Vundo.gen!h, .gen!m Infection


This topic is locked
6 replies to this topic

#1 nop_90

  • Members
  • 6 posts

Posted 16 June 2008 - 08:54 PM

Greets to all.

System Info: 3.2Ghz P4 /w 3G ram, XP Pro version 2002 SP2, IE 6.0.2900, Norton SystemWorks 2007.

I infected this XP machine, and then my Vista laptop, by carelessly opening a crack file...yeah, I know, I know. Lesson learned.

The infection manifested itself as a loss of desktop in XP, then a massive slowdown, frequent popup ad displays, and what appeared to be a filtering of URL searches related to solving the problem, such as MS Update, and ComboFix searches.

MS Update would not run to completion.

Norton scans didn't identify a problem.

MS OneCare safety scanner identified the original infection as vundo.gen!H.
I read about it on the net, prior to locating this site, and eventually tried the Norton vundo cleaner from their website. It appeared to have no effect.

I read that vundo could attach itself to the explorer.exe file and affect the desktop, so I got the bright idea to repair/reinstall XP from the install cd.
During the next couple of XP repair attempts, I began to get the following series of three messages, relating to a problem with svchost.exe. I suspect this might be related to the virus, but am not sure.

I get these three messages during windows bootup and shutdown:

Message 1:
Data Execution Prevention - MS Windows
To help protect your computer, windows has closed the program.
Name: Generic Host Process for Win32 Services.
Publisher: MS Corp.

followed by...
Message 2:
Generic Host Process for Win32 Services
Generic Host Process for Win32 Services encountered a problem and needed to close.
Tell MS about the problem?
Etc, etc.

then...
Message 3:
svchost.exe - Application Error
Instruction XXX referred to memory at 0x00. The memory could not be written.

Because I was getting these messages during XP repair/install, I questioned the integrity of the installation, so I've made no effort to do all of the updates of XP or IE until the Windows error messages are eliminated.

After scanning with AdwareAlert, SpyHunter3, SpywareDoctor, and MS OneCare, and attempting various repairs offered by these products, I had been unable to remove the infection, and these applications began to detect additional infections such as kazza, vundo.gen!H and .gen!M, bifrose, and sinowal.

After discovering BleepingComputer.com, and reading about ComboFix...but before I discovered all of the available documentation on the solution process here with the warning not to, I ran ComboFix. I seem to have gotten lucky, as it seems to have fixed a major portion of the problem. The system is very fast, with no popups, or URL interference. The desktop hasn't disappeared since, and the machine seems back to normal.

After ComboFix, I ran MS OneCare again and detected 12 infections, all vundo as I recall.
I allowed OneCare to clean them, it did, and it then retests as clean. SpyHunter finds no infections, only cookies. AdwareAlert still identifies as many as 70 infections.

I have a HijackThis log from before I ran ComboFix, if that might prove useful, and the log obtained after ComboFix is provided below.

After running ComboFix, and with great improvement to system operation, I'm submitting the KASPERSKY and Deckard's logs below for review.

Thanks in advance for any assistance you might be able to offer.

Nop_90


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 14:33:21
Records in database: 872820
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\NAHydro\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 86782
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:40:55


File name / Threat name / Threats count
C:\Program Files\AdwareAlert\SpyCleaner.dll Infected: not-a-virus:FraudTool.Win32.SpywareStop.ae 1
C:\Program Files\AdwareAlert\TCL.dll Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.ev 1
C:\Program Files\AdwareAlert\zlib.dll Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.eu 1

The selected area was scanned.

