Advanced Xp Fixer


5 replies to this topic

#1 quartz54

  • Members
  • 3 posts

Posted 13 June 2008 - 11:15 AM

My background screen is blue with a yellow box that reads "Warning! Spyware detected on your computer! Install an anti-virus or spyware remover to clean your computer." The Advanced XP Fixer program keeps reappearing no matter how many times I remove it through Add/Remove Programs. Additionally, it opens a pop-up window trying to do a virus scan, which I always stop and click "continue unprotected." My anti-virus program, AVG Free Edition, told me shortly after the initial infection that it detected a threat called "trojanhorse," which it healed. One last detail: there is a pop-up box constantly reappearing in the lower right-hand corner of my screen which reads, "136 threats detected." Thanks for your help!

Deckard's System Scanner v20071014.68
Run by Courtney on 2008-06-13 08:47:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-13 08:50:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lphcpjcj0ej7l.exe
C:\Program Files\AXPFixer\AXPFixer.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Courtney\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphcpjcj0ej7l] C:\WINDOWS\system32\lphcpjcj0ej7l.exe
O4 - HKLM\..\Run: [AXPFixer] C:\Program Files\AXPFixer\AXPFixer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178138188537
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124651358732
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...8014.4967708333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:\WINDOWS\lsasrv.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Service Monitor (winsvcmon) - Unknown owner - C:\WINDOWS\System32\winsvcmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 9271 bytes

-- HijackThis Fixed Entries (C:\ht\backups\) -----------------------------------

backup-20070502-131902-164 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
backup-20070502-131902-205 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
backup-20070502-131902-420 O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
backup-20070502-131902-425 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
backup-20070502-131902-565 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
backup-20070502-131902-599 O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
backup-20070502-131902-600 R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
backup-20070502-131902-683 O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
backup-20070502-131902-742 O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
backup-20070502-131902-798 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
backup-20070502-131902-929 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070502-131902-935 O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
backup-20070502-131902-943 O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
backup-20070502-131903-154 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
backup-20070502-131903-179 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
backup-20070502-131903-253 O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20070502-131903-271 O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
backup-20070502-131903-327 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070502-131903-357 O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
backup-20070502-131903-369 O21 - SSODL: odb_set - {063CDEF6-F021-4E52-820D-0C070B255860} - odbcmr32.dll (file missing)
backup-20070502-131903-469 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
backup-20070502-131903-484 O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
backup-20070502-131903-493 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
backup-20070502-131903-498 O4 - HKCU\..\Run: [_ctflog manager] c:\windows\_ctflog.exe
backup-20070502-131903-534 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20070502-131903-556 O4 - HKCU\..\Run: [service manager] c:\windows\service.exe
backup-20070502-131903-619 O23 - Service: Windows Service Monitor (winsvcmon) - Unknown owner - C:\WINDOWS\System32\winsvcmon.exe (file missing)
backup-20070502-131903-630 O4 - HKLM\..\Run: [SANS Service] C:\WINDOWS\System32\sansv.exe
backup-20070502-131903-659 O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:\WINDOWS\lsasrv.exe (file missing)
backup-20070502-131903-694 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070502-131903-711 O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143765714\ee\AOLSoftware.exe
backup-20070502-131903-727 O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
backup-20070502-131903-756 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070502-131903-773 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
backup-20070502-131903-811 O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
backup-20070502-131903-829 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm080YYUS
backup-20070502-131903-832 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
backup-20070502-131903-843 O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
backup-20070502-131903-868 O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
backup-20070502-131903-875 O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
backup-20070502-131903-893 O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
backup-20070502-131903-907 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20070502-131903-933 O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
backup-20070502-131903-936 O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
backup-20070502-131903-943 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
backup-20070502-131903-965 O4 - HKLM\..\Run: [Stump] C:\WINDOWS\System32\stump.exe
backup-20070502-131903-986 O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
backup-20070502-131903-993 O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
backup-20070502-131936-333 O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:\WINDOWS\lsasrv.exe (file missing)
backup-20070502-131936-347 O23 - Service: Windows Service Monitor (winsvcmon) - Unknown owner - C:\WINDOWS\System32\winsvcmon.exe (file missing)
backup-20070502-131936-583 O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
backup-20070502-131936-709 O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
backup-20070502-131936-750 O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
backup-20070502-131950-704 O23 - Service: Windows Service Monitor (winsvcmon) - Unknown owner - C:\WINDOWS\System32\winsvcmon.exe (file missing)
backup-20070502-131950-811 O23 - Service: Local Security Authority Subsystem Library (LSA Server) - Unknown owner - C:\WINDOWS\lsasrv.exe (file missing)
backup-20070502-131950-864 O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BsStor (B.H.A Storage Helper Driver) - c:\windows\system32\drivers\bsstor.sys <Not Verified; B.H.A Co.,Ltd.; >
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R3 M2500 (802.11g Wireless Network Driver) - c:\windows\system32\drivers\m2500.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless PCI Adapters>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 mcemgr - c:\windows\system32\obdwk.sys (file missing)
S3 NTSIM - c:\windows\system32\ntsim.sys <Not Verified; VIA Networking, Inc.; Network Device Monitor Utility>
S3 sysrest.sys - c:\windows\system32\sysrest.sys
S3 VIASens (Vinyl Sensaura WDM 3D Audio Driver) - c:\windows\system32\drivers\viasens.sys <Not Verified; Sensaura Ltd; >
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 LSA Server (Local Security Authority Subsystem Library) - c:\windows\lsasrv.exe (file missing)
S2 ntlogin32 (NT login service) - c:\windows\system32\libsys32.exe (file missing)
S2 winsvcmon (Windows Service Monitor) - c:\windows\system32\winsvcmon.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2005-08-21 12:21:00 380 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-12 08:37:28 0 d-------- C:\WINDOWS\Sun
2008-06-12 08:37:28 0 d-------- C:\Documents and Settings\Courtney\Application Data\Sun
2008-06-12 08:36:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-12 08:36:36 0 d-------- C:\Program Files\Google
2008-06-12 08:33:30 0 d-------- C:\Program Files\Java
2008-06-12 08:32:53 0 d-------- C:\Program Files\Common Files\Java
2008-06-10 14:57:20 15328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-10 13:25:59 0 d-------- C:\Program Files\AXPFixer
2008-06-10 13:25:44 0 d-------- C:\Program Files\AXPDefender
2008-06-06 18:30:45 0 d-------- C:\Documents and Settings\Courtney\Application Data\AXPFixer
2008-06-05 16:52:23 0 d-------- C:\Documents and Settings\Courtney\Application Data\AXPDefender
2008-06-03 20:01:33 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-02 16:47:32 0 dr-h----- C:\$VAULT$.AVG
2008-06-02 13:13:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-02 12:49:11 0 d-------- C:\Documents and Settings\Courtney\Application Data\shcvjcj0ej7l
2008-06-02 12:47:49 52736 --a------ C:\WINDOWS\system32\blphcpjcj0ej7l.scr <Not Verified; Peter's Productions; Bugs!>
2008-06-02 12:46:11 93184 --a------ C:\WINDOWS\system32\lphcpjcj0ej7l.exe
2008-06-01 23:56:53 0 d-------- C:\Documents and Settings\Courtney\Application Data\Apple Computer
2008-06-01 23:56:05 0 d-------- C:\Program Files\iPod
2008-06-01 23:55:45 0 d-------- C:\Program Files\iTunes
2008-06-01 23:53:35 0 d-------- C:\Program Files\QuickTime
2008-06-01 23:53:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-01 23:50:33 0 d-------- C:\Program Files\Apple Software Update
2008-06-01 23:50:08 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-01 23:49:37 0 d-------- C:\Program Files\Common Files\Apple
2008-06-01 23:49:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-13 11:54:48 0 d-------- C:\Documents and Settings\Courtney\Application Data\Move Networks


-- Find3M Report ---------------------------------------------------------------

2008-06-13 08:48:43 0 d-------- C:\Documents and Settings\Courtney\Application Data\Skype
2008-06-13 03:46:36 0 d-------- C:\Documents and Settings\Courtney\Application Data\skypePM
2008-06-12 08:32:53 0 d-------- C:\Program Files\Common Files
2008-06-03 20:03:39 0 d-------- C:\Program Files\Lavasoft
2008-06-02 13:52:36 0 d-------- C:\Documents and Settings\Courtney\Application Data\AVG7
2008-06-02 13:13:51 0 d-------- C:\Documents and Settings\Courtney\Application Data\Lavasoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/24/2003 10:51 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/24/2003 10:44 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/13/2004 03:49 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [05/13/2008 10:55 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"lphcpjcj0ej7l"="C:\WINDOWS\system32\lphcpjcj0ej7l.exe" [06/02/2008 12:46 PM]
"AXPFixer"="C:\Program Files\AXPFixer\AXPFixer.exe" [05/19/2008 11:03 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [09/29/2007 01:22 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [12/12/2007 04:20 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 7:50:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-13 08:51:24 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: mobile AMD Athlon™ XP-M (LV) 2200+
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 479.48 MiB / 159.3 MiB
Pagefile Memory (total/avail): 1122.11 MiB / 740.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.33 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 29.42 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - IC25N080ATMR04-0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\1143765714\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143765714\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1143765714\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143765714\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Courtney\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SIMON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Courtney
LOGONSERVER=\\SIMON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Courtney\LOCALS~1\Temp
TMP=C:\DOCUME~1\Courtney\LOCALS~1\Temp
USERDOMAIN=SIMON
USERNAME=Courtney
USERPROFILE=C:\Documents and Settings\Courtney
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Courtney (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\RUCKUS~1\UNWISE.EXE /a C:\PROGRA~1\RUCKUS~1\INSTALL.LOG
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AXPFixer --> "C:\Program Files\AXPFixer\uninstall.exe"
BCM Wireless Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\Setup.exe" DVD-RAM Driver
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LG USB Drivers --> C:\PROGRA~1\LGDRIV~1\LGUSBD~1\UNWISE.EXE C:\PROGRA~1\LGDRIV~1\LGUSBD~1\INSTALL.LOG
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Medi@Show --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CyberLink\MediaShow\Uninst.isu"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Network Guide --> MsiExec.exe /I{2F30A886-DC9F-4C4D-8CE5-124388C82943}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Courtney\Application Data\Move Networks\ie_bin\Uninst.exe
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Plaxo Toolbar for Outlook (with AIM Enhancements) --> C:\Program Files\Plaxo\2.12.1.1\uninstall.exe
Power2Go 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PowerStarter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
S3 S3Display --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Smart Link 56K Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
UniChrome Graphics Driver and Utilities --> C:\PROGRA~1\S3\S3\s3setvga.exe -s -fC:\PROGRA~1\S3\S3\S3.uns
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
V CAST Music --> MsiExec.exe /X{3249FD43-B24B-413F-B786-F8FEA32FA747}
VIA Audio Driver Setup Program --> RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -f"C:\PROGRA~1\VIATEC~1\VIAAUD~1/Uninst.isu"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WordPerfect Office X3 --> MsiExec.exe /I{54DB13F1-0CE0-4BAB-BD5F-7DE150C043C8}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7328 / Error
Event Submitted/Written: 06/10/2008 02:51:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application axpdefender.exe, version 2.1.0.1, faulting module axpdefender.exe, version 2.1.0.1, fault address 0x0004d4c9.
Processing media-specific event for [axpdefender.exe!ws!]

Event Record #/Type7325 / Error
Event Submitted/Written: 06/05/2008 11:19:42 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application PowerDVD.exe, version 5.0.0.1107, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7298 / Error
Event Submitted/Written: 06/02/2008 00:52:04 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application shcvjcj0ej7l.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7277 / Error
Event Submitted/Written: 05/25/2008 05:36:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7272 / Error
Event Submitted/Written: 05/20/2008 04:55:18 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type156996 / Warning
Event Submitted/Written: 06/12/2008 10:07:21 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type155458 / Warning
Event Submitted/Written: 06/09/2008 04:34:37 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011090C353B. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type155451 / Warning
Event Submitted/Written: 06/09/2008 04:34:29 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011090C353B. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type154816 / Error
Event Submitted/Written: 06/08/2008 05:49:48 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 147.222.228.148 on the
Network Card with network address 0011090C353B.

Event Record #/Type154815 / Warning
Event Submitted/Written: 06/08/2008 05:49:48 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011090C353B. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-06-13 08:51:24 ------------



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:03 PM

Posted 14 June 2008 - 01:29 PM

Hello quartz54 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 quartz54

quartz54
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 15 June 2008 - 09:57 PM

Thanks Old Timer. I'm pretty sure I didn't send this in wordwrap, but I'm not sure.

-quartz

Attached Files



#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:03 PM

Posted 15 June 2008 - 11:08 PM

Hi quartz54. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
LSA Server
mcemgr
ntlogin32
sysrest.sys
winsvcmon
Files to delete:
%allusersprofile%\desktop\axpfixer.lnk
%programfiles%\axpfixer\axpfixer.exe
%systemroot%\lsasrv.exe
%systemroot%\system32\blphcpjcj0ej7l.scr
%systemroot%\system32\libsys32.exe
%systemroot%\system32\lphcpjcj0ej7l.exe
%systemroot%\system32\obdwk.sys
%systemroot%\system32\phcpjcj0ej7l.bmp
%systemroot%\system32\sysrest.sys
%systemroot%\system32\winsvcmon.exe
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%appdata%\axpdefender
%appdata%\axpfixer
%appdata%\shcvjcj0ej7l
%programfiles%\axpdefender
%programfiles%\axpfixer

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> lphcpjcj0ej7l.exe -> %SystemRoot%\system32\lphcpjcj0ej7l.exe
YY -> axpfixer.exe -> %ProgramFiles%\AXPFixer\AXPFixer.exe
[Win32 Services - Non-Microsoft Only]
NY -> (LSA Server) Local Security Authority Subsystem Library [Win32_Own | Auto | Stopped] -> %SystemRoot%\lsasrv.exe
NY -> (ntlogin32) NT login service [Win32_Own | Auto | Stopped] -> %SystemRoot%\System32\libsys32.exe
NY -> (winsvcmon) Windows Service Monitor [Win32_Own | Auto | Stopped] -> %SystemRoot%\System32\winsvcmon.exe
[Driver Services - Non-Microsoft Only]
NY -> (mcemgr) mcemgr [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\obdwk.sys
NY -> (sysrest.sys) sysrest.sys [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\sysrest.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> lphcpjcj0ej7l -> %SystemRoot%\system32\lphcpjcj0ej7l.exe [C:\WINDOWS\system32\lphcpjcj0ej7l.exe]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Power2GoExpress -> []
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 1
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar2.dll [Google Toolbar Helper]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar2.dll [&Google]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar2.dll [&Google]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Bonjour\mDNSResponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour]
[Files/Folders - Created Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> 141 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> blphcpjcj0ej7l.scr -> %SystemRoot%\System32\blphcpjcj0ej7l.scr
NY -> lphcpjcj0ej7l.exe -> %SystemRoot%\System32\lphcpjcj0ej7l.exe
NY -> phcpjcj0ej7l.bmp -> %SystemRoot%\System32\phcpjcj0ej7l.bmp
NY -> sysrest.sys -> %SystemRoot%\System32\sysrest.sys
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> AXPDefender -> %AppData%\AXPDefender
NY -> AXPFixer -> %AppData%\AXPFixer
NY -> shcvjcj0ej7l -> %AppData%\shcvjcj0ej7l
NY -> 6 C:\Documents and Settings\Courtney\My Documents\*.tmp files -> C:\Documents and Settings\Courtney\My Documents\*.tmp
NY -> AXPFixer.lnk -> %AllUsersProfile%\Desktop\AXPFixer.lnk
NY -> AXPDefender -> %ProgramFiles%\AXPDefender
NY -> AXPFixer -> %ProgramFiles%\AXPFixer
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> 141 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> blphcpjcj0ej7l.scr -> %SystemRoot%\System32\blphcpjcj0ej7l.scr
NY -> lphcpjcj0ej7l.exe -> %SystemRoot%\System32\lphcpjcj0ej7l.exe
NY -> phcpjcj0ej7l.bmp -> %SystemRoot%\System32\phcpjcj0ej7l.bmp
NY -> sysrest.sys -> %SystemRoot%\System32\sysrest.sys
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> shcvjcj0ej7l -> %AppData%\shcvjcj0ej7l
NY -> 6 C:\Documents and Settings\Courtney\My Documents\*.tmp files -> C:\Documents and Settings\Courtney\My Documents\*.tmp
NY -> AXPFixer.lnk -> %AllUsersProfile%\Desktop\AXPFixer.lnk
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

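Reading the log Avenger writes to C:\avenger.txt back against the Step #1 script, as an added example that is not part of this thread and not The Avenger's own code: it classifies every requested driver, file and folder as deleted, failed with the reported NTSTATUS, or unreported, so entries that came back as not found are easy to spot when the helper reviews the results. The ENV map and the two sample texts are constructed assumptions built from the paths used in this thread.

```python
import re

# Constructed assumption: standard Windows XP locations for the host in this thread.
ENV = {
    "%systemroot%": r"C:\WINDOWS",
    "%programfiles%": r"C:\Program Files",
    "%allusersprofile%": r"C:\Documents and Settings\All Users",
    "%appdata%": r"C:\Documents and Settings\Courtney\Application Data",
}

SECTION_RE = re.compile(r"^(Drivers|Files|Folders) to delete:$", re.I)
OK_RE = re.compile(r'^(Driver|File|Folder) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (driver|file|folder) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+) \((\w+)\)$")


def norm(target):
    """Expand %var% placeholders and lowercase, so script and log targets compare equal."""
    expanded = re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), target)
    return expanded.lower()


def parse_script(text):
    """Split an Avenger script into {'driver': [...], 'file': [...], 'folder': [...]}."""
    items = {"driver": [], "file": [], "folder": []}
    kind = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind = m.group(1).lower().rstrip("s")  # "Drivers" -> "driver"
            continue
        if kind:
            items[kind].append(line)
    return items


def parse_log(text):
    """Map (kind, normalised target) -> (outcome, NTSTATUS name or None) from the log."""
    results = {}
    pending = None  # failed item whose "Status:" line has not been read yet
    for line in text.splitlines():
        line = line.strip()
        m = OK_RE.match(line)
        if m:
            results[(m.group(1).lower(), norm(m.group(2)))] = ("deleted", None)
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = (m.group(1).lower(), norm(m.group(2)))
            results[pending] = ("failed", None)
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            results[pending] = ("failed", m.group(2))
            pending = None
    return results


def reconcile(script_text, log_text):
    """Return {script entry: 'deleted' | 'failed:<STATUS>' | 'unreported'}."""
    requested = parse_script(script_text)
    seen = parse_log(log_text)
    report = {}
    for kind, targets in requested.items():
        for target in targets:
            outcome, status = seen.get((kind, norm(target)), ("unreported", None))
            report[target] = outcome if status is None else f"{outcome}:{status}"
    return report


# Constructed sample: a subset of the Step #1 script and of the log Avenger writes.
SAMPLE_SCRIPT = r"""
Drivers to delete:
LSA Server
mcemgr
Files to delete:
%systemroot%\lsasrv.exe
%systemroot%\system32\lphcpjcj0ej7l.exe
%systemroot%\system32\obdwk.sys
Folders to delete:
%programfiles%\axpfixer
"""

SAMPLE_LOG = r"""
Driver "LSA Server" deleted successfully.
Driver "mcemgr" deleted successfully.
Error: file "C:\WINDOWS\lsasrv.exe" not found!
Deletion of file "C:\WINDOWS\lsasrv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
File "C:\WINDOWS\system32\lphcpjcj0ej7l.exe" deleted successfully.
Folder "C:\Program Files\axpfixer" deleted successfully.
"""

if __name__ == "__main__":
    for target, outcome in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{outcome:40} {target}")
```

A service whose binary is reported as not found was already missing on disk, so only its service entry remained to be removed; an unreported entry means the log never mentioned it and the item should be re-checked.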

#5 quartz54

quartz54
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 16 June 2008 - 01:46 PM

the avenger report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "LSA Server" deleted successfully.
Driver "mcemgr" deleted successfully.
Driver "ntlogin32" deleted successfully.
Driver "sysrest.sys" deleted successfully.
Driver "winsvcmon" deleted successfully.
File "C:\Documents and Settings\All Users\desktop\axpfixer.lnk" deleted successfully.
File "C:\Program Files\axpfixer\axpfixer.exe" deleted successfully.

Error: file "C:\WINDOWS\lsasrv.exe" not found!
Deletion of file "C:\WINDOWS\lsasrv.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\blphcpjcj0ej7l.scr" deleted successfully.

Error: file "C:\WINDOWS\system32\libsys32.exe" not found!
Deletion of file "C:\WINDOWS\system32\libsys32.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\lphcpjcj0ej7l.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\obdwk.sys" not found!
Deletion of file "C:\WINDOWS\system32\obdwk.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\phcpjcj0ej7l.bmp" deleted successfully.
File "C:\WINDOWS\system32\sysrest.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\winsvcmon.exe" not found!
Deletion of file "C:\WINDOWS\system32\winsvcmon.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\Documents and Settings\Courtney\Application Data\axpdefender" deleted successfully.
Folder "C:\Documents and Settings\Courtney\Application Data\axpfixer" deleted successfully.
Folder "C:\Documents and Settings\Courtney\Application Data\shcvjcj0ej7l" deleted successfully.
Folder "C:\Program Files\axpdefender" deleted successfully.
Folder "C:\Program Files\axpfixer" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

OT scan log:

06/15/08 22:17:21 Entering StartDeviceDiscovery.
06/15/08 22:17:21 Entering DDWorkerThreadProc
Doing initial wait.
06/15/08 22:17:21 Finished initial wait.
06/15/08 22:17:21 Exiting StartDeviceDiscovery and returning 1.
06/15/08 22:17:21 Wait for plug-and-play to finish.
06/15/08 22:17:22 Creating list of supported devices in main loop.
06/15/08 22:17:22 Entering CreateListOfSupportedDevices.
06/15/08 22:17:23 Searching C:\Program Files\HP\Digital Imaging\data\DeviceDiscovery ...
06/15/08 22:17:23 Trying C:\Program Files\HP\Digital Imaging\data\DeviceDiscovery\hpodd09.ini ...
06/15/08 22:17:24 Insert product class "hp psc 1000 series".
06/15/08 22:17:24 Insert product class "hp psc 1100 series".
06/15/08 22:17:24 Insert product class "hp psc 1200 series".
06/15/08 22:17:24 Insert product class "hp psc 1300 series".
06/15/08 22:17:25 Insert product class "hp psc 1310 series".
06/15/08 22:17:25 Insert product class "hp psc 2100 series".
06/15/08 22:17:25 Insert product class "hp psc 2150 series".
06/15/08 22:17:25 Insert product class "hp psc 2170 series".
06/15/08 22:17:25 Insert product class "hp psc 2200 series".
06/15/08 22:17:26 Insert product class "hp psc 2300 series".
06/15/08 22:17:26 Insert product class "hp psc 2400 series".
06/15/08 22:17:26 Insert product class "hp psc 2500 series".
06/15/08 22:17:26 Insert product class "hp officejet 4100 series".
06/15/08 22:17:26 Insert product class "hp officejet 4105 series".
06/15/08 22:17:27 Insert product class "hp officejet 4200 series".
06/15/08 22:17:27 Insert product class "hp officejet 5500 series".
06/15/08 22:17:27 Insert product class "hp officejet 6100 series".
06/15/08 22:17:27 Insert product class "HP Officejet 6200 series".
06/15/08 22:17:27 Insert product class "HP Officejet 7300 series".
06/15/08 22:17:27 Insert product class "HP Officejet 7400 series".
06/15/08 22:17:28 Insert product class "HP PSC 2350 series".
06/15/08 22:17:28 Insert product class "HP Photosmart 2600 series".
06/15/08 22:17:28 Insert product class "HP Photosmart 2700 series".
06/15/08 22:17:28 Insert product class "HP Officejet 7200 series".
06/15/08 22:17:28 Insert product class "HP PSC 1600 series".
06/15/08 22:17:29 Insert product class "HP PSC 1500 series".
06/15/08 22:17:29 Insert product class "HP PSC 1400 series".
06/15/08 22:17:29 Exiting CreateListOfSupportedDevices and returning 1.
06/15/08 22:17:30 Entering BuildQueues.
06/15/08 22:17:30 Entering CreateListFromContext.
06/15/08 22:17:30 Exiting CreateListFromContext and returning 1.
06/15/08 22:17:34 Found and using context id: #Hewlett-Packard#HP PSC 1600 series#1125097647
06/15/08 22:17:34 Exiting BuildQueues and returning 1.
06/15/08 22:17:35 Entering AddDevices.
06/15/08 22:17:35 Exiting AddDevices and returning 1.
06/15/08 22:17:35 Entering ModifyDevices.
06/15/08 22:17:35 Exiting ModifyDevices and returning 1.
06/15/08 22:17:35 Entering RemoveDevices.
06/15/08 22:17:35 Exiting RemoveDevices and returning 1.

F scan report:

Scanning Report
Sunday, June 15, 2008 22:32:38 - 11:37:48
Computer name: SIMON
Scanning type: Scan system for malware, rootkits
Target: C:\
________________________________________
Result: 2 malware found
Tracking Cookie (spyware)
• System
Trojan:W32/Agent.FHZ (virus)
• C:\SYSTEM VOLUME INFORMATION\_RESTORE{28C8C62D-8626-43A5-9641-5ACE7EDB37B5}\RP8\A0000190.EXE (Submitted)
________________________________________
Statistics
Scanned:
• Files: 47970
• System: 3627
• Not scanned: 125
Actions:
• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 2
• Submitted: 1
Files not scanned:
• C:\HIBERFIL.SYS
• C:\PAGEFILE.SYS
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• C:\WINDOWS\SYSTEM32\CONFIG\SAM
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
• C:\WINDOWS\$NTUNINSTALLQ828026$\WMP.DLL
• C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
• C:\WINDOWS\$NTUNINSTALLKB839645$\SHELL32.DLL
• C:\WINDOWS\$NTUNINSTALLKB839645$\SHLWAPI.DLL
• C:\WINDOWS\$NTUNINSTALLKB839645$\SXS.DLL
• C:\WINDOWS\$NTUNINSTALLKB839645$\XPSP2RES.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCL40.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\MSJET40.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOL1.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOLEDB40.DLL
• C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTES40.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\CMDEVTGPROV.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\EVTGPROV.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
• C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
• C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
• C:\WINDOWS\$NTUNINSTALLKB835732$\XPSP2RES.DLL
• C:\WINDOWS\$NTUNINSTALLKB833998$\SHELL32.DLL
• C:\WINDOWS\$NTUNINSTALLKB833998$\SXS.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\DAO360.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\EXPSRV.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSEXCH40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSEXCL40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJET40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJETOL1.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJETOLEDB40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJINT40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJTER40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSJTES40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSLTUS40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSPBDE40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSRD2X40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSRD3X40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSREPL40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSTEXT40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSWDAT10.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSWSTR10.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\MSXBDE40.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\VBAJET32.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
• C:\WINDOWS\$NTUNINSTALLKB829558$\VBAJET32.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
• C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL
• C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
________________________________________
Options
Scanning engines:
• F-Secure USS: 2.30.0
• F-Secure Hydra: 2.8.8110, 2008-06-15
• F-Secure AVP: 7.0.171, 2008-06-16
• F-Secure Pegasus: 1.20.0, 2008-04-14
• F-Secure Blacklight: 1.0.68
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
• Use Advanced heuristics



Thanks again,

quartz54

Edited by quartz54, 16 June 2008 - 01:48 PM.


#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 16 June 2008 - 02:12 PM

Hi quartz54. That looks good. Just a couple of leftover registry entries to take care of:

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> AXPFixer -> %ProgramFiles%\AXPFixer\AXPFixer.exe [C:\Program Files\AXPFixer\AXPFixer.exe]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Aim6 -> []

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

Close Notepad and OTScanIt.

Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
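The two Run-key removals OldTimer has OTScanIt perform in the post above, as an added example that is not part of the original thread and not OTScanIt's own code: a PowerShell script that lists every value under the HKLM and HKCU Run keys named in the fix, resolves the executable each one launches, flags values whose executable no longer exists (the empty Aim6 value is exactly that case), and removes named values only after exporting the key with reg.exe so the change can be undone. It assumes Windows PowerShell 5.1 run from an elevated prompt; the value names AXPFixer and Aim6 come from the fix, while the function names, the backup folder and the -Orphaned option are assumptions of this example. It goes beyond the fix by flagging orphaned Run values in general, not just the two listed.

```powershell
# Added example (not from the original thread or OTScanIt). Audits the two Run
# keys targeted by the fix above and removes leftover values after a backup.
# Assumptions: Windows PowerShell 5.1, elevated. Value names 'AXPFixer' and
# 'Aim6' are from the fix; function names, $BackupDir and -Orphaned are
# hypothetical choices made for this example.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable out of a Run value's command line, e.g.
#   "C:\Program Files\X\x.exe" /silent  ->  C:\Program Files\X\x.exe
# Returns $null for an empty value (the Aim6 -> [] case in the fix).
function Get-RunTarget {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first executable extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# One object per Run value: where it lives, what it runs, and whether that
# file still exists (bare names such as rundll32.exe are resolved via PATH).
function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $raw = $item.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $target = Get-RunTarget $raw
            $exists = $false
            if ($null -ne $target -and $target -ne '') {
                $exists = (Test-Path -LiteralPath $target) -or
                          [bool](Get-Command $target -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $raw
                Target  = $target
                Exists  = $exists
            }
        }
    }
}

# Remove Run values by name, or every value whose executable is missing
# (-Orphaned). Each key is exported with reg.exe before anything is deleted.
function Remove-RunEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Name = @(),
        [switch]$Orphaned,
        [string]$BackupDir = "$env:SystemDrive\RunKeyBackup"   # hypothetical location
    )
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    foreach ($e in Get-RunEntries) {
        $hit = ($Name -contains $e.Name) -or ($Orphaned -and -not $e.Exists)
        if (-not $hit) { continue }
        if ($PSCmdlet.ShouldProcess("$($e.Key)\$($e.Name)", 'Remove Run value')) {
            $regPath = $e.Key -replace ':', ''          # HKLM:\... -> HKLM\... for reg.exe
            $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
            $hive    = $regPath.Split('\')[0]
            & reg.exe export $regPath (Join-Path $BackupDir "$hive-Run-$stamp.reg") /y | Out-Null
            Remove-ItemProperty -Path $e.Key -Name $e.Name
            Write-Host "Removed $($e.Key)\$($e.Name) -> $($e.Command)"
        }
    }
}

# Review first, then apply the same two removals the OTScanIt fix makes.
Get-RunEntries | Format-Table Name, Exists, Command -AutoSize
Remove-RunEntry -Name 'AXPFixer', 'Aim6' -WhatIf   # dry run: shows what would go
# Remove-RunEntry -Name 'AXPFixer', 'Aim6'          # real run
# Remove-RunEntry -Orphaned -WhatIf                 # list every value whose file is gone
```

An orphaned value is not proof of malware, only of something that was removed without cleaning up after itself, so read the dry-run output before dropping -WhatIf. The two Run keys are also just one autostart location; RunOnce, the Winlogon keys, services and scheduled tasks can carry the same kind of leftover and are not touched by this script, and on a 64-bit Windows the Wow6432Node copy of the Run key would need to be added to $RunKeys.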




