
180 Solutions, Winfixer, axp, Ctfmona/b And A Bug Screen Saver - help!


  • This topic is locked
2 replies to this topic

#1 crash886

  • Members
  • 1 posts
  • OFFLINE
  • Local time: 12:24 AM

Posted 30 May 2008 - 06:08 PM

Hi. I've been having an issue with my computer. The background of my computer has been changed from my photo to a blue background with a yellow image stating "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." At this point I noticed WinIFixer was installed along with an AdvancedXP program. I went into safe mode, installed nod32 and did a complete scan which removed several bad system restore points and a handful of viruses from 180solutions. This however has not solved the problem as I see ctfmona in my msconfig boot thing and ctfmonb keeps replacing my desktop. In addition to this my screen saver has been replaced with one that has bugs crawling across my screen, and after rebooting about 3 times I had to remove nod32 from my system, else it would just freeze at the desktop screen. I really cannot reformat this computer because it just has too much software on it to reinstall and too many files to completely back up. I've hit a brick wall and would appreciate any help that can be given. Thank you!

Deckard's System Scanner v20071014.68
Run by Mary Ann on 2008-05-30 17:39:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-30 21:39:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Mary Ann.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:47 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\a la mode\sched\eSched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Mary Ann\Application Data\U3\039111708020A8CC\LaunchPad.exe
C:\Documents and Settings\Mary Ann\Desktop\dss.exe
C:\DOCUME~1\MARYAN~1\Desktop\Mary Ann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realtor.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [The Assistant] C:\Program Files\a la mode\Sched\eSched.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU)
O15 - Trusted Zone: newmls.gsmls.com
O15 - Trusted Zone: *.lsac.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.priv.njmls.xmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} (Vault Files Downloader) - http://vault.alamode.com/cab/vfd.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/...iveX/ofmctl.cab
O16 - DPF: {C118AE9E-3A30-4B96-9C1C-295AA4A1262A} - http://vault.alamode.com/cab/vaultinstall.cab
O16 - DPF: {D3FA53A4-C575-400F-90E5-9AB568E4BC64} (MBAIFSaver Class) - http://www.mbaiforms.net/formflow/gbbrcomm...baicontrol2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://mail01b.shu.edu/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://eraecampus.webex.com/client/T23L/tr...ing/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FB9616-8E86-4D1D-BC8E-47B7EB5CCEB1}: NameServer = 4.2.2.3
O21 - SSODL: VOQOYl - {44749E48-EEDE-34E2-5716-67106BD051F6} - C:\WINDOWS\system32\uaa.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7589 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\MARYAN~1\Desktop\backups\) ------------

backup-20080521-203841-756 O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe
backup-20080529-202059-202 O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
backup-20080529-202059-597 O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
backup-20080529-202059-953 O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
backup-20080529-203129-302 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...V8A+zDhUohZqsQ=

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 vdo_6753-3e0c - c:\windows\system32\vdo_6753-3e0c.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\packet.sys
S3 sysrest.sys - c:\windows\system32\sysrest.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-21 15:39:33 442 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-30 17:38:48 0 d-------- C:\Documents and Settings\Mary Ann\Application Data\U3
2008-05-29 20:58:56 0 d-------- C:\WINDOWS\BDOSCAN8
2008-05-22 09:32:00 0 d-------- C:\Documents and Settings\Mary Ann\Application Data\AXPFixer
2008-05-21 09:24:57 0 d-------- C:\Documents and Settings\Mary Ann\Application Data\AXPDefender
2008-05-20 10:23:29 0 d-------- C:\Documents and Settings\Mary Ann\Application Data\WinIFixer.com
2008-05-18 14:10:05 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-05-17 13:29:00 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>


-- Find3M Report ---------------------------------------------------------------

2008-05-30 09:08:29 32043 --a------ C:\logfile
2008-05-12 09:38:30 0 d-------- C:\Documents and Settings\Mary Ann\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [10/05/2001 08:34 PM]
"The Assistant"="C:\Program Files\a la mode\Sched\eSched.exe" [04/16/2007 10:18 AM]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [07/25/2001 01:00 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/17/2001 12:41 AM]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/23/2001 05:52 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [07/25/2001 01:00 PM]
"a la mode Scheduler Tool"="C:\Program Files\a la mode\sched\eSched.exe" [04/16/2007 10:18 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/21/2007 11:56:14 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 4:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [8/7/2001 7:06:54 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"VOQOYl"= {44749E48-EEDE-34E2-5716-67106BD051F6} - C:\WINDOWS\system32\uaa.dll [04/16/2007 11:52 AM 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 02/15/2002 01:51 PM 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXPFixer]
C:\Program Files\AXPFixer\AXPFixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
C:\WINDOWS\system32\sysrest32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinIFixer]
C:\Program Files\WinIFixer\WinIFixer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-30 17:46:33 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.40GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 255.01 MiB / 93.2 MiB
Pagefile Memory (total/avail): 617.9 MiB / 372.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.4 MiB

A: is Removable (FAT)
C: is Fixed (NTFS) - 37.24 GiB total, 15.24 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is Removable (FAT)
G: is Removable (No Media)
H: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75CAA0 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - C:

\\.\PHYSICALDRIVE3 - USB Flash Memory USB Device - 949.15 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 949.35 MiB - H:

\\.\PHYSICALDRIVE1 - eUSB Compact Flash USB Device - 243.17 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 243.96 MiB - F:

\\.\PHYSICALDRIVE2 - eUSB SmartMedia USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"="C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Disabled:pcAnywhere Remote Service"
"C:\\WINDOWS\\system32\\VaultFilesDownloader.exe"="C:\\WINDOWS\\system32\\VaultFilesDownloader.exe:*:Enabled:a la mode Vault Tools"
"C:\\Program Files\\Cartoon Network\\To The Eds-treme\\PowerPlay.exe"="C:\\Program Files\\Cartoon Network\\To The Eds-treme\\PowerPlay.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\Cartoon Network\\Downhill Derby\\KNDDownhillDerby.exe"="C:\\Program Files\\Cartoon Network\\Downhill Derby\\KNDDownhillDerby.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\Cartoon Network\\Fast And Flurrious\\powerplay.exe"="C:\\Program Files\\Cartoon Network\\Fast And Flurrious\\powerplay.exe:*:Disabled:Macromedia Projector"
"C:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe"="C:\\Program Files\\Microsoft SQL Server\\MSSQL$ALAMODE\\Binn\\sqlservr.exe:*:Enabled:Aurora MSDE Database"
"C:\\Program Files\\a la mode\\sched\\eSched.exe"="C:\\Program Files\\a la mode\\sched\\eSched.exe:*:Enabled:a la mode Assistant"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mary Ann\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NODE3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mary Ann
LOGONSERVER=\\NODE3
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\;C:\TPOFFICE\TOPPRO;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MARYAN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MARYAN~1\LOCALS~1\Temp
USERDOMAIN=NODE3
USERNAME=Mary Ann
USERPROFILE=C:\Documents and Settings\Mary Ann
windir=C:\WINDOWS
WT=c:\win2000
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Mary Ann (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a la mode Vault --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{821B7E84-67B0-40EE-8929-C44B20BDB43C} anything
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Aim Plugin for QQ Games --> C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE
AIM Toolbar 5.0 --> "C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
AXPFixer --> "C:\Program Files\AXPFixer\uninstall.exe"
Backup Dell-Installed Programs --> MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CentraOne --> C:\PROGRA~1\CENTRA~1\bin\launcher.exe uninstall
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
deskPDF 2.5 Standard Edition --> "C:\Program Files\Docudesk\deskPDF\unins000.exe"
Docudesk GPL Ghostscript 8.15 --> "C:\Program Files\Docudesk\GPL Ghostscript\unins000.exe"
eNeighborhoods (MARY ANN SGOBBA) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99467157-9FA9-4A33-A85D-BC3EF1AE34E5}\setup.exe" -l0x9 -removeonly
ERA Presentation Edge --> C:\TPOFFICE\TOPPRE~1\uninst.exe
ERA Professional Advantage --> C:\TPOFFICE\TOPPRO\Tp6ui.exe
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
HijackThis 2.0.2 --> "C:\Documents and Settings\Mary Ann\Desktop\HijackThis.exe" /uninstall
HP Business Inkjet 3000 Series Uninstaller --> C:\Program Files\Hewlett-Packard\hp business inkjet 3000 series\Uninstall\setup.exe ciuninst.ini
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_3ee6aae5\Setup.exe /APR-REMOVE
KONICA MINOLTA PagePro 1350W --> MUINST_Q.EXE /PRN:"KONICA MINOLTA PagePro 1350W"
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Mercury AppraisalPort Plug-in --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E2B16335-31F9-4B9C-92DF-61E01BC5467E}\Setup.exe" -l0x9
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft SQL Server Desktop Engine (ALAMODE) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Microtek ScanWizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17A7779A-D23F-11D3-8753-0050BABE1202}\setup.exe"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Network Client Installation --> C:\PROGRA~1\ZIPFOR~1.0\UNWISE.EXE C:\PROGRA~1\ZIPFOR~1.0\INSTALL.LOG
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
PDF-XChange 3 --> "C:\Program Files\Tracker Software\PDF-XChange 3\unins000.exe"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Screensavers Installer Version 2 --> "C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe"
Seagate Crystal Info Analyzer --> C:\WINDOWS\uninst.exe -f"C:\Program Files\CVW\DeIsL1.isu"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
skin0001 --> MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starware316 4.4.1.0 --> C:\Program Files\Starware316\Starware316Uninstall.exe
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Symantec pcAnywhere --> MsiExec.exe /I{D05E8183-866A-11D3-97DF-0000F8D8F2E9}
To The Eds-treme --> C:\PROGRA~1\CARTOO~1\TOTHEE~1\UNWISE.EXE C:\PROGRA~1\CARTOO~1\TOTHEE~1\INSTALL.LOG
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type4966 / Warning
Event Submitted/Written: 05/30/2008 09:01:44 AM
Event ID/Source: 19011 / MSSQL$ALAMODE
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type4960 / Warning
Event Submitted/Written: 05/29/2008 10:09:23 PM
Event ID/Source: 19011 / MSSQL$ALAMODE
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type4956 / Warning
Event Submitted/Written: 05/29/2008 10:03:43 PM
Event ID/Source: 19011 / MSSQL$ALAMODE
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type4946 / Warning
Event Submitted/Written: 05/29/2008 09:45:37 PM
Event ID/Source: 19011 / MSSQL$ALAMODE
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type4940 / Warning
Event Submitted/Written: 05/29/2008 09:40:55 PM
Event ID/Source: 19011 / MSSQL$ALAMODE
Event Description:
(SpnRegister) : Error 1355



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2334 / Error
Event Submitted/Written: 05/30/2008 09:01:47 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The vdo_6753-3e0c service failed to start due to the following error:
%%2

Event Record #/Type2313 / Error
Event Submitted/Written: 05/29/2008 10:09:23 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The vdo_6753-3e0c service failed to start due to the following error:
%%2

Event Record #/Type2309 / Error
Event Submitted/Written: 05/29/2008 10:08:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type2308 / Error
Event Submitted/Written: 05/29/2008 10:07:55 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
awlegacy
Fips
IPSec
MRxSmb
NetBIOS
NetBT
nod32drv
OMCI
Processor
RasAcd
Rdbss
Tcpip
WS2IFSL

Event Record #/Type2307 / Error
Event Submitted/Written: 05/29/2008 10:07:55 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-30 17:46:33 ------------
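The HijackThis log above is the kind of output a helper triages by hand: the `O4` autorun named `ctfmona` sits next to the legitimate `ctfmon.exe`, the `O21` SSODL entry loads an unsigned DLL into Explorer at every logon, and the `O3` toolbar points at a file that no longer exists. The following Python is an added example written for this page, not a tool from the thread or from the HijackThis project: it parses the line formats that appear in the log (`R`, `O2`/`O3`/`O21`, `O4`, `O17`, `O23`) into records and applies a few structural triage rules, including a lookalike check that catches `ctfmona.exe` against a small constructed allowlist of system32 binaries. The sample lines are copied in shape from the log above, the allowlist and the regular expressions are this example's own assumptions about the format, and the severities are illustrative.

```python
import re

# Constructed sample: lines copied in shape from the HijackThis log in the
# post above (same section codes and layout), used as offline input.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FB9616-8E86-4D1D-BC8E-47B7EB5CCEB1}: NameServer = 4.2.2.3
O21 - SSODL: VOQOYl - {44749E48-EEDE-34E2-5716-67106BD051F6} - C:\WINDOWS\system32\uaa.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Assumed allowlist of Windows XP binaries that legitimately autostart from
# system32. Constructed for this example; a real triage uses a fuller list.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "wscntfy.exe"}

# Line shapes as they appear in HijackThis 2.x output (approximation, assumed).
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
GENERIC_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_REG_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O4_LNK_RE = re.compile(r"^(?P<loc>.+?): (?P<name>.+?) = (?P<path>.+)$")
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<value>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
FILE_RE = re.compile(r'([^\\"]+\.(?:exe|dll|scr|sys))(?!\w)', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss names such as ctfmona vs ctfmon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_line(line: str):
    """Turn one HijackThis line into a record; returns None for non-entry lines.
    Sections without a dedicated pattern (e.g. O16 DPF) keep only the raw text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    rec = {"section": sec, "raw": line.strip(), "name": "", "clsid": "", "path": "", "value": ""}
    if sec == "O4":
        m2 = O4_REG_RE.match(rest) or O4_LNK_RE.match(rest)
    elif sec == "O17":
        m2 = O17_RE.match(rest)
    elif sec == "O23":
        m2 = O23_RE.match(rest)
    else:
        m2 = GENERIC_RE.match(rest)
    if m2:
        rec.update({k: v for k, v in m2.groupdict().items() if k in rec})
    return rec


def parse_log(text: str):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def exe_name(path: str) -> str:
    """Basename of the first executable/DLL/driver inside a command line, lowercased."""
    m = FILE_RE.search(path)
    return m.group(1).lower() if m else ""


def triage(records):
    """Apply structural rules; returns (severity, raw line, reason) tuples."""
    findings = []
    for r in records:
        raw, sec = r["raw"], r["section"]
        if "(file missing)" in raw:
            findings.append(("low", raw, "orphaned entry: the referenced file is gone, remove the dead reference"))
        if sec == "O21":
            findings.append(("high", raw, "SSODL entry: DLL loaded into explorer.exe at every logon, "
                                          "rarely used by legitimate software; verify the DLL's publisher"))
        if sec == "O17":
            findings.append(("medium", raw, "DNS server override: confirm it is the expected resolver"))
        if sec == "O4" and "\\system32\\" in r["path"].lower():
            name = exe_name(r["path"])
            if name and name not in KNOWN_SYSTEM32_AUTORUNS:
                near = sorted(k for k in KNOWN_SYSTEM32_AUTORUNS if edit_distance(name, k) <= 2)
                if near:
                    findings.append(("high", raw, f"system32 autorun '{name}' is a lookalike of '{near[0]}'"))
                else:
                    findings.append(("medium", raw, f"unknown system32 autorun '{name}': check publisher and file date"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for sev, raw, why in sorted(triage(parse_log(SAMPLE_LOG)), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {why}\n         {raw}")
```

Running it over the sample prints four findings: the `ctfmona.exe` autorun (lookalike of `ctfmon.exe`), the `uaa.dll` SSODL entry, the custom NameServer, and the orphaned Starware316 toolbar; the genuine `ctfmon.exe`, the Kodak startup link and the Viewpoint service pass untouched. The rules deliberately avoid a signature database: a lookalike name in system32, a dead reference, and an SSODL entry are structural signals that hold regardless of which family the malware belongs to.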


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender: Female
  • Location: Belgium
  • Local time: 05:24 AM

Posted 31 May 2008 - 10:06 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first.
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender: Female
  • Location: Belgium
  • Local time: 05:24 AM

Posted 09 June 2008 - 07:19 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