Deckard's System Scanner v20071014.68
Run by NAHydro on 2008-06-16 13:14:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-16 20:14:58 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as NAHydro.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:33 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
D:\dss.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\NAHydro.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...site.cab?1213474528921
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b_site.cab?1187330779490
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: wvUnOFVp - wvUnOFVp.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9326 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"



-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R1 aslm75 - c:\windows\system32\drivers\aslm75.sys

S3 ngrpci (NETGEAR FA310TX Fast Ethernet Adapter Driver) - c:\windows\system32\drivers\ngrpci.sys (file missing)
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Speed Disk service - c:\progra~1\norton~2\norton~1\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&2E98101C&0&28F0
Manufacturer: Marvell
Name: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&2E98101C&0&28F0
Service: yukonwxp


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 12:00:09 312 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
2008-06-16 10:01:18 500 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-06-13 22:12:56 534 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - NAHydro.job
2007-12-19 18:20:40 294 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 13:12:43 0 d-------- C:\WINDOWS\LastGood
2008-06-16 01:33:36 0 d-------- C:\WINDOWS\Sun
2008-06-16 01:33:36 0 d-------- C:\Documents and Settings\NAHydro\Application Data\Sun
2008-06-16 01:31:28 0 d-------- C:\Program Files\Java
2008-06-16 01:30:40 0 d-------- C:\Program Files\Common Files\Java
2008-06-15 15:42:02 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-15 15:36:45 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 15:36:45 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 15:36:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-15 15:36:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 15:36:45 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 15:36:45 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 15:36:45 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 15:36:45 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 15:27:19 0 dr-hs---- C:\cmdcons
2008-06-15 15:27:16 0 d-------- C:\WINDOWS\setup.pss
2008-06-15 15:27:03 0 d-------- C:\WINDOWS\setupupd
2008-06-15 14:32:02 0 d-------- C:\Program Files\Trend Micro
2008-06-14 21:05:54 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-14 20:03:04 0 d-------- C:\Documents and Settings\NAHydro\Application Data\AdwareAlert
2008-06-14 20:02:54 0 d-------- C:\Program Files\AdwareAlert
2008-06-14 17:19:45 0 d-------- C:\Program Files\Enigma Software Group
2008-06-14 17:15:43 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-14 15:38:43 0 d-------- C:\Program Files\Spyware Doctor
2008-06-14 15:38:43 0 d-------- C:\Documents and Settings\NAHydro\Application Data\PC Tools
2008-06-14 14:57:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-14 13:02:54 0 d-------- C:\WINDOWS\Prefetch
2008-06-12 18:45:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-12 18:44:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-12 18:36:54 0 d--hs---- C:\WINDOWS\CSC
2008-06-12 17:16:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-12 17:16:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-12 17:16:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-12 17:16:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-12 17:16:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-12 17:16:45 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-12 17:16:45 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-12 17:16:45 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-12 17:16:45 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-12 17:16:45 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-12 17:16:45 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-12 17:16:45 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-12 17:16:45 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-12 17:16:45 0 d--h----- C:\Documents and Settings\Administrator\Local Settings


-- Find3M Report ---------------------------------------------------------------

2008-06-16 01:30:40 0 d-------- C:\Program Files\Common Files
2008-06-14 15:18:59 0 d-------- C:\Documents and Settings\NAHydro\Application Data\GrabIt
2008-06-14 13:45:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-14 12:50:17 23376 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-13 15:19:28 0 d-------- C:\Program Files\Symantec
2008-06-13 10:44:14 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-02 13:00:08 0 d-------- C:\Program Files\Norton SystemWorks Premier
2008-05-04 18:18:32 0 d-------- C:\Documents and Settings\NAHydro\Application Data\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [12/13/2007 09:49 AM 1185120]

[-HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 07:30 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01/15/2008 03:54 PM]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [06/18/2002 02:01 AM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [09/05/2006 12:22 PM]
"NSWosCheck"="C:\Program Files\Norton SystemWorks Premier\osCheck.exe" [12/03/2007 02:41 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 05:15 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/27/2006 04:38 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SoundMan"="SOUNDMAN.EXE" [04/16/2007 04:28 PM C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [10/4/2007 3:21:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 04/27/2007 01:10 PM 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOFVp]
wvUnOFVp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f91a138-de68-11dc-9546-0011d8ecb40c}]




-- End of Deckard's System Scanner: finished at 2008-06-16 13:16:59 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2047.23 MiB / 1559.86 MiB
Pagefile Memory (total/avail): 3943.64 MiB / 3615 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.77 MiB

