIS: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053674.exe.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053938.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444.exe.bac_a01700/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444.exe.bac_a01700 NSIS: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TTC-4444.exe.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\gyreo83122.exe.bac_a01700/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\gyreo83122.exe.bac_a01700 NSIS: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\gyreo83122.exe.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\ZYMIHAZU.DLL.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\zymihazu979.dll.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054366.dll.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053534.DLL.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053535.dll.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0045201.exe.bac_a01700 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054276.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054436.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054528.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054590.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053573.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053639.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053971.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054001.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054089.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054122.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\vtstr.exe.bac_a01700 Infected: Virus.Win32.Trats.d skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0045204.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\TMP84.tmp.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054248.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054434.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053451.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053452.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053530.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053571.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053637.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053664.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054146.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\00jj99uuii66ddxxqqq.zip.bac_a01700/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\00jj99uuii66ddxxqqq.zip.bac_a01700 ZIP: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\00jj99uuii66ddxxqqq.zip.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\Crack.exe.bac_a01700 Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\a.zip.bac_a01700/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\a.zip.bac_a01700 ZIP: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\a.zip.bac_a01700 CryptFF.b: infected - 1 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\tk58[1].exe.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0054367.exe.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0053675.exe.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\tk58.exe.bac_a01700 Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\aroblcidr31z.exe.bac_a01700 Infected: Trojan-Downloader.Win32.Small.buy skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\bumebrpl5.exe.bac_a01700 Infected: Trojan.Win32.Pakes.bvs skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0045203.dll.bac_a01700 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\83122[1].exe.bac_a01700/data0004 Infected: Email-Worm.Win32.Zhelatin.zb skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\83122[1].exe.bac_a01700/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\83122[1].exe.bac_a01700 NSIS: infected - 2 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\83122[1].exe.bac_a01700 CryptFF.b: infected - 2 skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\winlogon.exe.bac_a01700 Infected: not-a-virus:PSWTool.Win32.PassView.p skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\A0045202.exe.bac_a01700 Infected: not-a-virus:AdWare.Win32.WebHancer.e skipped

C:\Documents and Settings\Ashlee Laptop\.housecall6.6\Quarantine\core.sys.bac_a01700 Infected: Rootkit.Win32.Agent.sg skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped

C:\Program Files\xxx.xxx\xpa.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.hr skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\change.log Object is locked skipped

Scan process completed.


I also ran Deckard's System Scanner and HijackThis, and here are those logs:

Deckard's System Scanner v20071014.68
Run by Ashlee Laptop on 2008-05-29 18:19:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ashlee Laptop.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:00 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Ashlee Laptop\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ashlee Laptop.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CDNSCacheObj Object - {376892AE-1825-4E5F-9F85-23F9640051CC} - C:\WINDOWS\xmljacodec.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKUS\S-1-5-21-4003139764-195983140-516462983-1009\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184773785843
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8619 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
2 int15.sys - c:\acer\empowering technology\erecovery\int15.sys
3 NAVENG - c:\progra~1\common~1\symant~1\virusd~1\20070407.017\naveng.sys (file missing)
3 NAVEX15 - c:\progra~1\common~1\symant~1\virusd~1\20070407.017\navex15.sys (file missing)
3 NdisFilt (OSA NdisFilter Protocol) - c:\windows\system32\drivers\ndisfilt.sys <Not Verified; OSA Technologies; >
3 NETMNT (Acer NetMonitor Protocol) - c:\windows\system32\drivers\netmnt.sys
3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
1 OsaFsLoc - c:\windows\system32\drivers\osafsloc.sys <Not Verified; OSA Technologies; >
2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; OSA Technologies, An Avocent Company; Windows ® 2000 DDK driver>
2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows ® 2000 DDK provider; OSA int15 Driver>
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - c:\program files\winpcap\rpcapd.exe" -d -f "%programfiles%\winpcap\rpcapd.ini" (file missing)
2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
3 SQTECH905C (DaulCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
3 USB11LDR (M-Audio USB Uno Loader) - c:\windows\system32\drivers\usb11ldr.sys <Not Verified; MIDIMAN; Midiman USB MidiSport 1x1 Loader>
3 USBMN1X1 (M-Audio USB Uno MIDI Driver) - c:\windows\system32\drivers\usbmn1x1.sys <Not Verified; M-Audio; M-Audio USB Midi 1x1 Midi Interface>
3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 AWService (AdminWorks Agent X6) - c:\acer\empowering technology\admserv.exe
2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - c:\program files\acer\acer arcade\kernel\tv\clcapsvc.exe
2 CLSched (CyberLink Task Scheduler (CTS)) - c:\program files\acer\acer arcade\kernel\tv\clsched.exe
2 CyberLink Media Library Service - c:\program files\acer\acer arcade\kernel\clml_ntservice\clmlserver.exe
2 Fix-It Task Manager - c:\program files\avanquest\fix-it\mxtask.exe
2 GEARSecurity (Gear Security Service) - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
2 MA_CMIDI_InstallerService (M-Audio Series II MIDI Installer) - c:\program files\m-audio\m-audio series ii midi\ma_cmidi_inst.exe <Not Verified; ; MA_CMIDI USB MIDI Installer Service>
4 NSCService (Norton Protection Center Service) - c:\program files\common files\symantec shared\security console\nscsrvce.exe
2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
2 RichVideo (Cyberlink RichVideo Service(CRVS)) - c:\program files\cyberlink\shared files\richvideo.exe
3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - c:\program files\winpcap\rpcapd.exe
2 Viewpoint Manager Service - c:\program files\viewpoint\common\viewpointservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-23 20:00:02 530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Wendy.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 18:21:30 0 d-------- C:\Program Files\Trend Micro
2008-05-29 16:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 16:22:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 16:22:51 0 d-------- C:\WINDOWS\LastGood
2008-05-26 18:36:59 0 d-------- C:\Program Files\xxx.xxx
2008-05-06 12:25:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-06 12:25:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-18 01:05:30 0 d-------- C:\Program Files\InterActual
2008-04-16 23:52:38 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-04-07 11:35:48 0 d-------- C:\Program Files\Ligos
2008-04-07 11:34:52 0 d-------- C:\Program Files\ffdshow
2008-04-07 11:33:26 0 d-------- C:\Program Files\NimoCodec Pack
2008-04-07 11:33:26 0 d-------- C:\Program Files\DivX
2008-04-07 11:32:58 0 d-------- C:\Program Files\AC3Filter
2008-03-10 11:23:02 223744 --a------ C:\WINDOWS\system32\b4fm.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376892AE-1825-4E5F-9F85-23F9640051CC}]
11/08/2007 10:36 AM 130048 --a------ C:\WINDOWS\xmljacodec.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [11/16/2005 08:27 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-29 18:23:02 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 49%
Physical Memory (total/avail): 1014.05 MiB / 508.37 MiB
Pagefile Memory (total/avail): 2440.37 MiB / 2014.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.16 MiB

C: is Fixed (FAT32) - 44.37 GiB total, 12.29 GiB free.
D: is Fixed (FAT32) - 44.86 GiB total, 43.35 GiB free.
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ashlee Laptop\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ACER-D8E77F41BE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ashlee Laptop
LOGONSERVER=\\ACER-D8E77F41BE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ASHLEE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ASHLEE~1\LOCALS~1\Temp
USERDOMAIN=ACER-D8E77F41BE
USERNAME=Ashlee Laptop
USERPROFILE=C:\Documents and Settings\Ashlee Laptop
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ashlee Laptop (admin)
Administrator.ACER-D8E77F41BE (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13E613EF-BB55-11D9-9D77-000129760D75}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4F90EC-B1DA-11D9-9D77-000129760D75}\setup.exe" -uninstall
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Acer Arcade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.EXE" -uninstall
Acer eDataSecurity Management 1.00.23 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E431C518-2EE2-471E-9234-BE995C36D513}\setup.exe" -l0x9 -removeonly
Acer eLock Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}
Acer Empowering Technology framework --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{15B70821-7893-4607-805A-BB80F3EA8279}
Acer eNet Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\Setup.exe" -l0x9
Acer ePerformance Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DEE08946-40F0-4890-853E-60A6C3306041}
Acer ePower Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer ePresentation Management --> C:\WINDOWS\UnInst32.exe AcerePrj.UNI
Acer eSettings Management --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Acer Screensaver --> MsiExec.exe /I{D458BBDC-0363-42E0-8FF9-4736E3CB3CA2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
CA Yahoo! Anti-Spy (remove only) --> "C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
Fix-It Utilities 8 Professional --> MsiExec.exe /I{5158974E-2D28-4018-9335-7694C2974746}
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_AcrS009E\HXFSETUP.EXE -U -IAcrS009E.inf
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Indeo® XP Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\UninstXP.isu"
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
M-Audio Series II MIDI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{379BD39E-F13E-458F-96D8-56BD7F2CC516}\setup.exe" -l0x9 -removeonly
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola Driver Installation --> MsiExec.exe /I{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NAVShortcut --> MsiExec.exe /I{F325CF11-27CE-4872-8022-6E9EB27DF24F}
Nimo Codecs Pack v5.0 (Remove Only) --> "C:\Program Files\NimoCodec Pack\uninstall.exe"
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Readiris 7.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}\setup.exe" -l0x9
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The Extractor --> C:\WINDOWS\iun6002.exe "C:\Program Files\The Extractor\irunin.ini"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
YOU DON'T KNOW JACK Volume 2 --> c:\windows\YDKJ2\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type21117 / Error
Event Submitted/Written: 05/29/2008 02:37:14 PM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type21105 / Error
Event Submitted/Written: 05/29/2008 11:38:54 AM
Event ID/Source: 1512 / Userenv
Event Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.


DETAIL - Insufficient system resources exist to complete the requested service.

Event Record #/Type21103 / Error
Event Submitted/Written: 05/29/2008 11:34:30 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type21091 / Error
Event Submitted/Written: 05/29/2008 01:47:07 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Event Record #/Type21076 / Error
Event Submitted/Written: 05/29/2008 01:27:41 AM
Event ID/Source: 28 / WinMgmt
Event Description:
WinMgmt could not initialize the core parts. This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26762 / Warning
Event Submitted/Written: 05/29/2008 04:42:52 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type26759 / Warning
Event Submitted/Written: 05/29/2008 03:45:52 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00166F10F252. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type26757 / Warning
Event Submitted/Written: 05/29/2008 03:43:41 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00166F10F252. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type26755 / Warning
Event Submitted/Written: 05/29/2008 02:37:18 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.132.117 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type26751 / Warning
Event Submitted/Written: 05/29/2008 11:38:55 AM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.



-- End of Deckard's System Scanner: finished at 2008-05-29 18:23:02 ------------

Any help will be greatly appreciated. Thank you for your time.

--Rick

#2 steamwiz

  • Members
  • 1,039 posts

Posted 30 May 2008 - 02:05 PM

Hi Rick

We can clean out the malware, but your biggest problem may be the corrupt (WMI) Windows Management Instrumentation ...

This is an integral part of Windows and almost impossible to repair manually ... I've tried ... with only about a 50% success rate ... with no restore points, then uninstalling and reinstalling SP2 would be worth a try ... SP2 downloads a new repository (WMI) ...

Or alternatively, is a format & reinstall an option for you?

Go to start > Run > type msinfo32 & press Ok ... does system information open? ... I doubt it ...

I'll get you to run a couple of programs & then let me know how you want to proceed?

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 cenzaman
  • Topic Starter

  • Members
  • 17 posts

Posted 30 May 2008 - 08:15 PM

Malwarebytes' Anti-Malware 1.14
Database version: 807

7:37:45 PM 5/30/2008
mbam-log-5-30-2008 (19-37-45).txt

Scan type: Quick Scan
Objects scanned: 39736
Time elapsed: 16 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (StartMenu.Hijack) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\xmljacodec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sprt_ads.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\x.dat (Worm.Alcra) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\z.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnllkk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ACER-D8E77F41BE\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ashlee Laptop\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#4 cenzaman
  • Topic Starter
  • Members
  • 17 posts

Posted 30 May 2008 - 09:28 PM

ComboFix 08-05-29.1 - Ashlee Laptop 2008-05-30 20:31:48.1 - FAT32x86

Running from: C:\Documents and Settings\Ashlee Laptop\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\Fonts\'
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\jjlunhbk.dllbox
C:\WINDOWS\system32\kpwghgse.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qiwfdceg.ini
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.ini2
C:\WINDOWS\system32\teeqmygg.ini
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\z1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Documents and Settings\Ashlee Laptop\Application Data\Malwarebytes
2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 19:19 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 19:19 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 19:18 . 2008-05-30 19:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 14:06 . 2008-05-30 14:06 <DIR> d-------- C:\Documents and Settings\Wendy
2008-05-29 18:21 . 2008-05-29 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 18:19 . 2008-05-29 18:19 <DIR> d-------- C:\Deckard
2008-05-29 16:22 . 2008-05-29 16:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 16:22 . 2008-05-29 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 01:43 . 2008-05-29 01:43 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-26 18:36 . 2008-05-26 18:37 <DIR> d-------- C:\Program Files\xxx.xxx
2008-05-09 08:58 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-09 08:58 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-06 14:45 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-06 14:45 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-06 12:25 . 2008-05-06 12:25 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-18 01:08 . 2008-04-18 01:08 0 --a------ C:\WINDOWS\iPlayer.INI
2008-04-18 01:05 . 2008-04-18 01:05 <DIR> d-------- C:\Program Files\InterActual
2008-04-16 23:52 . 2008-04-16 23:52 <DIR> d-------- C:\Program Files\Instant CD & DVD Burner
2008-04-07 11:35 . 2008-04-07 11:35 <DIR> d-------- C:\Program Files\Ligos
2008-04-07 11:35 . 2000-06-23 14:05 136,704 --------- C:\WINDOWS\system32\iacenc.dll
2008-04-07 11:35 . 2000-06-22 13:09 56,320 --------- C:\WINDOWS\system32\iyvu9_32.dll
2008-04-07 11:34 . 2008-04-07 11:34 <DIR> d-------- C:\Program Files\ffdshow
2008-04-07 11:33 . 2008-04-07 11:33 <DIR> d-------- C:\Program Files\NimoCodec Pack
2008-04-07 11:33 . 2008-04-07 11:33 <DIR> d-------- C:\Program Files\DivX
2008-04-07 11:32 . 2008-04-07 11:32 <DIR> d-------- C:\Program Files\AC3Filter
2008-04-07 11:32 . 2003-08-19 02:20 180,224 --a------ C:\WINDOWS\system32\ac3filter.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-10 16:23 223,744 ----a-w C:\WINDOWS\system32\b4fm.dll
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\dllcache\msctf.dll
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-12-20 01:00 92,064 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmmdm.sys
2007-12-20 01:00 9,232 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmmdfl.sys
2007-12-20 01:00 79,328 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmserd.sys
2007-12-20 01:00 66,656 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmbus.sys
2007-12-20 01:00 6,208 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmcmnt.sys
2007-12-20 01:00 5,936 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmwhnt.sys
2007-12-20 01:00 4,048 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmcr.sys
2007-12-20 01:00 25,600 ----a-w C:\Documents and Settings\Ashlee Laptop\usbsermptxp.sys
2007-12-20 01:00 22,768 ----a-w C:\Documents and Settings\Ashlee Laptop\usbsermpt.sys
.
<pre>
----a-w			94,208 2008-01-01 03:36:02  C:\WINDOWS\system32\igfxtray .exe
----a-w			15,360 2008-01-03 01:43:50  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-01 03:36:04  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-01 03:36:04  C:\WINDOWS\system32\igfxpers .exe
----a-w		   517,768 2008-01-03 01:28:08  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w		 1,694,208 2008-01-08 18:12:36  C:\Program Files\Messenger\msmsgs .exe
----a-w		   102,491 2008-01-01 16:58:36  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w		   692,315 2008-01-01 16:58:38  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   147,456 2008-01-01 16:58:36  C:\Program Files\Acer\Acer Arcade\PCMService .exe
----a-w		   458,752 2008-01-01 16:58:44  C:\Program Files\Launch Manager\QtZgAcer .EXE
----a-w		   132,496 2008-01-01 16:58:46  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   229,376 2008-01-01 16:58:46  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   224,248 2008-01-01 16:58:54  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w		 8,720,384 2008-01-01 16:59:18  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w			36,864 2008-01-01 16:58:56  C:\Program Files\mobile PhoneTools\WatchDog .exe
----a-w		   173,312 2008-01-01 16:58:56  C:\Program Files\Avanquest\Fix-It\MemCheck .exe
----a-w		 2,462,208 2008-01-01 16:58:52  C:\Acer\Empowering Technology\admtray .exe
----a-w			69,632 2008-01-01 16:58:38  C:\Acer\Empowering Technology\eDataSecurity\eDSloader .exe
----a-w		   212,992 2008-01-01 16:58:40  C:\Acer\Empowering Technology\ePower\epm-dm .exe
----a-w		 3,084,288 2008-01-01 16:58:52  C:\Acer\Empowering Technology\ePower\Acer ePower Management .exe
----a-w		   397,312 2008-01-01 16:58:38  C:\Acer\Empowering Technology\eRecovery\Monitor .exe
</pre>


------- Sigcheck -------

2004-08-04 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"midi1"= usbmn1x1.dll
"midi2"= usbmn1x1.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-08 17:33 53096 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-09 20:04 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM .exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Wendy.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 21:22:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-30 21:24:00 - machine was rebooted [Ashlee Laptop]
ComboFix-quarantined-files.txt 2008-05-31 02:23:52

Pre-Run: 13,153,140,736 bytes free
Post-Run: 13,167,493,120 bytes free

206 --- E O F --- 2008-05-27 21:02:50

#5 steamwiz
  • Members
  • 1,039 posts

Posted 31 May 2008 - 04:58 PM

Hi

Please find the following programs & empty their Quarantine folders ...

Norton AntiVirus\Quarantine
Avanquest\Fix-It\Quarantine
.housecall6.6\Quarantine

THEN ...

Open Notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\WINDOWS\system32\nsiA.dll

Folder::
C:\Program Files\xxx.xxx

RenV::
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Acer\Acer Arcade\PCMService .exe
C:\Program Files\Launch Manager\QtZgAcer .EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\Program Files\mobile PhoneTools\WatchDog .exe
C:\Program Files\Avanquest\Fix-It\MemCheck .exe
C:\Acer\Empowering Technology\admtray .exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader .exe
C:\Acer\Empowering Technology\ePower\epm-dm .exe
C:\Acer\Empowering Technology\ePower\Acer ePower Management .exe
C:\Acer\Empowering Technology\eRecovery\Monitor .exe


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Then run & post a new KASPERSKY ONLINE SCANNER REPORT.

Please look back at my previous post and answer my questions.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#6 cenzaman
  • Topic Starter
  • Members
  • 17 posts

Posted 01 June 2008 - 12:22 AM

Hi Steam

Again, thanks for all this help. I'm posting the combofix.txt and HijackThis logs, but first to answer your questions. I ran the System Information and the window popped up and read:

Can't Collect Information
Cannot access the Windows Management Instrumentation software. Windows Management files may be moved or missing.

I'm guessing that was not good news. As for formatting and reinstalling, were you referring to just the SP2 or the whole hard drive, because I'm not too comfortable with formatting the hard drive just yet. I think reinstalling SP2 is a minimal risk and I'd like to go that route first and see what happens. This of course is a used computer and I realized on its purchase that it would come with some problems, I just never thought they would be this intense. Once again, thank you for all of your help. If it wasn't for techs like you, no one's computer would work! Here are the logs:

ComboFix 08-05-29.1 - Ashlee Laptop 2008-05-31 19:38:35.2 - FAT32x86

Running from: C:\Documents and Settings\Ashlee Laptop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ashlee Laptop\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\nsiA.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nsiA.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Documents and Settings\Ashlee Laptop\Application Data\Malwarebytes
2008-05-30 19:19 . 2008-05-30 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 19:19 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 19:19 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 19:18 . 2008-05-30 19:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-30 14:06 . 2008-05-30 14:06 <DIR> d-------- C:\Documents and Settings\Wendy
2008-05-29 18:21 . 2008-05-29 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 18:19 . 2008-05-29 18:19 <DIR> d-------- C:\Deckard
2008-05-29 16:22 . 2008-05-29 16:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 16:22 . 2008-05-29 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 01:43 . 2008-05-29 01:43 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-09 08:58 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-05-09 08:58 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-05-06 14:45 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-06 14:45 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-06 12:25 . 2008-05-06 12:25 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 06:05 --------- d-----w C:\Program Files\InterActual
2008-04-17 04:52 --------- d-----w C:\Program Files\Instant CD & DVD Burner
2008-04-07 16:35 --------- d-----w C:\Program Files\Ligos
2008-04-07 16:34 --------- d-----w C:\Program Files\ffdshow
2008-04-07 16:33 --------- d-----w C:\Program Files\NimoCodec Pack
2008-04-07 16:33 --------- d-----w C:\Program Files\DivX
2008-04-07 16:32 --------- d-----w C:\Program Files\AC3Filter
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-10 16:23 223,744 ----a-w C:\WINDOWS\system32\b4fm.dll
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-20 01:00 92,064 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmmdm.sys
2007-12-20 01:00 9,232 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmmdfl.sys
2007-12-20 01:00 79,328 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmserd.sys
2007-12-20 01:00 66,656 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmbus.sys
2007-12-20 01:00 6,208 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmcmnt.sys
2007-12-20 01:00 5,936 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmwhnt.sys
2007-12-20 01:00 4,048 ----a-w C:\Documents and Settings\Ashlee Laptop\mqdmcr.sys
2007-12-20 01:00 25,600 ----a-w C:\Documents and Settings\Ashlee Laptop\usbsermptxp.sys
2007-12-20 01:00 22,768 ----a-w C:\Documents and Settings\Ashlee Laptop\usbsermpt.sys
.
<pre>
----a-w			94,208 2008-01-01 03:36:02  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-05-30_21.23.15.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 01:37:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 23:56:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-03 01:43:50 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2004-08-04 10:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-01-03 01:43:50 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-01-01 03:36:04 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2008-01-01 03:36:04 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2008-01-01 11:58 3084288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-01 11:59 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"midi1"= usbmn1x1.dll
"midi2"= usbmn1x1.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= L3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-08 17:33 53096 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-08 13:12 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - MAILSCAN
.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Wendy.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 19:40:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 19:40:36
ComboFix-quarantined-files.txt 2008-06-01 00:40:34
ComboFix2.txt 2008-05-31 02:24:04

Pre-Run: 13,295,353,856 bytes free
Post-Run: 13,280,542,720 bytes free

136 --- E O F --- 2008-05-27 21:02:50

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Run by Ashlee Laptop on 2008-05-31 21:36:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ashlee Laptop.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:35 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ashlee Laptop\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ASHLEE~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4003139764-195983140-516462983-1009\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-4003139764-195983140-516462983-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184773785843
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8230 bytes

-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-30 20:24:44 0 d-------- C:\cmdcons
2008-05-30 20:23:14 68096 --a------ C:\WINDOWS\zip.exe
2008-05-30 20:23:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-30 20:23:14 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-30 20:23:14 98816 --a------ C:\WINDOWS\sed.exe
2008-05-30 20:23:14 80412 --a------ C:\WINDOWS\grep.exe
2008-05-30 20:23:14 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-30 20:23:13 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-30 20:23:13 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-30 19:19:18 0 d-------- C:\Documents and Settings\Ashlee Laptop\Application Data\Malwarebytes
2008-05-30 19:19:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 19:19:11 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 19:18:30 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-29 18:21:30 0 d-------- C:\Program Files\Trend Micro
2008-05-29 16:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 16:22:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 12:25:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-06 12:25:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-18 01:05:30 0 d-------- C:\Program Files\InterActual
2008-04-16 23:52:38 0 d-------- C:\Program Files\Instant CD & DVD Burner
2008-04-07 11:35:48 0 d-------- C:\Program Files\Ligos
2008-04-07 11:34:52 0 d-------- C:\Program Files\ffdshow
2008-04-07 11:33:26 0 d-------- C:\Program Files\NimoCodec Pack
2008-04-07 11:33:26 0 d-------- C:\Program Files\DivX
2008-04-07 11:32:58 0 d-------- C:\Program Files\AC3Filter
2008-03-10 11:23:02 223744 --a------ C:\WINDOWS\system32\b4fm.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [11/16/2005 08:27 PM C:\WINDOWS\RTHDCPL.exe]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [01/01/2008 11:58 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [01/02/2008 08:43 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)

*Newly Created Service* - CATCHME
*Newly Created Service* - MAILSCAN



-- End of Deckard's System Scanner: finished at 2008-05-31 21:37:36 ------------


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 9:35:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 819549


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 45267
Number of viruses found 6
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 01:05:50

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\Temp\sqlite_JeeGpTjutNZ63Vb Object is locked skipped

C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-31_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DFFEEA.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DFFEF1.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\change.log Object is locked skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000193.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000195.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000197.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000198.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000202.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.hr skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000216.dll Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nsiA.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

D:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\change.log Object is locked skipped

Scan process completed.

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 01 June 2008 - 03:38 PM

Hi

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


THEN ...

Run & post a new KASPERSKY ONLINE SCANNER REPORT

Then let me know what problems you are still having.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#8 cenzaman

cenzaman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 02 June 2008 - 10:09 AM

KASPERSKY ONLINE SCANNER REPORT
Monday, June 02, 2008 10:05:38 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 821471


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 47118
Number of viruses found 6
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 01:06:30

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\Temp\sqlite_yKGq1rORtDw5XDi Object is locked skipped

C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DF6657.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Local Settings\Temp\~DF665E.tmp Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ashlee Laptop\ntuser.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000193.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000195.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000197.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000198.exe Infected: Virus.Win32.Trats.d skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000202.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.hr skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000216.dll Infected: not-a-virus:AdWare.Win32.BHO.adj skipped

C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP2\change.log Object is locked skipped

Scan process completed.

Steam,

My computer is still lagging quite a bit. Any sound file (.wav, mp3, etc.) is playing slow and distorted.

Thanks, Rick

#9 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 02 June 2008 - 03:35 PM

Hi

Your log is essentially clean now ...

ALL the entries found by Kaspersky are in System Restore points. When you uninstall ComboFix, it cleans all restore points ... in your case it was not able to do so, because System Restore is not working, and System Restore is not working because your WMI infrastructure is corrupt.

This is no longer a malware-related problem, and your sound problems may be totally unrelated to your WMI problem...

When I suggested reinstalling, I meant wiping the hard drive and starting again, something you should have done when you first got the computer :thumbsup:

I think your next best course of action will be to uninstall SP2 from Add/Remove Programs and then download and reinstall it. Stay away from SP3; many people have had problems with it.... but don't do that yet.

But before you do anything else, I want you to get a couple of logs for me; let's see just how bad the problem is ...

-

I want you to create a folder, somewhere easy to find ... you are going to download a self-extracting exe file to it, and then extract the files to the same folder... OK

I suggest the root C:\ folder ...

Click > Start > My computer > C:

right click in the folder and select > new > folder > call it WMIDiag

then ...

Please go here :-

http://www.microsoft.com/downloads/details...;displaylang=en

Click download > save > save it to the folder you created ... C:\WMIDiag

you will then have > C:\WMIDiag\WMIDiag.exe

Go to the folder & Double click the WMIDiag.exe

browse to the C:\WMIDiag folder & click unzip

you should now have 4 files in that folder :-

WMIDiag.exe
WMIDiag.doc
WMIDiag.vbs
WMIDiag.xls

Let me know when you are at this point, or if you have trouble getting here ...

steam
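
The check steam describes above, that every Kaspersky detection sits in a System Restore point (or in ComboFix's QooBox quarantine) rather than in a file that can still be loaded, is what an analyst does on each of these reports. The script below is an added example for this thread, not a tool anyone posted in it. It parses the line format the Kaspersky Online Scanner reports above use ("<path> Object is locked skipped" and "<path> Infected: <verdict> skipped"), drops the locked-hive and log-file noise, and classifies each detection by where it lives. SAMPLE_REPORT is constructed: real lines trimmed from the 02 June 2008 report above, plus one hypothetical live path (C:\WINDOWS\system32\hypothetical_live.dll with a made-up verdict name) to show how a live hit would be reported, with the "Number of infected objects" line set to match the trimmed count.

```python
"""Triage a Kaspersky Online Scanner 5.0 report: which detections are live
files and which are only copies inside System Restore points or a
ComboFix quarantine.

Added example for this thread, not a tool posted in it.  The line format
is the one used by the reports above; SAMPLE_REPORT is constructed from
trimmed copies of those lines plus one hypothetical live path."""
import re
from collections import Counter

# Constructed sample: real lines trimmed from the 02 June 2008 report,
# plus a hypothetical live detection; the statistics line is set to match.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Scan Statistics
Total number of scanned objects 47118
Number of viruses found 6
Number of infected objects 5
Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\Documents and Settings\Ashlee Laptop\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000193.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{B87F36FC-155B-443C-B65A-D13BE62F944B}\RP1\A0000202.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.hr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nsiA.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.adj skipped
C:\WINDOWS\system32\hypothetical_live.dll Infected: Constructed.Win32.Example.a skipped
Scan process completed.
"""

# One object per line: "<path> Object is locked <action>" or
# "<path> Infected: <verdict> <action>".  Paths contain spaces, so the
# path group is non-greedy and the verdict markers do the splitting.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)) (?P<action>\S+)$"
)
STAT_RE = re.compile(r"^Number of infected objects (\d+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
QUARANTINE_RE = re.compile(r"\\QooBox\\Quarantine\\", re.I)


def classify(path):
    """Where the detected object lives: restore points and quarantine are
    inert copies; 'live' means it could still be loaded."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if QUARANTINE_RE.search(path) or path.lower().endswith(".vir"):
        return "quarantine"
    return "live"


def parse_report(text):
    """Return (scanner's own infected count or None, list of detections)."""
    reported = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            reported = int(m.group(1))
            continue
        m = LINE_RE.match(line)
        if not m or m.group("locked"):
            continue  # locked hives, event logs and index.dat are normal noise
        path = m.group("path")
        detections.append({"path": path, "name": m.group("name"),
                           "action": m.group("action"), "location": classify(path)})
    return reported, detections


def triage(text):
    """Summarise a report: counts per location, the live hits, and whether
    the parsed count matches the scanner's statistics (a mismatch means the
    pasted report was truncated or the format is not what we expect)."""
    reported, detections = parse_report(text)
    live = [d for d in detections if d["location"] == "live"]
    return {
        "reported_infected": reported,
        "parsed_infected": len(detections),
        "counts_match": reported == len(detections),
        "by_location": dict(Counter(d["location"] for d in detections)),
        "live": live,
        "verdict": ("live detections present" if live
                    else "clean apart from restore-point/quarantine copies"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key in ("reported_infected", "parsed_infected", "counts_match", "by_location", "verdict"):
        print(f"{key}: {result[key]}")
    for d in result["live"]:
        print("LIVE:", d["name"], d["path"])
```

Run against the full 02 June report pasted above, it parses 11 detections, all in RP1 under System Volume Information, which is the "essentially clean" verdict given in the post; the counts_match flag is there because a report copied out of a browser is often cut short, and a clean verdict on a truncated report is worthless.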

#10 cenzaman

cenzaman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 02 June 2008 - 04:06 PM

Steam,

Ok I did all that and I do have four files in that folder

#11 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:10:53 AM

Posted 02 June 2008 - 04:57 PM

Hi

go to the C:\WMIDiag folder & ...

Doubleclick the WMIDiag.vbs file

You will get a message saying that WMIDiag will run silently in the background ... if you want to see it running, type something ... just ignore this message...

On my computer, the script ran for about 4 minutes ... do not touch the mouse or keyboard during this time.

It then popped up the message ... so write down exactly what your message says, please, and post it in your next post... it may take longer on your computer, so please be patient and wait for the popup to say it has finished...

When it has finished and you have made a note of what it says, go to Start > Run > paste %temp% to open your temp folder...

The last files in the list will be 3 WMIDIAG-V2.0-XP files... one ending in .LOG, one REPORT.TXT and one STATISTICS.CSV.

Highlight all 3 files > right click > copy

Go to the C:\WMIDiag folder, where your other files are, > right click > paste (they could easily have been deleted from the temp folder; now they are safer).

For the moment I just want to see the 2 files: the one ending in .LOG and the REPORT.TXT.

Now highlight the 2 files > right click on them and zip them... depending on your zip program, there could be several ways to do this .... probably for you > Send To > Compressed (zipped) Folder...

upload the zipped file with your next post...

steam
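
The collection steps above (find the three WMIDIAG-V2.0_XP files in %temp%, copy them somewhere the temp cleaner will not reach, zip the .LOG and REPORT.TXT for upload) as an added example script for whoever scripts the evidence collection; it is not a script from the thread. It assumes WMIDiag 2.0 writes three files whose names start with WMIDIAG-V2.0_XP and share one yyyy.mm.dd_hh.mm.ss run stamp, as in the .LOG name WMIDiag reports; the exact separators before REPORT.TXT and STATISTICS.CSV are an assumption, so the matching is deliberately loose. When several runs are lying in the temp folder it takes the newest, so a stale run is not uploaded by mistake. The demo builds a throwaway fake temp folder with two constructed runs; the hostname in the constructed file names is the one from this thread.

```python
"""Collect the WMIDiag output set from the temp folder into a working
folder and zip the .LOG and REPORT.TXT for upload.

Added example for the collection steps in the post above; not a script
from the thread.  Assumed: WMIDiag 2.0 writes three files whose names
start with WMIDIAG-V2.0_XP and share one yyyy.mm.dd_hh.mm.ss run stamp.
The exact separators before REPORT.TXT and STATISTICS.CSV are an
assumption, so matching is deliberately loose."""
import os
import re
import shutil
import tempfile
import zipfile

STAMP_RE = re.compile(r"(\d{4}\.\d{2}\.\d{2}_\d{2}\.\d{2}\.\d{2})")
# kind -> filename suffix (compared upper-cased)
KINDS = {"log": ".LOG", "report": "REPORT.TXT", "statistics": "STATISTICS.CSV"}


def find_wmidiag_sets(temp_dir):
    """Group WMIDiag output files by run stamp: {stamp: {kind: path}}."""
    runs = {}
    for name in os.listdir(temp_dir):
        upper = name.upper()
        if not upper.startswith("WMIDIAG-V2.0_XP"):
            continue
        stamp = STAMP_RE.search(name)
        if not stamp:
            continue
        for kind, suffix in KINDS.items():
            if upper.endswith(suffix):
                runs.setdefault(stamp.group(1), {})[kind] = os.path.join(temp_dir, name)
                break
    return runs


def latest_run(runs):
    """Newest run wins; the stamp sorts chronologically as a string, so an
    older leftover run in the temp folder is never picked up by mistake."""
    if not runs:
        raise FileNotFoundError("no WMIDiag output found")
    stamp = max(runs)
    return stamp, runs[stamp]


def collect(temp_dir, dest_dir):
    """Copy the newest run's files to dest_dir (temp gets cleaned, dest_dir
    does not) and zip LOG + REPORT.  Returns (stamp, {kind: copy}, zip)."""
    stamp, files = latest_run(find_wmidiag_sets(temp_dir))
    os.makedirs(dest_dir, exist_ok=True)
    copied = {}
    for kind, src in files.items():
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        copied[kind] = dst
    zip_path = os.path.join(dest_dir, f"WMIDiag_{stamp}.zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for kind in ("log", "report"):  # only the two files asked for
            if kind in copied:
                zf.write(copied[kind], arcname=os.path.basename(copied[kind]))
    return stamp, copied, zip_path


def zip_members(zip_path):
    """Names inside the archive, sorted (to verify before uploading)."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def demo():
    """Constructed temp folder with two runs (separators assumed); collects
    the newer one into a throwaway folder.  Real use on the machine:
    collect(os.environ["TEMP"], "C:\\WMIDiag")."""
    temp_dir = tempfile.mkdtemp(prefix="fake_temp_")
    dest_dir = tempfile.mkdtemp(prefix="WMIDiag_")
    base = "WMIDIAG-V2.0_XP__.CLI.SP2.32_ACER-D8E77F41BE_"
    for stamp in ("2008.06.02_18.59.34", "2008.06.02_19.10.02"):
        for suffix in (".LOG", "-REPORT.TXT", "-STATISTICS.CSV"):
            with open(os.path.join(temp_dir, base + stamp + suffix), "w") as fh:
                fh.write(f"constructed {suffix} for run {stamp}\n")
    return collect(temp_dir, dest_dir)


if __name__ == "__main__":
    run_stamp, copies, archive = demo()
    print("run:", run_stamp)
    print("copied:", sorted(copies))
    print("zip:", archive, zip_members(archive))
```

All three files are copied (the STATISTICS.CSV is kept for later even though only the LOG and REPORT go into the zip), and copy2 preserves the modification times, which matter when the log's own timestamps are being compared with event logs.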

#12 cenzaman

cenzaman
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 02 June 2008 - 07:10 PM

Steam,

When I ran the WMIDiag it took all of 30 seconds. Here is the message that popped up:

Error:
WMIDiag detected issues that could prevent WMI to work properly!.
Check 'C:\DOCUMENTS AND SETTINGS\ASHLEE LAPTOP\LOCAL
SETTINGS\TEMP\WMIDIAG-V2.0_XP__.CLI.SP2.32_ACER-D8E77F41BE_2008.06.02_18.59.34.LOG' for details

The log it posted was this:

.1497 18:59:44 (0) ** WMIDiag v2.0 started on Monday, June 02, 2008 at 18:59.
.1498 18:59:44 (0) **
.1499 18:59:44 (0) ** Copyright © Microsoft Corporation. All rights reserved - January 2007.
.1500 18:59:44 (0) **
.1501 18:59:44 (0) ** This script is not supported under any Microsoft standard support program or service.
.1502 18:59:44 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
.1503 18:59:44 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
.1504 18:59:44 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
.1505 18:59:44 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
.1506 18:59:44 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
.1507 18:59:44 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
.1508 18:59:44 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
.1509 18:59:44 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
.1510 18:59:44 (0) ** of the possibility of such damages.
.1511 18:59:44 (0) **
.1512 18:59:44 (0) **
.1513 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1514 18:59:44 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
.1515 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1516 18:59:44 (0) **
.1517 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1518 18:59:44 (0) ** Windows XP - Service pack 2 - 32-bit (2600) - User 'ACER-D8E77F41BE\ASHLEE LAPTOP' on computer 'ACER-D8E77F41BE'.
.1519 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1520 18:59:44 (0) ** Environment: ........................................................................................................ OK..
.1521 18:59:44 (0) ** There are no missing WMI system files: .............................................................................. OK.
.1522 18:59:44 (0) ** There are no missing WMI repository files: .......................................................................... OK.
.1523 18:59:44 (0) ** WMI repository state: ............................................................................................... NOT TESTED.
.1524 18:59:44 (0) ** BEFORE running WMIDiag:
.1525 18:59:44 (0) ** The WMI repository has a size of: ................................................................................... 6 MB.
.1526 18:59:44 (0) ** - Disk free space on 'C:': .......................................................................................... 12600 MB.
.1527 18:59:44 (0) ** - INDEX.BTR, 1130496 bytes, 12/25/2007 10:16:34 AM
.1528 18:59:44 (0) ** - INDEX.MAP, 576 bytes, 6/1/2008 6:09:48 PM
.1529 18:59:44 (0) ** - MAPPING.VER, 4 bytes, 6/1/2008 6:09:48 PM
.1530 18:59:44 (0) ** - MAPPING1.MAP, 3280 bytes, 6/1/2008 6:09:48 PM
.1531 18:59:44 (0) ** - MAPPING2.MAP, 3280 bytes, 6/1/2008 5:49:12 PM
.1532 18:59:44 (0) ** - OBJECTS.DATA, 5414912 bytes, 12/25/2007 10:16:34 AM
.1533 18:59:44 (0) ** - OBJECTS.MAP, 2704 bytes, 6/1/2008 6:09:48 PM
.1534 18:59:44 (0) ** AFTER running WMIDiag:
.1535 18:59:44 (0) ** The WMI repository has a size of: ................................................................................... 6 MB.
.1536 18:59:44 (0) ** - Disk free space on 'C:': .......................................................................................... 12599 MB.
.1537 18:59:44 (0) ** - INDEX.BTR, 1130496 bytes, 12/25/2007 10:16:34 AM
.1538 18:59:44 (0) ** - INDEX.MAP, 576 bytes, 6/1/2008 6:09:48 PM
.1539 18:59:44 (0) ** - MAPPING.VER, 4 bytes, 6/1/2008 6:09:48 PM
.1540 18:59:44 (0) ** - MAPPING1.MAP, 3280 bytes, 6/1/2008 6:09:48 PM
.1541 18:59:44 (0) ** - MAPPING2.MAP, 3280 bytes, 6/1/2008 5:49:12 PM
.1542 18:59:44 (0) ** - OBJECTS.DATA, 5414912 bytes, 12/25/2007 10:16:34 AM
.1543 18:59:44 (0) ** - OBJECTS.MAP, 2704 bytes, 6/1/2008 6:09:48 PM
.1544 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1545 18:59:44 (0) ** INFO: Windows Firewall status: ...................................................................................... ENABLED.
.1546 18:59:44 (0) ** Windows Firewall Profile: ........................................................................................... STANDARD.
.1547 18:59:44 (0) ** Windows Firewall 'RemoteAdmin' status: .............................................................................. DISABLED.
.1548 18:59:44 (0) ** => This will prevent any WMI remote connectivity to this machine.
.1549 18:59:44 (0) ** - You can adjust the configuration by executing the following command:
.1550 18:59:44 (0) ** i.e. 'NETSH.EXE FIREWALL SET SERVICE REMOTEADMIN ENABLE SUBNET'
.1551 18:59:44 (0) **
.1552 18:59:44 (0) ** Windows Firewall application exception for 'UNSECAPP.EXE': .......................................................... MISSING.
.1553 18:59:44 (0) ** => This will prevent any script and MMC application asynchronous callbacks to this machine.
.1554 18:59:44 (0) ** - You can adjust the configuration by executing the following command:
.1555 18:59:44 (0) ** i.e. 'NETSH.EXE FIREWALL SET ALLOWEDPROGRAM C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE WMICALLBACKS ENABLE'
.1556 18:59:44 (0) **
.1557 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1558 18:59:44 (0) ** DCOM Status: ........................................................................................................ OK.
.1559 18:59:44 (0) ** WMI registry setup: ................................................................................................. OK.
.1560 18:59:44 (0) ** INFO: WMI service has dependents: ................................................................................... 2 SERVICE(S)!
.1561 18:59:44 (0) ** - Security Center (WSCSVC, StartMode='Automatic')
.1562 18:59:44 (0) ** - Windows Firewall/Internet Connection Sharing (ICS) (SHAREDACCESS, StartMode='Automatic')
.1563 18:59:44 (0) ** => If the WMI service is stopped, the listed service(s) will have to be stopped as well.
.1564 18:59:44 (0) ** Note: If the service is marked with (*), it means that the service/application uses WMI but
.1565 18:59:44 (0) ** there is no hard dependency on WMI. However, if the WMI service is stopped,
.1566 18:59:44 (0) ** this can prevent the service/application to work as expected.
.1567 18:59:44 (0) **
.1568 18:59:44 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
.1569 18:59:44 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
.1570 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1571 18:59:44 (0) ** WMI service DCOM setup: ............................................................................................. OK.
.1572 18:59:44 (0) ** WMI components DCOM registrations: .................................................................................. OK.
.1573 18:59:44 (0) ** WMI ProgID registrations: ........................................................................................... OK.
.1574 18:59:44 (0) ** WMI provider DCOM registrations: .................................................................................... OK.
.1575 18:59:44 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
.1576 18:59:44 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
.1577 18:59:44 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
.1578 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1579 18:59:44 (0) ** Overall DCOM security status: ....................................................................................... OK.
.1580 18:59:44 (0) ** Overall WMI security status: ........................................................................................ OK.
.1581 18:59:44 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
.1582 18:59:44 (0) ** WMI permanent SUBSCRIPTION(S): ...................................................................................... NONE.
.1583 18:59:44 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
.1584 18:59:44 (1) !! ERROR: WMI ADAP status: ............................................................................................. NOT AVAILABLE.
.1585 18:59:44 (0) ** You can start the WMI AutoDiscovery/AutoPurge (ADAP) process to resynchronize
.1586 18:59:44 (0) ** the performance counters with the WMI performance classes with the following commands:
.1587 18:59:44 (0) ** i.e. 'WINMGMT.EXE /CLEARADAP'
.1588 18:59:44 (0) ** i.e. 'WINMGMT.EXE /RESYNCPERF'
.1589 18:59:44 (0) ** The ADAP process logs informative events in the Windows NT event log.
.1590 18:59:44 (0) ** More information can be found on MSDN at:
.1591 18:59:44 (0) ** http://msdn.microsoft.com/library/default...._log_events.asp
.1592 18:59:44 (1) !! ERROR: WMI MONIKER CONNECTION errors occured for the following namespaces: .......................................... 1 ERROR(S)!
.1593 18:59:44 (0) ** - Root, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1594 18:59:44 (0) **
.1595 18:59:44 (1) !! ERROR: WMI CONNECTION errors occured for the following namespaces: .................................................. 5 ERROR(S)!
.1596 18:59:44 (0) ** - Root, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1597 18:59:44 (0) ** - Root, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1598 18:59:44 (0) ** - Root/Default, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1599 18:59:44 (0) ** - Root/CIMv2, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1600 18:59:44 (0) ** - Root/WMI, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1601 18:59:44 (0) **
.1602 18:59:44 (0) ** WMI GET operations: ................................................................................................. OK.
.1603 18:59:44 (0) ** WMI MOF representations: ............................................................................................ OK.
.1604 18:59:44 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
.1605 18:59:44 (0) ** WMI ENUMERATION operations: ......................................................................................... OK.
.1606 18:59:44 (0) ** WMI EXECQUERY operations: ........................................................................................... OK.
.1607 18:59:44 (0) ** WMI GET VALUE operations: ........................................................................................... OK.
.1608 18:59:44 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
.1609 18:59:44 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
.1610 18:59:44 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
.1611 18:59:44 (0) ** WMI static instances retrieved: ..................................................................................... 0.
.1612 18:59:44 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
.1613 18:59:44 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 0.
.1614 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1615 18:59:44 (0) **
.1616 18:59:44 (0) ** 6 error(s) 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found
.1617 18:59:44 (0) ** => This error is typically a WMI error. This WMI error is due to:
.1618 18:59:44 (0) ** - a missing WMI class definition or object.
.1619 18:59:44 (0) ** (See any GET, ENUMERATION, EXECQUERY and GET VALUE operation failures).
.1620 18:59:44 (0) ** You can correct the missing class definitions by:
.1621 18:59:44 (0) ** - Manually recompiling the MOF file(s) with the 'MOFCOMP <FileName.MOF>' command.
.1622 18:59:44 (0) ** Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
.1623 18:59:44 (0) ** (This list can be built on a similar and working WMI Windows installation)
.1624 18:59:44 (0) ** The following command line must be used:
.1625 18:59:44 (0) ** i.e. 'WMIDiag CorrelateClassAndProvider'
.1626 18:59:44 (0) ** - a WMI repository corruption.
.1627 18:59:44 (0) ** Under Windows XP SP2, you can validate the repository consistency
.1628 18:59:44 (0) ** by executing the following command:
.1629 18:59:44 (0) ** i.e. 'WMIDiag CheckConsistency'
.1630 18:59:44 (0) ** Note: Under Windows XP SP2, when the repository is checked and detected INCONSISTENT,
.1631 18:59:44 (0) ** a new repository is automatically re-created based on Auto-Recovery mechanism.
.1632 18:59:44 (0) ** Note that some information can be lost during this process (i.e. static data, CIM registration).
.1633 18:59:44 (0) ** However, the original repository is located at 'C:\WINDOWS\SYSTEM32\WBEM\Repository.001'.
.1634 18:59:44 (0) ** The computer must be rebooted for the system to work with the re-created repository.
.1635 18:59:44 (0) ** Note: The WMI repository reconstruction requires to locate all MOF files needed to rebuild the repository,
.1636 18:59:44 (0) ** otherwise some applications may fail after the reconstruction.
.1637 18:59:44 (0) ** This can be achieved with the following command:
.1638 18:59:44 (0) ** i.e. 'WMIDiag ShowMOFErrors'
.1639 18:59:44 (0) ** Note: The repository reconstruction must be a LAST RESORT solution and ONLY after executing
.1640 18:59:44 (0) ** ALL fixes previously mentioned.
.1641 18:59:44 (2) !! WARNING: Static information stored by external applications in the repository will be LOST! (i.e. SMS Inventory)
.1642 18:59:44 (0) **
.1643 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1644 18:59:44 (0) ** WMI Registry key setup: ............................................................................................. OK.
.1645 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1646 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1647 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1648 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1649 18:59:44 (0) **
.1650 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1651 18:59:44 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
.1652 18:59:44 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1653 18:59:44 (0) **
.1654 18:59:44 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!. Check 'C:\DOCUMENTS AND SETTINGS\ASHLEE LAPTOP\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.SP2.32_ACER-D8E77F41BE_2008.06.02_18.59.34.LOG' for details.
.1655 18:59:44 (0) **
.1656 18:59:44 (0) ** WMIDiag v2.0 ended on Monday, June 02, 2008 at 18:59 (W:47 E:13 S:1).

I wasn't sure if this was the same log you had me zip and upload so I posted it just in case. The notepad automatically popped open with this in it after the WMIDiag finished.

Thanks, Rick

Attached Files
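
The report quoted above is easier to triage mechanically than by eye. The following parser is an added example, not code from the thread or from WMIDiag: it reads the `.<seq> <time> (<severity>) <**|!!> <message>` line format, pulls out error and warning lines, the HRESULT failures (such as 0x80041002 WBEM_E_NOT_FOUND), the `check: ..... value` pairs, and the closing `(W: E: S:)` counters. The sample lines are constructed in that format.

```python
"""Summarise a WMIDiag v2.0 report: errors, warnings, HRESULTs and check values."""
import re
from collections import Counter

# Constructed sample in the WMIDiag v2.0 line format; a real report is a few
# hundred lines, but every line has the same shape as these.
SAMPLE_LOG = """\
.1523 18:59:44 (0) ** WMI repository state: ........................... NOT TESTED.
.1545 18:59:44 (0) ** INFO: Windows Firewall status: .................. ENABLED.
.1584 18:59:44 (1) !! ERROR: WMI ADAP status: ......................... NOT AVAILABLE.
.1592 18:59:44 (1) !! ERROR: WMI MONIKER CONNECTION errors occured for the following namespaces: ...... 1 ERROR(S)!
.1593 18:59:44 (0) ** - Root, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
.1641 18:59:44 (2) !! WARNING: Static information stored by external applications in the repository will be LOST! (i.e. SMS Inventory)
.1656 18:59:44 (0) ** WMIDiag v2.0 ended on Monday, June 02, 2008 at 18:59 (W:47 E:13 S:1).
"""

# Each report line: .<seq> <hh:mm:ss> (<severity>) <** or !!> <message>
# Severity as WMIDiag prints it: 0 = informational, 1 = error, 2 = warning.
LINE_RE = re.compile(
    r"^\.(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\((?P<sev>\d)\)\s+"
    r"(?P<mark>\*\*|!!)\s?(?P<msg>.*)$"
)
# "<check>: ........ <value>." lines, with an optional ERROR:/WARNING:/INFO: prefix
STATUS_RE = re.compile(
    r"^(?:(?:ERROR|WARNING|INFO):\s*)?(?P<name>.+?):\s*\.{3,}\s*(?P<value>.+?)\.?\s*$"
)
HRESULT_RE = re.compile(r"(0x[0-9A-Fa-f]{8}) - \((\w+)\)")
SUMMARY_RE = re.compile(r"\(W:(\d+) E:(\d+) S:(\d+)\)")
SEVERITY = {"0": "info", "1": "error", "2": "warning"}


def parse_wmidiag(text):
    """Return one dict per report line (blank and non-report lines are skipped)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"seq": int(m["seq"]), "time": m["time"],
                            "severity": SEVERITY.get(m["sev"], "unknown"),
                            "msg": m["msg"].strip()})
    return entries


def summarize(text):
    """Collect what a reader would otherwise have to pick out of the report by eye."""
    report = {"errors": [], "warnings": [], "hresults": Counter(),
              "checks": {}, "summary": None}
    for e in parse_wmidiag(text):
        if e["severity"] == "error":
            report["errors"].append(e["msg"])
        elif e["severity"] == "warning":
            report["warnings"].append(e["msg"])
        for code, name in HRESULT_RE.findall(e["msg"]):
            report["hresults"][f"{code} ({name})"] += 1
        s = STATUS_RE.match(e["msg"])
        if s:
            report["checks"][s["name"]] = s["value"]
        t = SUMMARY_RE.search(e["msg"])
        if t:
            report["summary"] = {"W": int(t[1]), "E": int(t[2]), "S": int(t[3])}
    return report


def needs_attention(report):
    """True when the report carries error lines or any HRESULT failure."""
    return bool(report["errors"] or report["hresults"])


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for check, value in r["checks"].items():
        print(f"{check:60} {value}")
    print("errors:", len(r["errors"]), "warnings:", len(r["warnings"]),
          "hresults:", dict(r["hresults"]), "summary:", r["summary"])
```

Feed it the full .LOG file (`summarize(open(path).read())`) to get the same summary for a real report.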



#13 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 03 June 2008 - 11:54 AM

HI

I had assumed that the Windows Management Instrumentation service was not running ... but according to your logs ... it is.

In fact there are very few problems shown in the log ... probably the cleanest one I've seen.

First, can you check if that service is running?

Go to > start > Run > type services.msc > click OK

Scroll down to Windows Management Instrumentation service & see if it has a status of started & a startup type of automatic

If it hasn't, then check these 2 services as well :-

Event Log

Remote Procedure Call (RPC)


Let me know if they have a status of started & a startup type of automatic.

Also check the system restore service for the same ... let me know?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#14 cenzaman

cenzaman
  • Topic Starter

  • Members
  • 17 posts

Posted 03 June 2008 - 01:54 PM

Hi Steam,

They are all started and on automatic. Not sure if this is relevant, but when you had me check the Remote Procedure Call (RPC) there were two of them, one having 'Locator' listed after it. That one was not started and was set on manual. Again, not sure if it's relevant. Other than that, everything you had me check checks out OK. And what about the WBEM_E_NOT_FOUND?

Thanks, Rick

#15 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 03 June 2008 - 02:53 PM

HI

Remote Procedure Call (RPC) Locator should be there as well, & it should be set as you say :thumbsup:

The WBEM_E_NOT_FOUND is related to remote access; are you on a network? Anyway, it is probably not a problem, & definitely not related to the problems we are looking at.

next

Go to start > run > type CMD > click OK

A command box will open ...

Type > WINMGMT.EXE /CLEARADAP ... exactly as written ( with a space between EXE & /)

press enter....

THEN ...

Type > WINMGMT.EXE /RESYNCPERF ... exactly as written ( with a space between EXE & /)

press enter...

exit the CMD prompt and reboot ...

... run WMIDiag & post the logs again ...

Then try msinfo32 again ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
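
The manual checks from the two posts above (service status and startup type in services.msc, then the two winmgmt commands) can be done in one pass from PowerShell. This is an added example, not part of the thread: it reads startup types from the registry rather than through WMI (so it still works while WMI is broken), probes the namespaces WMIDiag reported WBEM_E_NOT_FOUND for, and only runs `winmgmt.exe /clearadap` and `/resyncperf` when `-Repair` is given. Service names and the `-Repair` switch are my assumptions.

```powershell
<# Added example (not from the thread): WMI health checks mirroring the
   helper's instructions. Run from an elevated prompt on the affected PC. #>
param([switch]$Repair)

# Internal service names behind the display names used in the thread
$services = @{
    'winmgmt'      = 'Windows Management Instrumentation'
    'Eventlog'     = 'Event Log'
    'RpcSs'        = 'Remote Procedure Call (RPC)'
    'RpcLocator'   = 'Remote Procedure Call (RPC) Locator'
    'srservice'    = 'System Restore Service'            # Windows XP only
    'wscsvc'       = 'Security Center'                   # WMI dependent per WMIDiag
    'SharedAccess' = 'Windows Firewall/ICS'              # WMI dependent per WMIDiag
}

"== Service status and startup type =="
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "{0,-42} NOT PRESENT" -f $services[$name]; continue }
    # Start value in the registry: 2 = Automatic, 3 = Manual, 4 = Disabled.
    # Read it here instead of via Win32_Service, which needs a working WMI.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $startVal = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $startType = switch ($startVal) { 2 {'Automatic'} 3 {'Manual'} 4 {'Disabled'} default {'Unknown'} }
    "{0,-42} {1,-8} {2}" -f $services[$name], $svc.Status, $startType
}

"== Namespace connectivity (WMIDiag reported 0x80041002 here) =="
foreach ($ns in 'root', 'root\default', 'root\cimv2', 'root\wmi') {
    try {
        # __NAMESPACE exists in every namespace, so this is a pure connect test
        $null = Get-WmiObject -Namespace $ns -Class __NAMESPACE -ErrorAction Stop
        "{0,-14} connected" -f $ns
    } catch {
        "{0,-14} FAILED: {1}" -f $ns, $_.Exception.Message
    }
}

if ($Repair) {
    # The two commands from the post above; reboot afterwards and re-run WMIDiag.
    $winmgmt = Join-Path $env:windir 'system32\wbem\winmgmt.exe'
    & $winmgmt /clearadap
    & $winmgmt /resyncperf
    "winmgmt /clearadap and /resyncperf issued; reboot, then re-run WMIDiag."
}
```

Run it once before and once after the reboot so the two outputs can be compared alongside the WMIDiag logs.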



