Possible Coolwebsearch / Trojandownloader.xs Infection


This topic is locked
14 replies to this topic

#1 Timtech

  • Members
  • 9 posts

Posted 12 June 2008 - 05:22 PM

Trend Micro warned me of an attack and blocked many of the attempted changes while they were occurring. However, I don’t know how far the virus/malware sank its roots. I was only online for a few hours after the initial infection while I immediately performed the following:
1. Disabled MsSecurity service.
2. Disabled any new items in the startup tab of MSconfig.
3. Disabled any unrecognized IE addins.
4. Booted from clean Windows XP on second hard drive.
5. Searched infected drive for all files created at time of infection.
6. Removed hljwugsf.bin, fccyxXRj.dll, iftuyszv.exe, and {8868752b-a702-39dd-5aa2-95e0d9463459}.dll from the System32 folder of the infected hard drive.
7. Booted from original infected hard drive and rescanned with Trend Micro. Shut down computer.
8. The next morning my DSL modem power supply died so internet exposure stopped.
9. Edited my registry to re-enable task manager.
10. Reverted to a clean system state dated 04/03/08 using Microsoft backup utility (*.bkf).
11. Re-scanned all files with Trend Micro and it cleaned TROJ_WINSHOW.XM. Final result = zero infections.
12. Repaired DSL power supply and back online. Trend Micro finally found TROJ_RENOS.XM in the iftuyszv.exe file I had moved from system32 to a non operating system partition.
13. Turned off System Restore and emptied Norton recycle & protected files.
14. Ran Norton Windoctor and JV16 regcleaner.
15. Deleted 44 files with 6/4/08 7:01pm from the Windows directory.
16. Came to this website.

Did I nip this attack in the bud or do I need to change all my banking passwords, format, and reinstall Windows? I’m sure that is the safest way to go, but setting all my programs up again after a reformat will be a week’s worth of work. I’m hoping I disabled this attack and limited my internet exposure enough to clean up the majority of this attack. BTW, I have a firewall in my DSL modem and wireless router.

Thanks in advance for your help.

Here are my DSS.exe and HijackThis results:


Deckard's System Scanner v20071014.68
Run by Tim on 2008-06-12 17:56:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-12 21:56:40 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Tim.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:26 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\FolderSize\FolderSizeSvc.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\NORTON~1\NORTON~1\NPROTECT.EXE
D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Trend Micro\Internet Security\SfCtlCom.exe
E:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\WINDOWS\System32\svchost.exe
E:\UPHClean\uphclean.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
E:\Trend Micro\BM\TMBMSRV.exe
E:\Trend Micro\Internet Security\UfSeAgnt.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
E:\Roxio\Media Experience\DMXLauncher.exe
D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Logitech\QuickCam10\Quickcam.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\ActiveSync\wcescomm.exe
E:\ACTIVE~1\rapimgr.exe
E:\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
E:\Trend Micro\TrendSecure\TSCFCommander.exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Documents and Settings\Tim\Desktop\dss.exe
E:\TRENDM~1\Tim.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\obroker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - D:\Program Files\ShopSafe\BhoSSafe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - D:\WINDOWS\system32\BhoDshop.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "E:\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "E:\Logitech\QuickCam10\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "E:\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Winamp Toolbar Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - E:\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - E:\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - E:\Discover\SOAN\SOAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094267765030
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0BEDAF4-1BA6-444D-BCE5-97C15D54BC92}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Folder Size (FolderSize) - Brio - E:\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - E:\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - D:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - D:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - E:\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SPBBCSvc - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - D:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - E:\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 13620 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 mbmiodrvr - d:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows ® 2000 DDK driver>
R0 si3112r (Silicon Image SiI 3112 SATARaid Controller) - d:\windows\system32\drivers\si3112r.sys <Not Verified; Silicon Image, Inc; SATARaid>
R1 aslm75 - d:\windows\system32\drivers\aslm75.sys
R1 prcmondrv - d:\windows\system32\drivers\prcmondrv1041.sys <Not Verified; Igor Nys; PrcView>
R2 BCMNTIO - e:\norton systemworks\checkit\diagnostics\bcmntio.sys
R2 ElbyCDIO (ElbyCDIO Driver) - d:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 Airgo (Belkin Wireless Pre-N Notebook Network Driver) - d:\windows\system32\drivers\wnihdd51.sys <Not Verified; Belkin Corporation, Inc.; Belkin Wireless Pre-N Notebook Network Card>
R3 ElbyCDFL - d:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
R3 Pcouffin (VSO Software pcouffin) - d:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S2 ASInsHelp - d:\windows\system32\drivers\asinshelp32.sys (file missing)
S2 MAPMEM - e:\norton~1\checkit\diagno~1\mapmem.sys (file missing)
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - d:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - d:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - d:\windows\system32\drivers\awrtrd.sys (file missing)
S3 chanalog (CH Analog Devices) - d:\windows\system32\drivers\chanalog.sys <Not Verified; CH Products; CH Products Gameport Devices>
S3 IPFilter (Microsoft IntelliPoint Features driver) - d:\windows\system32\drivers\ipfilter.sys (file missing)
S3 lgatbus (LG USB Composite Device driver (WDM)) - d:\windows\system32\drivers\lgatbus.sys (file missing)
S3 lgatmdm (LG CDMA USB Modem Drivers) - d:\windows\system32\drivers\lgatmdm.sys (file missing)
S3 lgatserd (LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM)) - d:\windows\system32\drivers\lgatserd.sys <Not Verified; MCCI; LG CDMA USB Modem Diagnostic Serial Port>
S3 SDdriver - d:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 usbbus (LGE CDMA Composite USB Device) - d:\windows\system32\drivers\lgusbbus.sys (file missing)
S3 UsbDiag (LGE CDMA USB Diagnostic Serial Port Drivers (WDM)2) - d:\windows\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
S3 USBModem (LGE CDMA USB Modem) - d:\windows\system32\drivers\lgusbmodem.sys <Not Verified; LG Soft India; LG CDMA USB Modem Driver>
S3 WNIPROT5 (WNIPROT5 Protocol Driver) - d:\windows\system32\wniprot5.sys (file missing)
S3 XIRLINK (IBM PC Camera) - d:\windows\system32\drivers\c-itnt.sys <Not Verified; Xirlink, Inc; Xirlink Digital Video PC Camera>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - d:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 FolderSize (Folder Size) - e:\foldersize\foldersizesvc.exe <Not Verified; Brio; Folder Size for Windows>
R2 Speed Disk service - e:\norton~1\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>
R2 UPHClean (User Profile Hive Cleanup) - e:\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>

S2 RoxLiveShare10 (LiveShare P2P Server 10) - "d:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" (file missing)
S3 stllssvr - "d:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>
S4 MsSecurity1.209.4 (MsSecurity Updated) - d:\windows\444.471 service (file missing)
S4 SessionLauncher - d:\docume~1\tim\locals~1\temp\dx9\sessionlauncher.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: EPSON PCMCIA Storage Device
Device ID: USB\VID_04B8&PID_0602\HAO1026C71O0
Manufacturer: EPSON
Name: EPSON PCMCIA Storage Device
PNP Device ID: USB\VID_04B8&PID_0602\HAO1026C71O0
Service: EPUSBSTOR

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: ASInsHelp
Device ID: ROOT\LEGACY_ASINSHELP\0000
Manufacturer:
Name: ASInsHelp
PNP Device ID: ROOT\LEGACY_ASINSHELP\0000
Service: ASInsHelp


-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2008-06-12 17:41:47 0 dr-h----- D:\Documents and Settings\Tim\Recent
2008-06-09 17:04:30 0 d-------- D:\Documents and Settings\Test\Application Data\Roxio
2008-06-09 17:04:28 0 d-------- D:\Documents and Settings\Test\Application Data\Adobe
2008-06-09 17:03:59 0 d-------- D:\Documents and Settings\Test\Application Data\Identities
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\Templates
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\Start Menu
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\SendTo
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\Recent
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\PrintHood
2008-06-09 17:03:47 786432 --ah----- D:\Documents and Settings\Test\NTUSER.DAT
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\NetHood
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\My Documents
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\Local Settings
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\Favorites
2008-06-09 17:03:47 0 d-------- D:\Documents and Settings\Test\Desktop
2008-06-09 17:03:47 0 d---s---- D:\Documents and Settings\Test\Cookies
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\Application Data
2008-06-09 17:03:47 0 d---s---- D:\Documents and Settings\Test\Application Data\Microsoft
2008-06-05 19:13:50 2855 --a------ D:\WINDOWS\systeem.PIF
2008-06-05 00:25:30 338094 --a------ D:\WINDOWS\ms033368.exe
2008-06-04 19:01:21 20736 --a------ D:\WINDOWS\systeem.exe
2008-06-04 18:45:08 338094 --a------ D:\WINDOWS\ms028336.exe
2008-06-04 18:43:30 0 d-------- D:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-17 18:06:07 3972 -----n--- D:\WINDOWS\system32\drivers\PciBus.sys
2008-05-17 18:06:06 0 d-------- D:\WINDOWS\system32\Futuremark
2008-05-14 14:13:54 77824 --a------ D:\WINDOWS\h8907435.exe <Not Verified; ; h8907435>
2008-05-13 15:06:32 1269760 --a------ D:\WINDOWS\TinyBHO.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-04 18:38:45 0 d-------- D:\Documents and Settings\Tim\Application Data\NewsBin
2008-05-30 17:07:40 0 d-------- D:\Program Files\Symantec
2008-05-24 12:11:45 0 d-------- D:\Documents and Settings\Tim\Application Data\Skype
2008-05-17 18:33:34 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-05-11 12:14:44 0 d-------- D:\Documents and Settings\Tim\Application Data\Roxio
2008-05-06 22:36:06 0 d-------- D:\Program Files\Resco
2008-05-06 22:25:58 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-03-18 18:30:30 23 --ahs---- D:\WINDOWS\system32\feb9_z.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 04:06 PM 1135968 --a------ D:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= D:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 04:06 PM 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM D:\WINDOWS\soundman.exe]
"PHIME2002ASync"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/28/2002 10:39 PM]
"PHIME2002A"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/28/2002 10:39 PM]
"MSPY2002"="D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/28/2002 10:39 PM]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [09/11/2006 04:40 AM]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 10:32 PM]
"Acrobat Assistant 7.0"="E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 09:52 PM]
"RoxWatchTray"="D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/10/2006 12:10 PM]
"DMXLauncher"="E:\Roxio\Media Experience\DMXLauncher.exe" [08/14/2006 01:07 AM]
"RoxioDragToDisc"="D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [07/31/2006 09:00 AM]
"LogitechCommunicationsManager"="D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="E:\Logitech\QuickCam10\Quickcam.exe" [10/25/2007 04:37 PM]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"UfSeAgnt.exe"="E:\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="E:\ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [8/14/2005 10:24:00 AM]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [4/17/2006 9:25:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=01000000
"NoActiveDesktop"=0 (0x0)
"NoRecentDocsNetHood"=01000000
"NoViewOnDrive"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"D:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"E:\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Online Account Numbers]
E:\Discover\SOAN\SOAN.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShopSafe]
D:\PROGRA~1\ShopSafe\ShopSafe.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
E:\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e86841-c229-11dc-b3eb-0011502e5b57}]
AutoRun\command- N:\wd_windows_tools\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-12 17:59:34 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 2047.48 MiB / 1424.55 MiB
Pagefile Memory (total/avail): 2662.16 MiB / 2226.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.61 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 3.8 GiB total, 2.33 GiB free.
D: is Fixed (NTFS) - 9.32 GiB total, 1.43 GiB free.
E: is Fixed (NTFS) - 18.63 GiB total, 4.27 GiB free.
F: is Fixed (NTFS) - 18.63 GiB total, 9.87 GiB free.
G: is Fixed (NTFS) - 18.63 GiB total, 3.44 GiB free.
H: is Fixed (NTFS) - 18.63 GiB total, 6.08 GiB free.
I: is Fixed (NTFS) - 26.85 GiB total, 18.73 GiB free.
J: is CDROM (UDF2.00)
K: is CDROM (No Media)
L: is Fixed (FAT32) - 13.71 GiB total, 5.04 GiB free.
M: is Fixed (FAT32) - 14.21 GiB total, 2.84 GiB free.
N: is Removable (FAT32)
Z: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y120M0 - 114.49 GiB - 7 partitions
\PARTITION0 (bootable) - Unknown - 3.81 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 110.68 GiB - D: - E: - F: - G: - H: - I:

\\.\PHYSICALDRIVE1 - QUANTUM FIREBALLP LM30 - 27.95 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 13.73 GiB - L:
\PARTITION1 - Extended w/Extended Int 13 - 14.23 GiB - M:

\\.\PHYSICALDRIVE2 - USB Flash Memory USB Device - 3.73 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.73 GiB - N:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: Trend Micro Internet Security Pro v16.10.1079 ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\AIM\\aim.exe"="E:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\\ActiveSync\\rapimgr.exe"="E:\\ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"E:\\ActiveSync\\wcescomm.exe"="E:\\ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"E:\\ActiveSync\\WCESMgr.exe"="E:\\ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\ASUS\\AsusUpdate\\Update.exe"="E:\\ASUS\\AsusUpdate\\Update.exe:*:Enabled:ASUS Update"
"D:\\Program Files\\NetMeeting\\conf.exe"="D:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"H:\\Flight Simulator 9\\fs9.exe"="H:\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"D:\\WINDOWS\\system32\\dpnsvr.exe"="D:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"D:\\Program Files\\BitTorrent\\bittorrent.exe"="D:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\AIM\\aim.exe"="E:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\\Program Files\\Messenger\\msmsgs.exe"="D:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\RpcSandraSrv.exe"="E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\Win32\\RpcDataSrv.exe"="E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"E:\\Skype\\Phone\\Skype.exe"="E:\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\RECYCLER\\NPROTECT\\00000032.exe"="E:\\RECYCLER\\NPROTECT\\00000032.exe:*:Enabled:00000032"
"D:\\Program Files\\BitTorrent_DNA\\dna.exe"="D:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"D:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"="D:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
"D:\\Program Files\\SightSpeed\\SightSpeed.exe"="D:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"E:\\ActiveSync\\rapimgr.exe"="E:\\ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"E:\\ActiveSync\\wcescomm.exe"="E:\\ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"E:\\ActiveSync\\WCESMgr.exe"="E:\\ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="D:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"E:\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="E:\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"E:\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="E:\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"E:\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="E:\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"E:\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="E:\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\Tim\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=-
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Tim
LOGONSERVER=\\-
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\Common Files\Roxio Shared\DLLShared;E:\ATI Technologies\ATI Control Panel;D:\Program Files\Common Files\Roxio Shared\DLLShared\;D:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=D:\Program Files
PROMPT=$P$G
RoxioCentral=D:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Tim\LOCALS~1\Temp
TMP=D:\DOCUME~1\Tim\LOCALS~1\Temp
USERDOMAIN=-
USERNAME=Tim
USERPROFILE=D:\Documents and Settings\Tim
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Tim (admin)
(new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\IBM PC Camera\Uninst.isu"
--> D:\WINDOWS\IsUninst.exe -f"E:\WS_FTP Pro\uninst.isu"
--> D:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> E:\DivX\ConverterUninstall.exe /CONVERTER
--> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
--> MsiExec.exe /I{0D330013-4A99-46D6-83C6-2C959C68DBFF}
--> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
--> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
--> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
--> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
--> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
--> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
--> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
--> MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
--> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
--> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
3Deep --> D:\WINDOWS\IsUninst.exe -fe:\E-Color\3Deep\TDPunins.isu -c"e:\E-Color\3Deep\tdpunins.dll" ProdName3Deep
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0.1 --> D:\WINDOWS\ISUNINST.EXE -f"E:\Adobe\Photoshop 7.0\Uninst.isu" -c"E:\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader Japanese Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5A76-5A64-7E8A45000001}
Adobe Shockwave Player --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6.0 --> D:\Program Files\AIM6\uninst.exe
AnswerWorks 4.0 Runtime - English --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
ARC250 PRO --> MsiExec.exe /I{461401CC-BFD3-4A0E-B99E-23EAC6991819}
ATI Control Panel --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AttachmentOptions --> MsiExec.exe /I{F1A6CFD1-D792-48B8-8AFC-8BE9215608A9}
Avi2Dvd 0.4.4 beta --> E:\DivX\Avi2Dvd\uninst.exe
AviSynth 2.5 --> "E:\Divx\Avi2Dvd\AviSynth 2.5\Uninstall.exe"
AvPropPlugin 1.0.0.1 --> E:\AIM\AVPROP~1\UNWISE.EXE E:\AIM\AVPROP~1\INSTALL.LOG
Axim WLAN Update --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{68F759B6-3E11-46D0-8B4E-FF89C33AA2F6}\Setup.exe" -l0x9
BC296D BC796D SS --> MsiExec.exe /I{9E826E5F-12B6-4F9F-A3AB-751CA43011CA}
BitPim 1.0.1 --> "E:\BitPim\unins000.exe"
BitTorrent 5.0.9 --> "D:\Program Files\BitTorrent\uninstall.exe"
BitTorrent DNA --> "D:\Program Files\BitTorrent_DNA\dna.exe" /UNINSTALL
Burlington's CD Design Creator --> E:\CDDESI~1\UNWISE.EXE E:\CDDESI~1\INSTALL.LOG
Calculator Powertoy for Windows XP --> MsiExec.exe /I{B37C842A-B624-46B8-A727-654E72F1C91A}
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
CH Gameport Devices --> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\CH Products\Gameport Devices\Uninst.isu" -c"D:\Program Files\CH Products\Gameport Devices\CHANALOG.DLL"
Channel Master --> "E:\Dreambox programs\ChannelMaster\uninstall.exe"
CheckIt Diagnostics --> E:\NORTON~1\CheckIt\DIAGNO~1\UNWISE.EXE E:\NORTON~1\CheckIt\DIAGNO~1\INSTALL.LOG
CloneCD --> "E:\CloneCD\ccd-uninst.exe" /D="E:\CloneCD"
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
ConvertXtoDVD 2.1.5.173 --> "E:\vso\ConvertXtoDVD\unins000.exe"
dBpowerAMP FLAC Codec --> "D:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>D:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
dBpowerAMP Music Converter --> "D:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>D:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
DirectXInstallService --> MsiExec.exe /X{098122AB-C605-4853-B441-C0A4EB359B75}
DivX --> D:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> E:\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> E:\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> E:\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> E:\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Doom 3 --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
DVD Shrink 3.2 --> "E:\DVD Shrink\unins000.exe"
DVD X Copy Platinum 4.0.3 --> "E:\321Studios\Platinum\uninstall.exe"
DVDXCopy Platinum 4.0.3 --> "E:\321Studios\uninstall.exe"
EA Network Play System --> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\Electronic Arts\Network Play System\uninst.isu"
EPSON Printer Software --> D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
Folder Size for Windows --> MsiExec.exe /I{FC8D21C8-7B29-4104-ADB0-FEE9CA1C7922}
FranklinCovey PlanPlus for Microsoft Outlook --> MsiExec.exe /I{DE43214F-2793-4611-A9B2-912C17D10D45}
FranklinCovey PlanPlus for the Pocket PC --> MsiExec.exe /I{B9EB775F-D8CA-4001-A34A-A150E5011578}
Google Earth Pro --> MsiExec.exe /X{9578C0CD-8108-4379-9026-4601F59859A0}
HijackThis 2.0.2 --> "N:\HijackThis.exe" /uninstall
ImageRescue3 --> MsiExec.exe /I{6EA6D4E3-134D-4A11-AF2A-7986F61BB2F6}
Ipswitch WS_FTP Pro --> D:\WINDOWS\ISUNINST.EXE -f"E:\WS_FTP~1\uninst.isu" -c"E:\WS_FTP~1\FTPInstUtils.dll"
irock! Download Manager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{AE7ECCD9-7A88-467D-A3C5-8CF74261DB9E}\Setup.exe" -l0x9
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
jv16 PowerTools 2008 --> "E:\jv16 PowerTools 2008\unins000.exe"
Lexmark Printer Software Uninstall --> D:\Program Files\Lexmark\Install\Uninstall.exe
LG USB Modem driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\Setup.exe" -l0x9
LGUsbDriver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{EB866374-B705-4749-83D9-997AC77146B3}\setup.exe"
LingvoSoft Dictionary 2006 (English<->Japanese Romaji) for Windows --> E:\LINGVO~1\LINGVO~1\UNWISE.EXE E:\LINGVO~1\LINGVO~1\INSTALL.LOG
LiveUpdate 3.0 (Symantec Corporation) --> "D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Logitech Legacy USB Camera Driver Package --> "D:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\11.10.2016\LgDrvInst.exe" -remove -instdir"D:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"legacyqcam_11.10" /clone_wait /hide_progress
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Logitech QuickCam Driver Package --> "D:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"D:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
MapSource --> D:\WINDOWS\IsUninst.exe -fE:\Garmin\Uninst.isu
MapSource --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}\Setup.exe" -l0x9 AddRemove
MapSource - US Rec Lakes with Fishing Hot Spots® East v5 --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{84A757A7-B412-44A0-ADE6-9C0F9E96D84D} /l1033
MapSource - US Topo v3.02 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{AD4203ED-7683-435E-B436-C299773A9936}\setup.exe" -l0x9 AddRemove
Media Library Management Wizard --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Bookshelf 1998 (Remove ONLY) --> D:\WINDOWS\stpsup.exe ,E:\BOOKSH~1\unwise.exe /S E:\BOOKSH~1\install.log
Microsoft Data Access Components KB870669 --> D:\WINDOWS\muninst.exe D:\WINDOWS\INF\KB870669.inf
Microsoft Money 2007 Home & Business --> "E:\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Web Access S/MIME --> MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Motherboard Monitor 5 --> "E:\Motherboard Monitor 5\unins000.exe"
Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
Mozilla Firefox (2.0.0.12) --> E:\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
Need For Speed High Stakes --> D:\WINDOWS\ISUNINST.EXE -f"h:\need for speed\Uninst.isu" -c"h:\need for speed\uninst.dll" E
NetFront v3.2 for Pocket PC (PPC3ARENR101JV) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B3C51453-3770-4D97-8A2B-1804E4680587}\Setup.exe" -l0x9
NewsBin Pro --> E:\NewsBin\uninst.exe
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks 2006 Premier --> MsiExec.exe /I{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}
Norton SystemWorks 2006 Premier (Symantec Corporation) --> "D:\Program Files\Common Files\Symantec Shared\SymSetup\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}.exe" /X
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
NSW_DRM_COLLECTION --> MsiExec.exe /I{900B1884-2D6F-4a70-A3C7-C3F4DA873FDB}
Passware Kit Enterprise 7.7 --> E:\Passware\un-kit_ent.exe
PerformanceTest v6.0 --> "E:\Norton SystemWorks\PerformanceTest\unins000.exe"
PhoneTools --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" ControlPanel
Plus! MP3 Audio Converter LE --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\audcle.inf,DefaultUninstall
Pocket dbExplorer --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{AF3B21E2-FDAC-11D1-B881-00A0C95A2DAF}\Setup.exe" -l0x9 uninstall
Punch! Home Design - AS4000 --> E:\PUNCH!~1\UNWISE.EXE E:\PUNCH!~1\INSTALL.LOG
QuickPar 0.9 --> E:\QuickPar\uninst.exe
Realtek AC'97 Audio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
REALTEK GbE & FE Ethernet PCI NIC Driver --> D:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe -runfromtemp -l0x0009 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Roxio Activation Module --> MsiExec.exe /I{EC877639-07AB-495C-BFD1-D63AF9140810}
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Easy Media Creator 9 Suite --> MsiExec.exe /I{938B1CD7-7C60-491E-AA90-1F1888168240}
Roxio EasyWrite Reader --> D:\WINDOWS\system32\MRFUNIN.EXE
RTC Client API v1.2 --> MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Secure Online Account Numbers --> "D:\Program Files\InstallShield Installation Information\{65980EBF-C4B5-4555-823A-94DB7F709E53}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
ShopSafe --> "D:\Program Files\InstallShield Installation Information\{FFFD3E91-8881-4903-9413-7C4849907118}\setup.exe" -runfromtemp -l0x0009 -removeonly
SightSpeed (remove only) --> "D:\Program Files\SightSpeed\uninst.exe"
SiSoftware Sandra Professional Business XIb (Win64/32/CE) --> "E:\SiSoftware\SiSoftware Sandra Professional Business XIb\unins000.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartSound Quicktracks Plugin --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sony USB Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SPD for irock! 500 Series --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{C37F5D13-B7C7-4F19-92E7-053A4CE670AB}\Setup.exe" -l0x9
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
TDK Launcher --> D:\WINDOWS\unLauncher.EXE
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Trend Micro Internet Security Pro --> E:\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security Pro --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E}
TurboTax Deluxe Deduction Maximizer 2006 --> E:\TurboTax\Deluxe 2006\TaxUnst.EXE "E:\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
TurboTax Premier 2007 --> E:\TurboTax\Premier 2007\TaxUnst.EXE "E:\TurboTax\Premier 2007\Uninstall.log" -NoGui
Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
Unreal Tournament 2004 --> h:\UT2004\System\Setup.exe uninstall "UT2004"
User Profile Hive Cleanup Service --> MsiExec.exe /I{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}
Viewpoint Manager (Remove Only) --> D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> D:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WinAce Archiver --> E:\WinAce\SXUNINST.EXE E:\WinAce\SXUNINST.INI
Winamp --> "E:\Winamp\UninstWA.exe"
Winamp Remote --> "D:\Program Files\Winamp Remote\uninstall.exe"
Winamp Toolbar --> "D:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Vista Upgrade Advisor --> MsiExec.exe /I{7A2B077D-D7AC-4215-B0FB-5EA581E549E6}
WinRAR archiver --> E:\WinRAR\uninstall.exe
WinZip --> "E:\WinZip\WINZIP32.EXE" /uninstall
Xingtone Ringtone Maker --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{625304B0-2976-473B-AD81-5CA376093F03}\setup.exe" -l0x9 -removeonly
YouSendIt Plug-in for Outlook --> D:\Program Files\InstallShield Installation Information\{EA05CC60-8148-4B0D-A763-C0483A8FFFC8}\setup.exe -runfromtemp -l0x0409


-- Application Event Log -------------------------------------------------------

Event Record #/Type9377 / Warning
Event Submitted/Written: 06/12/2008 05:44:10 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'

Event Record #/Type9376 / Warning
Event Submitted/Written: 06/12/2008 05:44:10 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type9375 / Warning
Event Submitted/Written: 06/12/2008 05:44:10 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'

Event Record #/Type9374 / Warning
Event Submitted/Written: 06/12/2008 05:44:10 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type9373 / Warning
Event Submitted/Written: 06/12/2008 05:44:07 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8665 / Error
Event Submitted/Written: 06/12/2008 05:44:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2

Event Record #/Type8637 / Error
Event Submitted/Written: 06/12/2008 04:51:26 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2

Event Record #/Type8609 / Error
Event Submitted/Written: 06/12/2008 04:41:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2

Event Record #/Type8582 / Error
Event Submitted/Written: 06/11/2008 11:18:57 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2

Event Record #/Type8573 / Error
Event Submitted/Written: 06/11/2008 10:42:40 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library USB Flash Memory USB Device.



-- End of Deckard's System Scanner: finished at 2008-06-12 17:59:34 ------------


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 16 June 2008 - 09:23 PM

Hello, my name is fenzodahl512 and welcome to Bleeping Computer. Please do the following...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please visit the webpage below for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.





Please post the following logs in your next reply. Please post each log in a separate post:

1. SDFix
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Timtech

Timtech
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 17 June 2008 - 07:32 PM

SDFix: Version 1.194
Run by Tim on Tue 06/17/2008 at 05:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:13:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}]
"SymbolicLink"="\\?\USB#Vid_046d&Pid_08ca&MI_00#6&1a6e8e02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\{bbefb6c7-2fc4-4139-bb8b-a58bba724083}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters]
"CLSID"="{17CCA71B-ECD7-11D0-B908-00A0C9223196}"
"FriendlyName"="Logitech QuickCam Fusion"
"ExtensionDLL"="LVUI2.dll"
"RTCFlags"=dword:00000010
"FilterData"=hex:02,00,00,00,00,00,20,00,03,00,00,00,00,00,00,00,30,70,69,33,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters\PageAliases]
"{71F96464-78F3-11d0-A18C-00A0C9118956}"=hex:21,e8,c2,3d,13,47,d2,11,ba,41,00,a0,c9,0d,2b,05

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters\PinFactory]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters\PinFactory\1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters\PinFactory\1\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{65e8773d-8f56-11d0-a3b9-00a0c9223196}\##?#USB#VID_046D&PID_08CA&MI_00#6&1A6E8E02&5&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\#{BBEFB6C7-2FC4-4139-BB8B-A58BBA724083}\Device Parameters\PinFactory\1\Interfaces\{5BB95400-52BB-11d2-BA41-00A0C90D2B05}]
@=""

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\ASUS\\AsusUpdate\\Update.exe"="E:\\ASUS\\AsusUpdate\\Update.exe:*:Enabled:ASUS Update"
"D:\\Program Files\\NetMeeting\\conf.exe"="D:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"H:\\Flight Simulator 9\\fs9.exe"="H:\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"D:\\WINDOWS\\system32\\dpnsvr.exe"="D:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"D:\\Program Files\\BitTorrent\\bittorrent.exe"="D:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\AIM\\aim.exe"="E:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"D:\\Program Files\\Messenger\\msmsgs.exe"="D:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\RpcSandraSrv.exe"="E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\Win32\\RpcDataSrv.exe"="E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"E:\\Skype\\Phone\\Skype.exe"="E:\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"E:\\RECYCLER\\NPROTECT\\00000032.exe"="E:\\RECYCLER\\NPROTECT\\00000032.exe:*:Enabled:00000032"
"D:\\Program Files\\BitTorrent_DNA\\dna.exe"="D:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"D:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"="D:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
"D:\\Program Files\\SightSpeed\\SightSpeed.exe"="D:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"E:\\ActiveSync\\rapimgr.exe"="E:\\ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"E:\\ActiveSync\\wcescomm.exe"="E:\\ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"E:\\ActiveSync\\WCESMgr.exe"="E:\\ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="D:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"E:\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="E:\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"E:\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="E:\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"E:\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="E:\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"E:\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="E:\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\AIM\\aim.exe"="E:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\\ActiveSync\\rapimgr.exe"="E:\\ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"E:\\ActiveSync\\wcescomm.exe"="E:\\ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"E:\\ActiveSync\\WCESMgr.exe"="E:\\ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :



Files with Hidden Attributes :

Fri 3 Nov 2006 4,348 ..SH. --- "D:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 25 Oct 2007 0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 11 Jun 2008 0 A..H. --- "D:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT5.tmp"
Sun 11 May 2008 1,664 A.SH. --- "D:\Documents and Settings\Tim\Application Data\Roxio\Dragon\3.x\DiscInfoCache\TDK_DVDRW880N_1.39_000_DICV018_DRGV9000007.TMP"

Finished!
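The "Authorized Application Key Export" in the log above is the kind of list a responder reads by hand; it can also be triaged mechanically. The following is an added example, not code from the original post or from SDFix/ComboFix. It parses the `authorizedapplications\list` export format shown above (`"path"="path:scope:state:name"`, with registry-escaped backslashes) into records and flags entries worth confirming: exceptions open to any remote address, executables running from temporary or user-writable locations, and entries with no meaningful display name. The sample input is constructed from four lines of that export; the list of suspect directories and the flag rules are my own assumptions, not anything the log or the tools define.

```python
"""Parse a Windows XP firewall AuthorizedApplications registry export and
flag entries worth a second look. Added example; not part of the original
post or of SDFix/ComboFix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One exported value per line: "key"="value"
ENTRY_RE = re.compile(r'^"(?P<key>.+?)"="(?P<value>.+)"$')

# Constructed sample in the format of the export above; the four value lines
# are copied from that export, not invented.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\BitTorrent\\bittorrent.exe"="D:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\RECYCLER\\NPROTECT\\00000032.exe"="E:\\RECYCLER\\NPROTECT\\00000032.exe:*:Enabled:00000032"
"E:\\ActiveSync\\rapimgr.exe"="E:\\ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
'''

# Assumed list of locations where a firewall-exempted executable is unusual
# (temp folders, the recycle bin, user profile directories).
SUSPECT_DIRS = ('\\recycler\\', '\\temp\\', '\\application data\\',
                '\\local settings\\', '\\documents and settings\\')


@dataclass
class FirewallException:
    profile: str   # "standardprofile" or "domainprofile"
    path: str      # executable path with registry escaping removed
    scope: str     # "*" (any address), "LocalSubNet", or addr/mask list
    enabled: bool
    name: str      # display name shown in the firewall UI


def unescape(s: str) -> str:
    # .reg exports double every backslash inside a quoted string
    return s.replace('\\\\', '\\')


def parse_export(text: str) -> list[FirewallException]:
    entries: list[FirewallException] = []
    profile = ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            # Remember which firewall profile the following values belong to
            m = re.search(r'firewallpolicy\\(\w+)\\authorizedapplications', line, re.I)
            profile = m.group(1).lower() if m else ''
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, value = m.group('key'), m.group('value')
        # The value repeats the key path, then ":scope:state:name"; the drive
        # letter colon is why we strip the path prefix instead of splitting on ':'
        if not value.lower().startswith(key.lower() + ':'):
            continue  # malformed line: skip rather than guess
        parts = value[len(key) + 1:].split(':', 2)
        if len(parts) != 3:
            continue
        scope, state, name = parts
        entries.append(FirewallException(profile, unescape(key), scope,
                                         state.lower() == 'enabled', name))
    return entries


def triage(entries: list[FirewallException]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every entry that deserves confirmation."""
    findings = []
    for e in entries:
        reasons = []
        low = e.path.lower()
        if e.enabled and e.scope == '*':
            reasons.append('open to any remote address')
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append('runs from a temporary or user-writable location')
        if not e.name or e.name.isdigit():
            reasons.append('no meaningful display name')
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == '__main__':
    for path, reasons in triage(parse_export(SAMPLE_EXPORT)):
        print(path)
        for r in reasons:
            print('   -', r)
```

On this input the `E:\RECYCLER\NPROTECT\00000032.exe` entry collects all three flags. The NPROTECT folder belongs to Norton UnErase Protection, which appears as an O23 service in the HijackThis log later in this thread, so the hit is most likely benign; the point of the script is to surface such entries for confirmation against the installed software rather than to decide on its own.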

#4 Timtech

Timtech
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 17 June 2008 - 07:34 PM

ComboFix 08-06-16.5 - Tim 2008-06-17 20:17:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1431 [GMT -4:00]
Running from: D:\Documents and Settings\Tim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Tim\Application Data\Microsoft\dtsc
D:\Documents and Settings\Tim\Application Data\Microsoft\dtsc\id
D:\WINDOWS\Downloaded Program Files\Temp
D:\WINDOWS\system32\feb9_z.dll
E:\RECYCLER\Desktop.ini
F:\RECYCLER\Desktop.ini
G:\RECYCLER\Desktop.ini
H:\RECYCLER\Desktop.ini
I:\RECYCLER\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 17:54 . 2008-06-17 17:54 <DIR> d-------- D:\WINDOWS\ERUNT
2008-06-17 16:16 . 2008-06-17 18:15 <DIR> d-------- D:\SDFix
2008-06-15 11:17 . 2008-06-15 11:17 <DIR> d-------- D:\Program Files\Microsoft Money 2006
2008-06-12 17:56 . 2008-06-12 17:56 <DIR> d-------- D:\Deckard
2008-06-09 17:04 . 2008-06-09 17:04 <DIR> d-------- D:\Documents and Settings\Test\Application Data\Roxio
2008-06-09 17:03 . 2008-06-09 17:06 <DIR> d-------- D:\Documents and Settings\Test

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 00:08 0 ----a-w D:\WINDOWS\system32\drivers\lvuvc.hs
2008-06-18 00:08 0 ----a-w D:\WINDOWS\system32\drivers\logiflt.iad
2008-06-04 22:38 --------- d-----w D:\Documents and Settings\Tim\Application Data\NewsBin
2008-05-30 21:07 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:07 60,800 ----a-w D:\WINDOWS\system32\S32EVNT1.DLL
2008-05-30 21:07 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:07 10,671 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:07 --------- d-----w D:\Program Files\Symantec
2008-05-24 16:11 --------- d-----w D:\Documents and Settings\Tim\Application Data\Skype
2008-05-17 22:33 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-05-11 16:14 --------- d-----w D:\Documents and Settings\Tim\Application Data\Roxio
2008-05-08 12:28 202,752 ------w D:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ------w D:\WINDOWS\system32\quartz.dll
2008-05-07 02:36 --------- d-----w D:\Program Files\Resco
2008-05-07 02:25 --------- d-----w D:\Program Files\Microsoft ActiveSync
2008-05-02 20:22 205,328 ----a-w D:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 20:21 36,368 ----a-w D:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 20:17 1,169,240 ----a-w D:\WINDOWS\system32\drivers\vsapint.sys
2008-05-01 21:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-04-21 07:04 659,456 ----a-w D:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ------w D:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w D:\WINDOWS\system32\win32k.sys
2006-10-02 23:41 81,920 ----a-w D:\Documents and Settings\Tim\Application Data\ezpinst.exe
2006-10-02 23:41 47,360 ----a-w D:\Documents and Settings\Tim\Application Data\pcouffin.sys
2006-04-13 22:40 50,928 ----a-w D:\Documents and Settings\Tim\Application Data\GDIPFONTCACHEV1.DAT
2004-03-07 07:23 225 ----a-w D:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 16:06 1135968 --a------ D:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll" [ ]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "D:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 16:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= D:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 16:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="E:\ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 D:\WINDOWS\soundman.exe]
"PHIME2002ASync"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 22:39 455168]
"PHIME2002A"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 22:39 455168]
"MSPY2002"="D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 22:39 59392]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"Acrobat Assistant 7.0"="E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
"RoxWatchTray"="D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 12:10 221184]
"DMXLauncher"="E:\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 01:07 102400]
"RoxioDragToDisc"="D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 09:00 1116920]
"LogitechCommunicationsManager"="D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="E:\Logitech\QuickCam10\Quickcam.exe" [2007-10-25 16:37 2178832]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UfSeAgnt.exe"="E:\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-08-14 10:24:00 25214]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-04-17 09:25:34 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"MSACM.CEGSM"= mobilev.acm
"VIDC.I263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-01-08 18:33 53096 D:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2004-12-27 15:14 57344 E:\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Online Account Numbers]
--a------ 2007-02-02 18:11 233472 E:\Discover\SOAN\SOAN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShopSafe]
--a------ 2007-03-14 17:25 262144 D:\PROGRA~1\ShopSafe\ShopSafe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 E:\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-11 00:15 111816 D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\NetMeeting\\conf.exe"=
"H:\\Flight Simulator 9\\fs9.exe"=
"D:\\WINDOWS\\system32\\dpnsvr.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\RpcSandraSrv.exe"=
"E:\\SiSoftware\\SiSoftware Sandra Professional Business XIb\\Win32\\RpcDataSrv.exe"=
"D:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"D:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"D:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"E:\ActiveSync\rapimgr.exe"= E:\ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"E:\ActiveSync\wcescomm.exe"= E:\ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"E:\ActiveSync\WCESMgr.exe"= E:\ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"D:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"D:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 MrFilter;EasyWrite Driver;D:\WINDOWS\system32\drivers\MrFilter.sys [2005-10-20 12:05]
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;D:\WINDOWS\system32\drivers\si3112r.sys [2002-10-16 06:57]
R1 c2scsi;c2scsi;D:\WINDOWS\system32\drivers\c2scsi.sys [2005-05-11 08:00]
R1 DLARTL_M;DLARTL_M;D:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R1 prcmondrv;prcmondrv;D:\WINDOWS\system32\drivers\prcmondrv1041.sys [2006-02-17 20:28]
S2 BCMNTIO;BCMNTIO;E:\NORTON~1\CheckIt\DIAGNO~1\BCMNTIO.sys []
S2 MAPMEM;MAPMEM;E:\NORTON~1\CheckIt\DIAGNO~1\MAPMEM.sys []
S2 RoxLiveShare10;LiveShare P2P Server 10;"D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" []
S3 chanalog;CH Analog Devices;D:\WINDOWS\system32\DRIVERS\chanalog.sys [2002-08-08 23:50]
S3 EPUSBSTOR;EPSON USB Storage Driver;D:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 00:00]
S3 IR500;IR500;D:\WINDOWS\system32\DRIVERS\IR500.sys [2002-02-23 15:31]
S3 lgatbus;LG USB Composite Device driver (WDM);D:\WINDOWS\system32\DRIVERS\lgatbus.sys []
S3 lgatmdm;LG CDMA USB Modem Drivers;D:\WINDOWS\system32\DRIVERS\lgatmdm.sys []
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);D:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
S3 PortRst;PortRst;D:\WINDOWS\system32\DRIVERS\PortRst.sys [2002-01-16 14:51]
S3 XIRLINK;IBM PC Camera;D:\WINDOWS\system32\DRIVERS\C-itnt.sys [2001-08-01 16:49]
S4 SessionLauncher;SessionLauncher;D:\DOCUME~1\Tim\LOCALS~1\Temp\DX9\SessionLauncher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e86841-c229-11dc-b3eb-0011502e5b57}]
\Shell\AutoRun\command - N:\wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 20:22:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-17 20:24:02
ComboFix-quarantined-files.txt 2008-06-18 00:23:53

Pre-Run: 1,029,414,912 bytes free
Post-Run: 1,033,146,368 bytes free

206 --- E O F --- 2008-06-17 21:32:25

#5 Timtech

Timtech
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:24 AM

Posted 17 June 2008 - 07:40 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:22 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
E:\FolderSize\FolderSizeSvc.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\NORTON~1\NORTON~1\NPROTECT.EXE
D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Trend Micro\Internet Security\SfCtlCom.exe
E:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\WINDOWS\System32\svchost.exe
E:\UPHClean\uphclean.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
E:\Trend Micro\BM\TMBMSRV.exe
E:\Trend Micro\Internet Security\UfSeAgnt.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
E:\Roxio\Media Experience\DMXLauncher.exe
D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\ActiveSync\wcescomm.exe
E:\ACTIVE~1\rapimgr.exe
D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
E:\Trend Micro\Internet Security\TmProxy.exe
E:\Trend Micro\TrendSecure\TSCFCommander.exe
D:\WINDOWS\explorer.exe
E:\Trend Micro\HijackThis.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\obroker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - D:\Program Files\ShopSafe\BhoSSafe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - D:\WINDOWS\system32\BhoDshop.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "E:\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "E:\Logitech\QuickCam10\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "E:\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Winamp Toolbar Search - D:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\ACTIVE~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - E:\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - E:\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - E:\Discover\SOAN\SOAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent.com/netagent/objects/custappx3.CAB
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094267765030
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0BEDAF4-1BA6-444D-BCE5-97C15D54BC92}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Folder Size (FolderSize) - Brio - E:\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - E:\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - D:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - D:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - D:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - E:\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SPBBCSvc - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - D:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - E:\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - E:\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 13710 bytes

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 18 June 2008 - 08:51 AM

Hello, thanks for the reply.. Please do the following...

Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • D:\WINDOWS\system32\obroker.exe
  • Click on the submit button
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Fix below entry in HijackThis if you do not set the "Lock homepage from changes" restrictions.. Click on Do a system scan only. Check the boxes next to all the entries listed below.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Please post the following logs in your next reply.. Please post each log in separate post...

1. Jotti/VirusTotal result
2. Malwarebytes' log
3. A fresh Deckard System Scanner log (after Malwarebytes' step)


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Timtech


Posted 19 June 2008 - 08:36 PM

Thanks for helping me with this!

Jotti:
File: obroker.exe
Status: OK
MD5: ad2f36f7f2e1ff614efa555638756585
Packers detected: -

I think this file is part of Microsoft Money (Orbiscom Broker Module).

#8 Timtech


Posted 19 June 2008 - 09:17 PM

Malwarebytes' Anti-Malware 1.18
Database version: 871

10:14:34 PM 6/19/2008
mbam-log-6-19-2008 (22-14-34).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 136099
Time elapsed: 24 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Timtech


Posted 19 June 2008 - 09:50 PM

-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 21:41:26 0 d-------- D:\Documents and Settings\Tim\Application Data\Malwarebytes
2008-06-19 21:41:24 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 22:53:15 0 dr-h----- D:\Documents and Settings\Tim\Recent
2008-06-17 20:16:42 68096 --a------ D:\WINDOWS\zip.exe
2008-06-17 20:16:42 49152 --a------ D:\WINDOWS\VFind.exe
2008-06-17 20:16:42 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-17 20:16:42 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-17 20:16:42 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-17 20:16:42 98816 --a------ D:\WINDOWS\sed.exe
2008-06-17 20:16:42 80412 --a------ D:\WINDOWS\grep.exe
2008-06-17 20:16:42 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-17 20:03:18 0 d-------- D:\WINDOWS\setup.pss
2008-06-17 20:03:02 0 d-------- D:\WINDOWS\setupupd
2008-06-17 17:54:34 0 d-------- D:\WINDOWS\ERUNT
2008-06-15 11:17:25 0 d-------- D:\Program Files\Microsoft Money 2006
2008-06-14 11:29:25 0 --a------ D:\Documents and Settings\Tim\ipconfig
2008-06-09 17:04:30 0 d-------- D:\Documents and Settings\Test\Application Data\Roxio
2008-06-09 17:04:28 0 d-------- D:\Documents and Settings\Test\Application Data\Adobe
2008-06-09 17:03:59 0 d-------- D:\Documents and Settings\Test\Application Data\Identities
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\Templates
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\Start Menu
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\SendTo
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\Recent
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\PrintHood
2008-06-09 17:03:47 786432 --ah----- D:\Documents and Settings\Test\NTUSER.DAT
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\NetHood
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\My Documents
2008-06-09 17:03:47 0 d--h----- D:\Documents and Settings\Test\Local Settings
2008-06-09 17:03:47 0 dr------- D:\Documents and Settings\Test\Favorites
2008-06-09 17:03:47 0 d-------- D:\Documents and Settings\Test\Desktop
2008-06-09 17:03:47 0 d---s---- D:\Documents and Settings\Test\Cookies
2008-06-09 17:03:47 0 dr-h----- D:\Documents and Settings\Test\Application Data
2008-06-09 17:03:47 0 d---s---- D:\Documents and Settings\Test\Application Data\Microsoft
2008-06-04 18:43:30 0 d-------- D:\Documents and Settings\LocalService\Application Data\Macromedia


-- Find3M Report ---------------------------------------------------------------

2008-06-15 11:17:41 0 d-------- D:\Program Files\Common Files
2008-06-04 18:38:45 0 d-------- D:\Documents and Settings\Tim\Application Data\NewsBin
2008-05-30 17:07:40 0 d-------- D:\Program Files\Symantec
2008-05-24 12:11:45 0 d-------- D:\Documents and Settings\Tim\Application Data\Skype
2008-05-17 18:33:34 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-05-11 12:14:44 0 d-------- D:\Documents and Settings\Tim\Application Data\Roxio
2008-05-06 22:36:06 0 d-------- D:\Program Files\Resco
2008-05-06 22:25:58 0 d-------- D:\Program Files\Microsoft ActiveSync


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
10/04/2007 04:06 PM 1135968 --a------ D:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
E:\Trend Micro install\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= D:\Program Files\Winamp Toolbar\winamptb.dll [10/04/2007 04:06 PM 1135968]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 05:12 AM D:\WINDOWS\soundman.exe]
"PHIME2002ASync"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/28/2002 10:39 PM]
"PHIME2002A"="D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/28/2002 10:39 PM]
"MSPY2002"="D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [08/28/2002 10:39 PM]
"ISUSScheduler"="D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [09/11/2006 04:40 AM]
"IntelliPoint"="D:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 10:32 PM]
"Acrobat Assistant 7.0"="E:\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 09:52 PM]
"RoxWatchTray"="D:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/10/2006 12:10 PM]
"DMXLauncher"="E:\Roxio\Media Experience\DMXLauncher.exe" [08/14/2006 01:07 AM]
"RoxioDragToDisc"="D:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [07/31/2006 09:00 AM]
"LogitechCommunicationsManager"="D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="E:\Logitech\QuickCam10\Quickcam.exe" [10/25/2007 04:37 PM]
"SunJavaUpdateSched"="E:\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"UfSeAgnt.exe"="E:\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="E:\ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - D:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [8/14/2005 10:24:00 AM]
EPSON Status Monitor 3 Environment Check 2.lnk - D:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [4/17/2006 9:25:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=01000000
"NoRecentDocsNetHood"=01000000
"NoViewOnDrive"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"D:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"E:\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscoverDeskshop]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Secure Online Account Numbers]
E:\Discover\SOAN\SOAN.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShopSafe]
D:\PROGRA~1\ShopSafe\ShopSafe.exe /dontopenmycards

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
E:\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5e86841-c229-11dc-b3eb-0011502e5b57}]
AutoRun\command- N:\wd_windows_tools\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-19 22:26:18 ------------

Event Description:
The following boot-start or system-start driver(s) failed to load:
aslm75

Event Record #/Type9902 / Error
Event Submitted/Written: 06/19/2008 06:07:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2

Event Record #/Type9901 / Error
Event Submitted/Written: 06/19/2008 06:07:46 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BCMNTIO service failed to start due to the following error:
%%2

Event Record #/Type9871 / Error
Event Submitted/Written: 06/17/2008 10:46:52 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
aslm75

Event Record #/Type9870 / Error
Event Submitted/Written: 06/17/2008 10:46:52 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The MAPMEM service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-19 22:26:18 ------------


Both of my CD-ROM drives and my virtual drive for loading ISO files were non-functional and showed yellow exclamation marks in my Device Manager. The only way I could get the system to accept them was to delete the "lowerfilter" entry in HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}. However, the drives will not write to any media anymore. So, I found versions of my SYSTEM, SAM, SOFTWARE, SECURITY, and DEFAULT files from 3/16/08 and overwrote them into my SYSTEM32\CONFIG folder hoping it would fix the problem, but no soap. I will try reloading Roxio to try to get the drivers and pointers working again. BTW, I made the config file changes before running Jotti, Malwarebytes, and a fresh HijackThis. I'll have to do a regclean to get rid of all the registry entries of software I have removed since 3/16/08. I am starting to think a fresh install of Windows would have been what the doctor ordered.

Can I load the BHOs that were removed earlier in our repair procedures yet?
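The "Files created between" listing in the Deckard log above is the part a helper reads first: anything executable that appeared inside the Windows directory during the infection window gets looked at, and several files sharing one creation timestamp were written by a single process and so are triaged as a group. The following Python script is an added illustration, not code from this thread or from Deckard's System Scanner. It parses lines in the listing's own format (date, time, size, nine attribute flags, path, optional `<Not Verified; vendor; description>` note), flags new executables under `\WINDOWS\`, and groups the hits by timestamp. The sample lines are copied from the log above except for `example_dropper.dll`, which is a constructed placeholder standing in for an unknown file.

```python
"""Triage helper for Deckard's System Scanner "Files created" listings.

Added example for illustration; it is not part of the BleepingComputer thread
and not a DSS component.  It reads the listing format shown in the thread and
flags newly created executables in Windows directories.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One listing line: "YYYY-MM-DD HH:MM:SS <size> <9 attribute flags> <path> [<note>]"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[d\-rahs]{9}) (?P<path>.+?)"
    r"(?: <(?P<note>[^>]*)>)?$"
)

# Extensions worth a second look when they appear unexpectedly.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".bin", ".scr", ".com")
# Directories where a newly written executable deserves scrutiny (lower-cased for matching).
SYSTEM_DIRS = ("\\windows\\",)

# Scan window taken from the log header "Files created between 2008-05-19 and 2008-06-19".
WINDOW_START = datetime(2008, 5, 19)
WINDOW_END = datetime(2008, 6, 19, 23, 59, 59)

# Sample input: lines copied from the log above; example_dropper.dll is CONSTRUCTED.
SAMPLE_LISTING = r"""
-- Files created between 2008-05-19 and 2008-06-19 -----------------------------

2008-06-19 21:41:26 0 d-------- D:\Documents and Settings\Tim\Application Data\Malwarebytes
2008-06-17 22:53:15 0 dr-h----- D:\Documents and Settings\Tim\Recent
2008-06-17 20:16:42 68096 --a------ D:\WINDOWS\zip.exe
2008-06-17 20:16:42 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-17 20:16:42 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-14 11:29:25 0 --a------ D:\Documents and Settings\Tim\ipconfig
2008-06-11 19:02:10 94208 --a------ D:\WINDOWS\system32\example_dropper.dll
2008-06-09 17:03:47 786432 --ah----- D:\Documents and Settings\Test\NTUSER.DAT
"""


@dataclass
class Entry:
    created: datetime
    size: int
    is_dir: bool
    attrs: str
    path: str
    note: Optional[str]

    @property
    def not_verified(self) -> bool:
        # DSS appends "<Not Verified; ...>" when it could not validate the file's version info.
        return bool(self.note) and self.note.startswith("Not Verified")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return Entry(
        created=datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M:%S"),
        size=int(m.group("size")),
        is_dir=attrs[0] == "d",
        attrs=attrs,
        path=m.group("path"),
        note=m.group("note"),
    )


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


def flag_new_executables(entries: List[Entry], start: datetime, end: datetime) -> List[Entry]:
    """Files (not directories) created in [start, end] with an executable suffix under a system dir."""
    flagged = []
    for e in entries:
        if e.is_dir or not (start <= e.created <= end):
            continue
        low = e.path.lower()
        if low.endswith(EXEC_SUFFIXES) and any(d in low for d in SYSTEM_DIRS):
            flagged.append(e)
    return flagged


def group_by_timestamp(entries: List[Entry]) -> Dict[str, List[str]]:
    """Identical creation timestamps usually mean one process wrote the whole batch."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e.created.strftime("%Y-%m-%d %H:%M:%S"), []).append(e.path)
    return groups


def triage(text: str = SAMPLE_LISTING) -> Dict[str, object]:
    entries = parse_listing(text)
    flagged = flag_new_executables(entries, WINDOW_START, WINDOW_END)
    return {
        "parsed": len(entries),
        "flagged": [e.path for e in flagged],
        "unverified": [e.path for e in flagged if e.not_verified],
        "batches": group_by_timestamp(flagged),
    }


if __name__ == "__main__":
    report = triage()
    print(f"parsed {report['parsed']} entries, flagged {len(report['flagged'])}")
    for stamp, paths in report["batches"].items():
        print(stamp, "->", ", ".join(paths))
```

Run against the sample, the script flags the constructed `example_dropper.dll` and also the batch of utilities written to `D:\WINDOWS` at 20:16:42 on 2008-06-17. That second hit is the point of the timestamp grouping: one timestamp across several files means one installer or tool wrote them, and a helper checks such a batch against the tools they asked the poster to run before treating it as hostile, rather than judging each file in isolation.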

#10 fenzodahl512


Posted 20 June 2008 - 09:05 PM

Hello, apologies for my late reply.. I was in hospital for two days due to bad food (food poisoning)..


Can I load the BHO that were moved earlier in our repair procedures yet?


Your logs look clean to my eyes.. Do you really want those BHOs back? I don't think they're related to your CD/DVD problem..

If you insist please do the following...


Please go to C:\WINDOWS\ERDNT and look for the latest-dated registry backup that was performed before. Double click on that file and press OK at the prompt.

The ERUNT backup file should look like this: Posted Image



After that, please post a fresh Deckard System Scanner in your next reply.. Also, tell me about those dvd/cd problems that you had before..


Regards
fenzodahl512



#11 Timtech


Posted 20 June 2008 - 09:29 PM

Sorry to hear about your illness. I fixed my CD/DVD problems by reinstalling Roxio 9. My CD/DVD drives no longer had the yellow exclamation marks in Device Manager and they were recognised as writers as well as readers by the system. However, Roxio still didn't recognise the drive ("no drive detected") until I found and ran Roxio pxengine2_08_40d.exe. Everything was looking OK so I bit the bullet and installed Windows XP SP3. I should be pretty clean now. The CD/DVD problems might have been brought on by the recovery of my "system state" via Microsoft Backup. I wasn't paying much attention to the Device Manager throughout my virus cleansing procedure.

A couple of those BHOs are for my Discover Deskshop and Visa ShopSafe single-use credit card number generators. I guess I can just reinstall things as I discover applications that no longer function. I don't want to restore anything over the new install of SP3.

Thanks for your help.

BTW, according to my TrendMicro Internet Security, procs.exe in SDfix/apps contains TROJ_Generic.ADV. I trusted you and let it run anyway...

#12 fenzodahl512


Posted 20 June 2008 - 10:03 PM

Well, I'm okay now.. Great!.. Glad to hear your computer is good again :thumbsup:


TrendMicro is a great security program..


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed




NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • It should have this icon next to it: Posted Image
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6



NEXT


I noticed that you already have:
1. Trend Micro Internet Security consisting of your antivirus and firewall
2. MalwareBytes' Anti-Malware as your antispyware..



Lastly, to keep your operating system up to date please visit the link below monthly.

To learn more about how to protect yourself while on the internet, read this excellent article by Grinler: How did I get infected?, With steps so it does not happen again!

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#13 Timtech


Posted 21 June 2008 - 10:14 AM

One step ahead of you...
I already deleted old versions and updated to the latest Java :thumbsup::-)
I ran combofix.exe /u and it uninstalled.

Question,
I now have a folder called "cmdcons" on my Operating system drive (D:) that is hidden. It contains 201 files, two folders for a total of 8.13 MB. Did one of the virus applications install this folder? If so, can I delete it?

#14 fenzodahl512


Posted 21 June 2008 - 06:13 PM

Question,
I now have a folder called "cmdcons" on my Operating system drive (D:) that is hidden. It contains 201 files, two folders for a total of 8.13 MB. Did one of the virus applications install this folder? If so, can I delete it?


Well, that folder is associated with the Windows Recovery Console.. More information below.. I'd suggest you keep it :thumbsup:


http://support.microsoft.com/kb/233979

http://support.microsoft.com/kb/216417



#15 fenzodahl512


Posted 06 July 2008 - 04:45 PM

I'm glad that we could help.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512