C: is Fixed (NTFS) - 74.54 GiB total, 36.52 GiB free.
D: is Fixed (NTFS) - 298.09 GiB total, 151.15 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L080J4 - 74.55 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.54 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD3200AAJS-00YFA0 - 298.09 GiB - 1 partition
\PARTITION0 - Installable File System - 298.09 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Norton AntiVirus v2007 (Symantec Corporation)
AV: Norton AntiVirus v2007 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\HPZinw12.exe"="C:\\WINDOWS\\system32\\HPZinw12.exe:*:Enabled:HPZinw12.exe"
"C:\\WINDOWS\\system32\\HPZipm12.exe"="C:\\WINDOWS\\system32\\HPZipm12.exe:*:Enabled:HPZipm12.exe"
"C:\\Program Files\\Agent\\agent.exe"="C:\\Program Files\\Agent\\agent.exe:*:Enabled:Agent"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Enabled:pcAnywhere Host"
"D:\\TurboTax\\tax2007\\TurboTax Home & Business 2007\\32bit\\ttax.exe"="D:\\TurboTax\\tax2007\\TurboTax Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"D:\\TurboTax\\tax2007\\TurboTax Home & Business 2007\\32bit\\updatemgr.exe"="D:\\TurboTax\\tax2007\\TurboTax Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\NAHydro\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\NAHydro
LOGONSERVER=\\DESKTOP
MINGDIR=C:\MinGW
MSVCDir=c:\program files\microsoft visual studio 8\vc
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NAHydro\LOCALS~1\Temp
TMP=C:\DOCUME~1\NAHydro\LOCALS~1\Temp
USERDOMAIN=DESKTOP
USERNAME=NAHydro
USERPROFILE=C:\Documents and Settings\NAHydro
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

