Rootkit.tncore-installer And Maybe Trojans Etc


13 replies to this topic

#1 wxwindmill


Posted 07 June 2008 - 07:07 PM

Referred here by quietman7. For background and things done so far...
http://www.bleepingcomputer.com/forums/t/148633/cannot-navigate-far-in-ie-to-access-bleepcomp-instructions-to-fix-malware-problems/

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 07, 2008 16:46:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 744817
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 61698
Number of viruses found: 11
Number of infected objects: 35
Number of suspicious objects: 1
Duration of the scan process: 01:10:54

Infected Object Name / Virus Name / Last Action
C:\bs.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip/UnInstall.exe Infected: Trojan.Win32.Small.oa skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeWinPop.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\windmill\.housecall6.6\Quarantine\51.tmp.bac_a03848/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\windmill\.housecall6.6\Quarantine\51.tmp.bac_a03848 NSIS: infected - 1 skipped
C:\Documents and Settings\windmill\.housecall6.6\Quarantine\51.tmp.bac_a03848 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\windmill\.housecall6.6\Quarantine\deliver46860[1].htm.bac_a03848 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\windmill\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\windmill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\windmill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\windmill\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\windmill\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat Object is locked skipped
C:\Documents and Settings\windmill\Local Settings\Temp\tmp26.tmp/data0003 Infected: Trojan.Win32.BHO.cmd skipped
C:\Documents and Settings\windmill\Local Settings\Temp\tmp26.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\windmill\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\windmill\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\windmill\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1845\A0075829.exe Infected: Backdoor.Win32.DsBot.ox skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1845\A0077871.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1845\A0077890.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1845\A0078895.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1845\A0079896.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0080892.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0080958.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0080970.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0081058.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0081067.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0081093.exe Infected: Trojan.Win32.Qhost.aod skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083396.old Infected: Trojan.Win32.Agent.gna skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083440.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083440.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083440.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083440.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083440.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083467.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083467.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1846\A0083475.dll Infected: Trojan.Win32.Agent.gnw skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1847\A0083699.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1848\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B4BF6376\update[1].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XSD2ZOO3\update[1].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XSD2ZOO3\update[2].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XSD2ZOO3\update[3].upd Infected: Trojan.Win32.Agent.gnw skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped

Scan process completed.


Deckard's System Scanner v20071014.68
Run by windmill on 2008-06-07 18:14:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
71: 2008-06-07 23:15:21 UTC - RP1849 - Deckard's System Scanner Restore Point
70: 2008-06-07 19:00:29 UTC - RP1848 - Installed Sunbelt Personal Firewall.
69: 2008-06-06 17:15:03 UTC - RP1847 - Installed SUPERAntiSpyware Free Edition
68: 2008-05-22 20:12:37 UTC - RP1846 - System Checkpoint
67: 2008-05-17 16:59:48 UTC - RP1845 - Last known good configuration


-- First Restore Point --
1: 2008-03-10 05:11:51 UTC - RP1779 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-07 18:17:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Norton AntiVirus\Navapw32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\windmill\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache2.midco.net:3128
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {154A6FDE-A344-819A-4B10-898DCB5087C9} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {3A4F5C68-9086-4316-8B7E-D5DB2D37EE34} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {8B7E31FC-144C-45C4-8A04-E460817C3D05} - (no file)
O2 - BHO: (no name) - {96e16c7c-c03c-d98b-3930-0262ffb16894} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {BCAC4FDB-8149-FF98-1190-A18F742273C1} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O2 - BHO: (no name) - {be428e6d-d13a-4d42-867b-4621d96b46ee} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {EBF94F87-811A-A8C2-1590-A18F74227296} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{FE-EB-B1-18-DW}] C:\windows\system32\jjwnw64n.exe DWram
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Otaangx] "C:\Program Files\A?pPatch\t?skmgr.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk.disabled = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: SideCar.lnk.disabled = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: Add Content To 92KQRS Web Reader - res://C:\Program Files\92KQRS Web Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (RhapsodyPlayerEngineCtrl Class) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7624.2647916667
O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak01.pictures.aol.com/ygp/aol/plug...der.1.0.9.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayaWMgg - C:\WINDOWS\system32\yayaWMgg.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe


--
End of file - 10174 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 raspptpp - c:\windows\system32\drivers\raspptpp.sys (file missing)
S3 ATWPKT2 - c:\program files\america online 8.0b\atwpkt2.sys (file missing)
S3 DM9XDiag - c:\program files\cnet\pro200wl\dm9xdiag.sys
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe"

S2 Windows Action Script - "c:\windows\system32\scvhost.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 20:01:16 470 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2002-10-25 12:58:30 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 14:21:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 14:21:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 14:21:40 0 d-------- C:\WINDOWS\LastGood
2008-06-07 14:00:32 0 d-------- C:\Program Files\Sunbelt Software
2008-06-06 14:04:34 1940 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-06 14:03:45 82944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-06 14:03:44 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-06 14:03:44 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-06 14:03:44 86528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-06 14:03:44 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-06 14:03:44 53248 --a------ C:\WINDOWS\system32\Process.exe <http://www.beyondlogic.org; Command Line Process Utility>
2008-06-06 14:03:44 82944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-06 14:03:44 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-06 12:15:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 12:15:05 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 12:15:05 0 d-------- C:\Documents and Settings\windmill\Application Data\SUPERAntiSpyware.com
2008-06-06 12:14:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:50:49 0 d-------- C:\Documents and Settings\windmill\Application Data\Malwarebytes
2008-06-04 00:50:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 00:50:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 14:12:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-23 14:09:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-23 14:09:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-23 14:09:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-23 14:09:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 14:09:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-23 14:09:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-23 14:09:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-23 14:09:15 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-23 14:09:15 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-23 14:09:14 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-23 09:40:04 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-23 00:46:16 892356 --ahs---- C:\WINDOWS\system32\FNXIQXyb.ini2
2008-05-22 13:45:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-22 13:33:26 0 d-------- C:\Program Files\Common Files\??stem32
2008-05-22 13:32:45 894460 --ahs---- C:\WINDOWS\system32\uwyFNXbc.ini2
2008-05-21 08:47:58 0 d-------- C:\Program Files\Enigma Software Group
2008-05-21 08:35:52 0 d-------- C:\WINDOWS\system32\?ymantec
2008-05-21 08:31:05 794046 --ahs---- C:\WINDOWS\system32\GffLmUtv.ini2
2008-05-20 13:22:55 1010899 --ahs---- C:\WINDOWS\system32\Nqrsvyxx.ini2
2008-05-19 18:32:39 17055 --a------ C:\bs.exe
2008-05-19 12:58:30 1004528 --ahs---- C:\WINDOWS\system32\LnoYaccf.ini2
2008-05-19 12:56:29 0 d-------- C:\Program Files\Common Files\?ymantec
2008-05-17 12:32:10 401967 --a------ C:\WINDOWS\system32\g25.exe
2008-05-17 12:29:19 1687 --a------ C:\WINDOWS\system32\clbinit.dll
2008-05-17 11:58:12 10059 --a------ C:\startup.exe
2008-05-17 11:54:02 0 d-------- C:\Program Files\A?pPatch
2008-05-17 11:53:25 0 d-------- C:\WINDOWS\system32\dFrnx06
2008-05-17 11:53:24 0 d-------- C:\Temp
2008-05-17 11:52:45 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-17 11:52:23 0 d-------- C:\WINDOWS\system32\?ppPatch
2008-05-13 13:11:11 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-13 13:11:10 2546 --a------ C:\WINDOWS\unins000.dat


-- Find3M Report ---------------------------------------------------------------

2008-06-06 14:49:44 0 d-------- C:\Documents and Settings\windmill\Application Data\Lavasoft
2008-06-06 13:43:04 0 d-------- C:\Program Files\Common Files\??stem32
2008-06-06 12:14:06 0 d-------- C:\Program Files\Common Files
2008-05-22 13:26:16 0 d-------- C:\Program Files\A?pPatch
2008-05-19 12:56:29 0 d-------- C:\Program Files\Common Files\?ymantec
2008-04-30 15:28:14 0 d-------- C:\Documents and Settings\windmill\Application Data\NCH Swift Sound
2008-04-30 15:28:12 0 d-------- C:\Program Files\NCH Swift Sound


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{154A6FDE-A344-819A-4B10-898DCB5087C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A4F5C68-9086-4316-8B7E-D5DB2D37EE34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B7E31FC-144C-45C4-8A04-E460817C3D05}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96e16c7c-c03c-d98b-3930-0262ffb16894}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCAC4FDB-8149-FF98-1190-A18F742273C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be428e6d-d13a-4d42-867b-4621d96b46ee}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBF94F87-811A-A8C2-1590-A18F74227296}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 15:16]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [02/27/2002 11:27]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.exe" [02/19/2002 03:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/29/2006 15:49]
"{FE-EB-B1-18-DW}"="C:\windows\system32\jjwnw64n.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24]
"Otaangx"="C:\Program Files\A?pPatch\t?skmgr.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

C:\Documents and Settings\windmill\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 10:50:56 AM]
HotSync Manager.lnk.disabled [11/26/2002 10:18:28 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 10:50:56 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/18/2002 2:42:29 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [2/17/1999 10:05:56 AM]
SideCar.lnk.disabled [10/1/2002 5:35:41 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaWMgg]
yayaWMgg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell|Alert"=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

*Newly Created Service* - FWDRV
*Newly Created Service* - KHIPS
*Newly Created Service* - SPF4



-- Hosts -----------------------------------------------------------------------

127.0.0.1 vncsvr.com
127.0.0.1 secdreg.org
127.0.0.1 cdn.atwola.com
127.0.0.1 www.atwola.com
127.0.0.1 www.awaps.net
127.0.0.1 www.fastclick.net
127.0.0.1 www.advancedcleaner.com
127.0.0.1 advancedcleaner.com
127.0.0.1 secure.advancedcleaner.com
127.0.0.1 protect.advancedcleaner.com

278 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-07 18:24:19 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 254.8 MiB / 85.26 MiB
Pagefile Memory (total/avail): 624.58 MiB / 432.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 12.08 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Sunbelt Personal Firewall v4.5.916 T (Sunbelt)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"="C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe"="C:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe:*:Enabled:Civ3Conquests"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\windmill\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D1F0PW11
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\windmill
KRBTKFILE=C:\KERB\TICKET.KRB
LOGONSERVER=\\D1F0PW11
NDIR=C:
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\KERB;C:\Program Files\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\windmill\LOCALS~1\Temp
TMP=C:\DOCUME~1\windmill\LOCALS~1\Temp
TZ=CST6CDT
USERDOMAIN=D1F0PW11
USERNAME=windmill
USERPROFILE=C:\Documents and Settings\windmill
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
windmill (admin)
Jeff (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1st Page 2000 2.00 Free --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Evrsoft\1st Page 2000\Uninst.isu"
92KQRS Web Reader 3.0 --> "C:\Program Files\92KQRS Web Reader\unins000.exe"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Aladdin Expander 5.0 --> "c:\Program files\Aladdin systems\Expander\Expander.exe" /u
Broadband Blaster 8012U --> C:\Program Files\Creative\8xxx\uninstall.exe
Civ3 Conquests v1.22 Full --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C2BF3B9-7E8A-49DE-B662-3656FE60BB01}\Setup.exe"
CivAssist II --> MsiExec.exe /I{959908F9-CADC-4422-B91A-01DA305DBF31}
Civilization III --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}\setup.exe"
Civilization III: Conquests --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F31BC49F-AB7B-4A53-A399-EB7331B585BC}\setup.exe" -l0x9
Classic PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HXFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0
Dell | Support --> MsiExec.exe /X{91E8A85F-2960-40ED-BA84-7F4567BB00C0}
Dell Modem-On-Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Stylus C42 User's Manual --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD13E50A-9887-4AFB-BA12-D93AF9B7C499}\Setup.exe"
GOTM Full Mod --> "C:\Program Files\Infogrames Interactive\Civilization III\unins005.exe"
Gotm21 Civ3v1.29 Total Cummulative Download Pack --> "C:\Program Files\Infogrames Interactive\Civilization III\unins000.exe"
Gotm22 Civ3v1.29 Add-On Support Pack --> "C:\Program Files\Infogrames Interactive\Civilization III\unins001.exe"
Gotm23 Civ3v1.29 Add-On Support Pack --> "C:\Program Files\Infogrames Interactive\Civilization III\unins002.exe"
Gotm24 Civ3v1.29 Add-On Support Pack --> "C:\Program Files\Infogrames Interactive\Civilization III\unins003.exe"
Gotm25 Civ3v1.29 Add-On Support Pack --> "C:\Program Files\Infogrames Interactive\Civilization III\unins004.exe"
Groove Mechanic --> C:\Program Files\Coyote\GrooveMechanic25a\Uninstal.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
Intellisync Lite --> C:\WINDOWS\UNINST.EXE -fC:\PROGRA~1\ISCLIE\DeIsL1.isu -cC:\PROGRA~1\ISCLIE\ILUNINST.DLL
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LP Recorder --> C:\PROGRA~1\LPRECO~1\UNWISE.EXE C:\PROGRA~1\LPRECO~1\INSTALL.LOG
LP Ripper --> C:\PROGRA~1\LPRIPP~1\UNWISE.EXE C:\PROGRA~1\LPRIPP~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
NCH Toolbox --> C:\Program Files\NCH Swift Sound\ToolBox\uninst.exe
Norton AntiVirus 2002 --> MsiExec.exe /I{3075C5C3-0807-4924-AF8F-FF27052C12AE}
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm Desktop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0F44C2-A883-11D1-AD0A-006097D15E2C}\setup.exe" Uninstall
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PRO200WL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Rhapsody Player Engine --> MsiExec.exe /I{21F6B15F-1198-4FA2-8F31-5A24C1FBE144}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
Sunbelt Personal Firewall --> MsiExec.exe /X{BFD080F6-3BF0-40E1-9507-9CA969C35870}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Switch --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6884 / Warning
Event Submitted/Written: 06/06/2008 05:46:20 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type6877 / Error
Event Submitted/Written: 06/06/2008 11:47:26 AM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type6870 / Error
Event Submitted/Written: 06/05/2008 08:44:05 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type6868 / Error
Event Submitted/Written: 06/05/2008 02:35:23 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type6862 / Error
Event Submitted/Written: 06/04/2008 02:20:39 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22973 / Warning
Event Submitted/Written: 06/06/2008 03:31:46 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type22957 / Error
Event Submitted/Written: 06/05/2008 09:18:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type22956 / Error
Event Submitted/Written: 06/05/2008 08:44:05 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type22955 / Error
Event Submitted/Written: 06/05/2008 08:43:49 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type22950 / Error
Event Submitted/Written: 06/05/2008 03:37:35 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-06-07 18:24:19 ------------



#2 bamajim

  • Members
  • 894 posts

Posted 13 June 2008 - 10:36 AM

wxwindmill

Sorry for the delay

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 wxwindmill

  • Topic Starter
  • Members
  • 18 posts

Posted 13 June 2008 - 12:58 PM

No apology necessary. Just happy this site/help is available. Appreciate the efforts of all the hjt team and anyone that gives help on bleep.

Believe it completed ok, but non-updated Norton Antivirus interfered after reboot. I am not sure I authorized all the combofix scripts thru Norton.


ComboFix 08-06-11.7 - windmill 2008-06-13 12:21:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -5:00]
Running from: C:\Documents and Settings\windmill\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\windmill\Application Data\FNTS~1
C:\Documents and Settings\windmill\Application Data\macromedia\Flash Player\#SharedObjects\TEGWH3UV\www.broadcaster.com
C:\Documents and Settings\windmill\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\windmill\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\appatc~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\ymante~1
C:\Program Files\smante~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\temp\tn3
C:\WINDOWS\BMef8cd82b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\barinuhp.ini
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\ejasrgeb.ini
C:\WINDOWS\system32\etaksacv.ini
C:\WINDOWS\SYSTEM32\FNXIQXyb.ini
C:\WINDOWS\SYSTEM32\FNXIQXyb.ini2
C:\WINDOWS\system32\g25.exe
C:\WINDOWS\system32\GffLmUtv.ini
C:\WINDOWS\SYSTEM32\GffLmUtv.ini2
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\jprlcgdq.ini
C:\WINDOWS\SYSTEM32\LnoYaccf.ini
C:\WINDOWS\SYSTEM32\LnoYaccf.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\Nqrsvyxx.ini
C:\WINDOWS\SYSTEM32\Nqrsvyxx.ini2
C:\WINDOWS\SYSTEM32\nxpsyiju.ini
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~1\?ppPatch\
C:\WINDOWS\system32\tvrcuqdm.ini
C:\WINDOWS\system32\uqxavnfs.ini
C:\WINDOWS\system32\uwyFNXbc.ini
C:\WINDOWS\SYSTEM32\uwyFNXbc.ini2
C:\WINDOWS\system32\vhkmryaf.ini
C:\WINDOWS\system32\ymante~1

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-07 18:14 . 2008-06-07 18:14 <DIR> d-------- C:\Deckard
2008-06-07 14:21 . 2008-06-07 14:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-06-07 14:21 . 2008-06-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 14:00 . 2008-06-07 14:00 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-06-06 14:04 . 2008-06-06 14:04 1,940 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-06 14:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-06 14:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-06 14:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-06 14:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-06 14:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-06-06 14:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-06 14:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-06 14:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Documents and Settings\windmill\Application Data\SUPERAntiSpyware.com
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Documents and Settings\windmill\Application Data\Malwarebytes
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 00:50 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 00:50 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-23 14:09 . 2002-09-18 02:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 14:09 . 2008-05-23 14:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 09:40 . 2008-05-23 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-22 13:45 . 2008-06-06 11:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 08:47 . 2008-05-21 08:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-19 18:32 . 2008-05-23 11:16 17,055 --a------ C:\bs.exe
2008-05-17 11:58 . 2008-05-17 12:54 10,059 --a------ C:\startup.exe
2008-05-17 11:54 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-17 11:53 . 2008-05-23 07:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx06
2008-05-17 11:53 . 2008-06-13 12:23 <DIR> d-------- C:\Temp
2008-05-13 13:11 . 2008-05-13 13:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-13 13:11 . 2008-05-13 13:11 2,546 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 19:49 --------- d-----w C:\Documents and Settings\windmill\Application Data\Lavasoft
2008-05-23 08:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-23 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-30 20:28 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-30 20:28 --------- d-----w C:\Documents and Settings\windmill\Application Data\NCH Swift Sound
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2004-12-01 18:56 62,880 ----a-w C:\Documents and Settings\windmill\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 15:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Otaangx"="C:\Program Files\A?pPatch\t?skmgr.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.exe" [2002-02-19 03:03 74240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-29 15:49 98304]
"{FE-EB-B1-18-DW}"="C:\windows\system32\jjwnw64n.exe" [ ]

C:\Documents and Settings\windmill\Start Menu\Programs\Startup\
HotSync Manager.lnk.disabled [2002-11-26 10:18:28 1596]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-09-18 02:42:29 45056]
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [1999-02-17 10:05:56 65588]
SideCar.lnk.disabled [2002-10-01 17:35:41 1357]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaWMgg]
yayaWMgg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell|Alert"=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S1 raspptpp;raspptpp;C:\WINDOWS\system32\drivers\raspptpp.sys []
S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
S3 DM9XDiag;DM9XDiag;C:\Program Files\CNet\PRO200WL\DM9XDiag.sys [2001-07-31 16:15]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-30 01:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 01:01:16 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2002-10-25 17:58:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 12:34:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-13 12:49:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 17:49:17

Pre-Run: 10,889,314,304 bytes free
Post-Run: 10,903,371,776 bytes free

197 --- E O F --- 2008-05-15 22:45:33

#4 bamajim

Posted 16 June 2008 - 07:23 AM

wxwindmill

1. Open Notepad (not WordPad). Copy and paste the following into Notepad (not the word "Code"):
Driver::
raspptpp
Windows Action Script

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Otaangx"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaWMgg]
Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run ComboFix again; do so, following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
2. Rerun HijackThis and post a fresh HijackThis log as well.
Microsoft MVP - Windows Security
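
The entries bamajim's script removes are the ones the ComboFix log above records with no file date at all (the raspptpp driver and the "Windows Action Script" service, whose image scvhost.exe is one letter-swap away from the real svchost.exe), next to the Security Center notifications and the firewall being switched off. As an added example that is not part of this thread, of ComboFix or of any tool mentioned here, the Python script below applies those same checks to ComboFix "Reg Loading Points" lines; the sample lines are a constructed subset copied from the logs posted above, and the list of imitated system binaries is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Windows binaries that malware commonly imitates by name. Constructed list for
# the lookalike check (an assumption of this example, not a ComboFix feature).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "rundll32.exe", "smss.exe"}

# Line shapes as they appear in the "Reg Loading Points" part of a ComboFix log.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
DWORD_RE = re.compile(r'^"(?P<name>\w+)"=dword:(?P<value>[0-9A-Fa-f]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);'
                        r'(?P<image>.+?)\s*\[(?P<info>[^\]]*)\]\s*$')

# Constructed sample: a subset of the lines from the ComboFix logs posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384]
"{FE-EB-B1-18-DW}"="C:\windows\system32\jjwnw64n.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S1 raspptpp;raspptpp;C:\WINDOWS\system32\drivers\raspptpp.sys []
S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
'''


@dataclass
class Finding:
    kind: str    # short category used for filtering/asserting
    line: str    # the log line that triggered the finding
    reason: str  # human-readable explanation


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: a swap of two
    adjacent letters counts as one edit, so scvhost.exe is 1 from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(basename):
    """Return the system binary a file name imitates (one edit away but not
    identical), or None for genuine system names and unrelated names."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if osa_distance(name, real) == 1:
            return real
    return None


def image_basename(image):
    """ComboFix quotes paths containing spaces; strip quotes, keep the file name."""
    path = image.strip().strip('"')
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Apply the helper's checks to ComboFix log text and return the findings."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group("key")   # remember which registry key we are under
            continue
        m = RUN_RE.match(line)
        if m:
            name = image_basename(m.group("target"))
            if not m.group("info").strip():   # "[ ]": ComboFix found no file to stat
                findings.append(Finding("autostart_no_file_info", line,
                                        f"autostart '{m.group('name')}' under {section} has no file size/date"))
            real = lookalike_of(name)
            if real:
                findings.append(Finding("lookalike_name", line, f"{name} resembles {real}"))
            continue
        m = DWORD_RE.match(line)
        if m and m.group("name").endswith("DisableNotify") and int(m.group("value"), 16) == 1:
            findings.append(Finding("security_center_notify_off", line,
                                    f"{m.group('name')}=1 silences Security Center warnings"))
            continue
        m = FIREWALL_RE.match(line)
        if m and int(m.group("value")) == 0:
            findings.append(Finding("firewall_disabled", line, "Windows Firewall standard profile is off"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = image_basename(m.group("image"))
            if not m.group("info").strip():   # "[]": no timestamp for the service image
                findings.append(Finding("service_no_file_info", line,
                                        f"service '{m.group('svc')}' image {name} has no file date"))
            real = lookalike_of(name)
            if real:
                findings.append(Finding("lookalike_name", line, f"{name} resembles {real}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.reason}")
```

Every flagged item still needs a human decision; a missing file date can also mean a driver that is simply not present any more, which is exactly why the script in the post deletes the service entries rather than files.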

#5 wxwindmill (Topic Starter)

Posted 16 June 2008 - 11:03 AM

ComboFix 08-06-11.7 - windmill 2008-06-16 10:22:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -5:00]
Running from: C:\Documents and Settings\windmill\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\windmill\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RASPPTPP
-------\Legacy_WINDOWS_ACTION_SCRIPT
-------\Service_raspptpp
-------\Service_Windows Action Script


((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-07 18:14 . 2008-06-07 18:14 <DIR> d-------- C:\Deckard
2008-06-07 14:21 . 2008-06-07 14:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-06-07 14:21 . 2008-06-07 14:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 14:00 . 2008-06-07 14:00 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-06-06 14:04 . 2008-06-06 14:04 1,940 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-06-06 14:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-06-06 14:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-06-06 14:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-06-06 14:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-06-06 14:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-06-06 14:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-06-06 14:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-06-06 14:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Documents and Settings\windmill\Application Data\SUPERAntiSpyware.com
2008-06-06 12:15 . 2008-06-06 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Documents and Settings\windmill\Application Data\Malwarebytes
2008-06-04 00:50 . 2008-06-04 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 00:50 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-04 00:50 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-23 14:09 . 2002-09-18 02:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 14:09 . 2008-05-23 14:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 09:40 . 2008-05-23 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-22 13:45 . 2008-06-06 11:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 08:47 . 2008-05-21 08:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-19 18:32 . 2008-05-23 11:16 17,055 --a------ C:\bs.exe
2008-05-17 11:58 . 2008-05-17 12:54 10,059 --a------ C:\startup.exe
2008-05-17 11:54 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys
2008-05-17 11:53 . 2008-05-23 07:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx06
2008-05-17 11:53 . 2008-06-13 12:23 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 15:17 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-06 19:49 --------- d-----w C:\Documents and Settings\windmill\Application Data\Lavasoft
2008-05-23 08:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-23 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 18:10 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-30 20:28 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-30 20:28 --------- d-----w C:\Documents and Settings\windmill\Application Data\NCH Swift Sound
2004-12-01 18:56 62,880 ----a-w C:\Documents and Settings\windmill\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-13_12.40.48.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 17:32:52 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-16 15:31:01 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 15:16 49152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2002-02-27 11:27 75384]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.exe" [2002-02-19 03:03 74240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-29 15:49 98304]
"{FE-EB-B1-18-DW}"="C:\windows\system32\jjwnw64n.exe" [ ]

C:\Documents and Settings\windmill\Start Menu\Programs\Startup\
HotSync Manager.lnk.disabled [2002-11-26 10:18:28 1596]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-09-18 02:42:29 45056]
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [1999-02-17 10:05:56 65588]
SideCar.lnk.disabled [2002-10-01 17:35:41 1357]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell|Alert"=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Infogrames Interactive\\Civilization III\\Conquests\\Civ3Conquests.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 DM9XDiag;DM9XDiag;C:\Program Files\CNet\PRO200WL\DM9XDiag.sys [2001-07-31 16:15]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-30 01:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 05:42:27 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2002-10-25 17:58:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 10:32:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-16 10:40:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 15:39:54
ComboFix2.txt 2008-06-13 17:49:44

Pre-Run: 13,594,984,448 bytes free
Post-Run: 13,613,576,192 bytes free

156 --- E O F --- 2008-05-15 22:45:33


Aware that I needed to allow the firewall to let dss get the latest hjt, but I thought I would get a prompt.
It just ran anyway. I do not know that this hjt log includes everything it is supposed to, but here it is...
I do not know how to get the firewall to allow the download of the latest hjt - of course I'd like to do that before running dss.

Deckard's System Scanner v20071014.68
Run by windmill on 2008-06-16 10:48:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-16 10:48:33
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Norton AntiVirus\Navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\windmill\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache2.midco.net:3128
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{FE-EB-B1-18-DW}] C:\windows\system32\jjwnw64n.exe DWram
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk.disabled = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: SideCar.lnk.disabled = ?
O8 - Extra context menu item: Add Content To 92KQRS Web Reader - res://C:\Program Files\92KQRS Web Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (RhapsodyPlayerEngineCtrl Class) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7624.2647916667
O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak01.pictures.aol.com/ygp/aol/plug...der.1.0.9.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 8096 bytes

-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-13 12:19:36 68096 --a------ C:\WINDOWS\zip.exe
2008-06-13 12:19:36 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-13 12:19:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 12:19:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-13 12:19:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 12:19:36 98816 --a------ C:\WINDOWS\sed.exe
2008-06-13 12:19:36 80412 --a------ C:\WINDOWS\grep.exe
2008-06-13 12:19:36 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-07 14:21:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 14:21:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 14:00:32 0 d-------- C:\Program Files\Sunbelt Software
2008-06-06 14:04:34 1940 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-06 14:03:45 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-06 14:03:44 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-06 14:03:44 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-06 14:03:44 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-06 14:03:44 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-06 14:03:44 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-06 14:03:44 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-06 14:03:44 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-06 12:15:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 12:15:05 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 12:15:05 0 d-------- C:\Documents and Settings\windmill\Application Data\SUPERAntiSpyware.com
2008-06-06 12:14:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 00:50:49 0 d-------- C:\Documents and Settings\windmill\Application Data\Malwarebytes
2008-06-04 00:50:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 00:50:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 14:12:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-23 14:09:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-23 14:09:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-23 14:09:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-23 14:09:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 14:09:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-23 14:09:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-23 14:09:15 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-23 14:09:15 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-23 14:09:15 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-23 14:09:15 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-23 14:09:15 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-23 14:09:14 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-23 09:40:04 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-22 13:45:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 08:47:58 0 d-------- C:\Program Files\Enigma Software Group
2008-05-19 18:32:39 17055 --a------ C:\bs.exe
2008-05-17 11:58:12 10059 --a------ C:\startup.exe
2008-05-17 11:53:25 0 d-------- C:\WINDOWS\system32\dFrnx06
2008-05-17 11:53:24 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-06-16 10:17:24 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-13 12:23:10 0 d-------- C:\Program Files\Common Files
2008-06-06 14:49:44 0 d-------- C:\Documents and Settings\windmill\Application Data\Lavasoft
2008-05-13 13:11:12 2546 --a------ C:\WINDOWS\unins000.dat
2008-05-13 13:10:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-30 15:28:14 0 d-------- C:\Documents and Settings\windmill\Application Data\NCH Swift Sound
2008-04-30 15:28:12 0 d-------- C:\Program Files\NCH Swift Sound


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 15:16]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [02/27/2002 11:27]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.exe" [02/19/2002 03:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/29/2006 15:49]
"{FE-EB-B1-18-DW}"="C:\windows\system32\jjwnw64n.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33]

C:\Documents and Settings\windmill\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 10:50:56 AM]
HotSync Manager.lnk.disabled [11/26/2002 10:18:28 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/31/2001 10:50:56 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/18/2002 2:42:29 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office2000\Office\OSA9.EXE [2/17/1999 10:05:56 AM]
SideCar.lnk.disabled [10/1/2002 5:35:41 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell|Alert"=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-16 10:49:42 ------------

#6 bamajim

Posted 16 June 2008 - 11:06 AM

wxwindmill

Good work. How is your PC running now?
Microsoft MVP - Windows Security

#7 wxwindmill (Topic Starter)

Posted 16 June 2008 - 01:05 PM

Thanks bamaJOECOOLjim!!!
PC seems to be running normally. Edit: ComboFix said it would put the clock back the way it was, but it is still in military time?? End edit.

Do I run SUPERAntiSpyware or Malwarebytes Anti-Malware now and then?? Or are they mostly fixers??
Running Ad-Aware and Spybot seems like overkill now (my perspective is, though probably unfair, that they let me down), but I would not be surprised if y'all said there is no such thing as overkill. SUPERAntiSpyware runs on startup and IIRC has blocked some things, so it seems there is a level of protection there, but how far does that go??

I understand wiping my hard drive and reinstalling Windows is safest after the rootkit, but I am under the impression now that there is a fair chance a Windows reinstall is now not a complete necessity?? The HJT thread is here to circumvent the need for a reinstall?? IOW a reinstall would waste all the effort we spent on the procedures and fixes above?? I was pretty close, as far as having everything backed up, to doing a complete reinstall, but there are some reasons I would rather not at this time. Thanks for allowing me to try this logic 'out loud'. I'm looking forward to applying other bleep PC health helps now, such as deciding what runs at startup.

Edited by wxwindmill, 16 June 2008 - 01:08 PM.


#8 bamajim

Posted 16 June 2008 - 01:22 PM

Thanks bamaJOECOOLjim!!!
PC seems to be running normally. Edit: ComboFix said it would put the clock back the way it was, but it is still in military time?? End edit.

Do I run SUPERAntiSpyware or Malwarebytes Anti-Malware now and then?? Or are they mostly fixers??
Running Ad-Aware and Spybot seems like overkill now (my perspective is, though probably unfair, that they let me down), but I would not be surprised if y'all said there is no such thing as overkill. SUPERAntiSpyware runs on startup and IIRC has blocked some things, so it seems there is a level of protection there, but how far does that go??

I understand wiping my hard drive and reinstalling Windows is safest after the rootkit, but I am under the impression now that there is a fair chance a Windows reinstall is now not a complete necessity?? The HJT thread is here to circumvent the need for a reinstall?? IOW a reinstall would waste all the effort we spent on the procedures and fixes above?? I was pretty close, as far as having everything backed up, to doing a complete reinstall, but there are some reasons I would rather not at this time. Thanks for allowing me to try this logic 'out loud'. I'm looking forward to applying other bleep PC health helps now, such as deciding what runs at startup.

You are most welcome.

Yes we have successfully removed the infection, so a re-format and re - install will not be necessary.

SuperAntiSpyware will be fine to keep for periodic scans. MBAM is mainly a fix tool.

Let me see one more fresh Hijackthis log so I can make sure it's clean.
Microsoft MVP - Windows Security

#9 wxwindmill


Posted 16 June 2008 - 01:57 PM

Let me see one more fresh Hijackthis log so I can make sure it's clean.

Sorry for this hiccup.....
This was between the combofix log and the hjt log in post #5 hiding I guess.
"Aware that I needed to allow firewall to let dss get latest hjt, but I thought I would get a prompt.
It just ran anyway. Do not know that this hjt log includes everything it is supposed to, but here it is...
I do not know how to get firewall to allow download of latest hjt - of course I'd like to do that before running dss."

The firewall is Sunbelt Personal Firewall4. I've looked some but it is not obvious to me how to have it allow dss to check for and/or download the latest hjt. I did not get an 'extra' hjt log last time -- this is not uncommon??

#10 bamajim

Posted 16 June 2008 - 02:40 PM

wxwindmill

Actually, it was my bad. I should have looked more carefully.

The log looks good.

Did your Clock reset to normal time?
Microsoft MVP - Windows Security

#11 wxwindmill


Posted 16 June 2008 - 06:49 PM

confusion on both sides
I thought you originally saw and considered the HJT log in post#5, but for some reason I thought that you thought one last one would have a chance to be different.
I'm like 'great - I'd love a double check', but I was thinking there was a chance I did not have access to the latest update of HJT because the firewall interrupted the DSS run.
Please confirm it's likely a new HJT log that came from the latest update would not show anything different than what you have already looked at in post#5.

Clock is still military time, but I figured other people had bigger problems.

#12 bamajim

Posted 17 June 2008 - 11:55 AM

wxwindmill

The Hijackthis log posted as part of the DSS scan is the latest, and it's clean.

To adjust the clock, let's do this

Click Start ->> Control Panel

In the Left pane Select Classic View. Then in the Right Pane Select Regional and Language Settings.

Under the Regional Options tab Select the Customize button.

Another window will open

Select the Time tab

In the time format window Select h:mm:ss tt format

Then Apply and O.k.
Microsoft MVP - Windows Security

#13 wxwindmill


Posted 17 June 2008 - 02:01 PM

Clock now fixed and appreciate the confirmation. Many Many Thanks!! I feel bad for taking time and another post for something as minor as a clock fix, but I'm not sure I could have gotten there on my own; it's buried somewhat.

#14 bamajim

Posted 17 June 2008 - 02:22 PM

wxwindmill

Don't feel bad at all, because we are not done.
Have one empty item to clean up and I wanted to leave you with some final notes.

1. Rerun Hijackthis (scan only) and place checks beside the following entry O4 - HKLM\..\Run: [{FE-EB-B1-18-DW}] C:\windows\system32\jjwnw64n.exe DWram

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> And you are there.
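As an added illustration (not part of the thread or of HijackThis), the leftover O4 item above is a Run-key value whose target file has already been deleted. The PowerShell below, which assumes a Windows version that ships PowerShell, lists Run-key entries and flags any whose executable no longer exists on disk, so an orphan like this one can be confirmed before the value is removed.

```powershell
# Added example, not from the thread: audit Run-key autorun entries and flag
# "orphans" whose executable is gone, which is what a leftover HJT O4 item is.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties PowerShell adds to every registry object; these are not autorun values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunExePath {
    param([string]$Command)
    # Extract the executable from a command line such as
    #   C:\windows\system32\jjwnw64n.exe DWram   or   "C:\Program Files\App\app.exe" /x
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        $exe = Get-AutorunExePath ([string]$prop.Value)
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $status = 'present'
        } else {
            $status = 'ORPHAN: target missing'
        }
        # Hive, value name, resolved executable, and whether the file still exists
        '{0,-5} {1,-30} {2,-45} {3}' -f $key.Substring(0, 4), $prop.Name, $exe, $status
    }
}

# Once a value is confirmed to be an orphan (for example the thread's {FE-EB-B1-18-DW}
# entry), remove only that value, never the whole Run key:
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '{FE-EB-B1-18-DW}'
```

Entries that are present on disk still deserve a look at where the file lives and whether it is signed; a present file with a random name under system32 is worth checking with a scanner before it is trusted.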

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean

There are some final notes:
Disable and Enable System Restore. Let's create a clean System Restore point; the instructions are here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java: Download the latest version of
Java Runtime Environment (JRE) 6.u5.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windowsi586-p.exe to install the newest version.
Update your Anti Virus Software

Use and maintain a Firewall

Visit Microsoft's Windows Update Site Frequently for critical updates

Backup your Important Documents and Files on a regular basis, to a disc or a USB key, not your hard drive.
You may want to read this article: "So how did I get infected in the first place" by Tony Klein

surf safe
Microsoft MVP - Windows Security