NAHydro (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {60E971B7-51A0-48CA-8687-C6B8F094A409}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2001 TurboTax Home & Business --> d:\turbotax\tax2001\TaxUnst.EXE "d:\turbotax\tax2001\Uninstall.log" -NoGui
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AdwareAlert --> MsiExec.exe /X{4C55A701-56BF-49E3-8BA3-8216C006B0E7}
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
ASUS Probe V2.23.03 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2008 - English --> C:\Program Files\AutoCAD 2008\Setup\Setup.exe /P {5783F2D7-6001-0409-0002-0060B0CE6BBA} /M ACAD
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Connection Keep Alive --> MsiExec.exe /I{77364F85-6219-4CB8-AAA0-6D53368D683D}
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Designjet Software & Driver Installation Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21E6C8E8-C2DF-46B9-8C50-3538C26AEDCC}\IS_SETUP.EXE" -l0x9
EZdrummer --> MsiExec.exe /I{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}
EZXCocktail --> MsiExec.exe /I{147567F0-8575-4BE0-B5B3-62706C67FA5A}
EZXVintage --> MsiExec.exe /I{430399DC-98BC-4A7F-8F8E-77981CABAE05}
Finale 2008 --> C:\Program Files\Finale 2008\uninstallFinale.exe
Forté Agent --> C:\PROGRA~1\Agent\UNWISE.EXE C:\PROGRA~1\Agent\INSTALL.LOG "Uninstall Forté Agent"
Garritan Instruments for Finale --> C:\Program Files\Garritan Instruments for Finale\uninstallGarritan.exe
GnuWin32: FreeType-2.3.5 --> "C:\Program Files\GnuWin32\uninstall\unins001.exe"
GrabIt 1.7.1 Beta (build 960) --> "C:\Program Files\GrabIt\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
IsoBuster 2.1 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
ItsDeductible Express --> MsiExec.exe /X{36495C59-089C-49D1-BD15-9E5BD86DC9A1}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
MGI PhotoSuite SE (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\PhotoSuite SE\Uninst.isu"
MGI VideoWave SE+ (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\MGI VideoWave\Uninst.isu"
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
MinGW 5.1.3 --> C:\MinGW\uninst.exe
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSRedist --> MsiExec.exe /I{D1725BDB-BA2B-4503-A8CB-F5C835D743FA}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Setup.exe" -l0x9 AddRemoveCPRun
Nikon View 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}\setup.exe" UNINSTALL
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_5_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Cleanup --> MsiExec.exe /I{CA31120D-2101-484D-9FF1-195DE96FE346}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Norton SystemWorks --> MsiExec.exe /I{9E23C48E-5483-4971-BA50-089F2FABCD66}
Norton SystemWorks (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}\{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}.exe" /X
Norton SystemWorks Premier --> MsiExec.exe /I{B9807C3D-B3DD-41B7-8321-53DDB3A3A888}
Norton Utilities --> MsiExec.exe /I{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}
PC Authorize --> C:\WINDOWS\uninst.exe -fC:\Tellan\PCAuth\DeIsL1.isu
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
RealLegal E-Transcript Viewer --> MsiExec.exe /X{2D0F506B-05E1-4492-8E65-FA13A4E77A21}
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Reason 4.0 --> "C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
Retrospect 7.5 --> MsiExec.exe /I{92596597-71B3-4608-8628-AD48F2664EB9}
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {94E2AAC1-CAE5-4F73-B0D1-C471BA1F8E2A} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec pcAnywhere --> MsiExec.exe /I{12118183-866A-11D3-97DF-0000F8D8F2E9}
Toontrack solo --> MsiExec.exe /I{5866520C-8857-4986-833A-039F4584C3F7}
TurboTax Home & Business 2006 --> D:\TurboTax\tax2006\TurboTax Home & Business 2006\TaxUnst.EXE "D:\TurboTax\tax2006\TurboTax Home & Business 2006\Uninstall.log" -NoGui
TurboTax Home & Business 2007 --> D:\TurboTax\tax2007\TurboTax Home & Business 2007\TaxUnst.EXE "D:\TurboTax\tax2007\TurboTax Home & Business 2007\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
TurboTax Premier 2004 --> D:\TurboTax\tax2004\TaxUnst.EXE "D:\TurboTax\tax2004\Uninstall.log" -NoGui
TurboTax Premier 2005 --> D:\TurboTax\tax2005\TurboTax Premier 2005\TaxUnst.EXE "D:\TurboTax\tax2005\TurboTax Premier 2005\Uninstall.log" -NoGui
TurboTax Premier Home & Business 2002 --> d:\turbotax\tax2002\TaxUnst.EXE "d:\turbotax\tax2002\Uninstall.log" -NoGui
TurboTax Premier Home & Business 2003 --> D:\TurboTax\tax2003\TaxUnst.EXE "D:\TurboTax\tax2003\Uninstall.log" -NoGui
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
VERITAS RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
VERITAS RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
VERITAS Simple Backup --> MsiExec.exe /I{60E971B7-51A0-48CA-8687-C6B8F094A409}
Voice Editor --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Winbond\Voice Editor\DeIsL1.isu" -c"C:\Program Files\Winbond\Voice Editor\_ISREG32.DLL"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Toolbar for Internet Explorer --> "C:\Program Files\Winamp Toolbar\uninstall.exe"
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type31830 / Error
Event Submitted/Written: 06/15/2008 09:07:03 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x009d06d1.
Processing media-specific event for [svchost.exe!ws!]

Event Record #/Type31829 / Error
Event Submitted/Written: 06/15/2008 09:05:47 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00dd06d1.
Error in creating result PEAP-TLV in response to received PEAP-TLV (svchost.exe!ld!)

Event Record #/Type31822 / Warning
Event Submitted/Written: 06/15/2008 09:03:14 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type31820 / Error
Event Submitted/Written: 06/15/2008 09:03:06 AM
Event ID/Source: 17204 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf for file number 2. OS error: 5(Access is denied.).

Event Record #/Type31819 / Error
Event Submitted/Written: 06/15/2008 09:03:06 AM
Event ID/Source: 17207 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open: Operating system error 5(Access is denied.) occurred while creating or opening file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf'. Diagnose and correct the operating system error, and retry the operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29151 / Error
Event Submitted/Written: 06/16/2008 01:30:55 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type29136 / Error
Event Submitted/Written: 06/16/2008 00:46:06 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register with DCOM within the required timeout.

Event Record #/Type29135 / Error
Event Submitted/Written: 06/16/2008 00:45:58 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type29120 / Error
Event Submitted/Written: 06/16/2008 00:45:32 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Windows Image Acquisition (WIA) service hung on starting.

Event Record #/Type29119 / Error
Event Submitted/Written: 06/16/2008 00:44:54 AM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The SQL Server (SQLEXPRESS) service terminated with service-specific error 3417 (0xD59).



-- End of Deckard's System Scanner: finished at 2008-06-16 13:16:59 ------------


#2 nop_90

nop_90
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 20 June 2008 - 01:03 AM

Looks like folks are pretty busy here, so I've tried to move on and try to fix this problem myself....wooo, vveerryy scary :thumbsup:

After going through the HJT and svchost tutorials, I was able to remove a couple of seemingly goofy entries in the log, which eliminated the XP messages about Data Execution Prevention and Application Errors. XP seems to be running normally, and both the Norton Internet Security and MS Malicious Software scans are clean.

If I could trouble someone to give a quick look at the current HJT log below for any additional problems, I would appreciate it.

Thanks,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:19 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213474528921
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187330779490
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9921 bytes

#3 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:06:09 AM

Posted 20 June 2008 - 02:53 PM

Hi there,
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

Edited by rookie147, 20 June 2008 - 02:54 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 nop_90

nop_90
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:09 PM

Posted 20 June 2008 - 05:23 PM

Thanks in advance for taking a look.

ComboFix log:

ComboFix 08-06-20.1 - NAHydro 2008-06-20 16:08:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1525 [GMT -7:00]
Running from: C:\Documents and Settings\NAHydro\Desktop\cf.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 15:25 . 2008-06-20 15:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-19 19:02 . 2008-06-19 19:02 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-19 00:52 . 2008-06-19 00:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-19 00:52 . 2008-06-19 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 13:14 . 2008-06-16 13:14 <DIR> d-------- C:\Deckard
2008-06-16 01:33 . 2008-06-16 01:33 <DIR> d-------- C:\WINDOWS\Sun
2008-06-16 01:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-16 01:31 . 2008-06-16 01:32 <DIR> d-------- C:\Program Files\Java
2008-06-16 01:30 . 2008-06-16 01:30 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-15 14:32 . 2008-06-15 14:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 21:05 . 2008-06-15 16:22 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-14 20:55 . 2008-06-14 20:56 <DIR> d-------- C:\ComboFix
2008-06-14 17:19 . 2008-06-19 16:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-14 17:15 . 2008-06-14 17:15 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-06-14 14:57 . 2008-06-19 16:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-14 12:58 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-06-14 12:58 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-06-14 12:56 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-14 12:55 . 2004-08-04 05:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-06-14 12:52 . 2008-06-14 12:52 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-14 12:52 . 2008-06-14 12:52 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-14 12:52 . 2008-06-14 12:52 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-06-14 12:52 . 2008-06-14 12:52 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-06-14 12:52 . 2008-06-14 12:52 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-06-14 12:52 . 2008-06-14 12:52 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-12 22:26 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SET4E.tmp
2008-06-12 22:26 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SET4B.tmp
2008-06-12 22:26 . 2004-08-04 05:00 13,753 -ra------ C:\WINDOWS\SET5A.tmp
2008-06-12 21:32 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SETBA.tmp
2008-06-12 21:32 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SETB7.tmp
2008-06-12 21:32 . 2004-08-04 05:00 13,753 -ra------ C:\WINDOWS\SETC6.tmp
2008-06-12 18:46 . 2008-06-05 18:59 1,396,264 --a------ C:\TEMP\WindowsXP-KB948277-x86-ENU.exe
2008-06-12 17:16 . 2008-06-14 17:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-04 19:32 . 2008-06-04 19:33 1,220 --a------ C:\WINDOWS\DESGNJT2.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 23:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 22:53 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-19 22:53 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-19 22:53 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-19 22:53 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-19 22:53 --------- d-----w C:\Program Files\Symantec
2008-06-14 22:18 --------- d-----w C:\Documents and Settings\NAHydro\Application Data\GrabIt
2008-06-13 17:44 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-02 20:00 --------- d-----w C:\Program Files\Norton SystemWorks Premier
2008-05-05 01:18 --------- d-----w C:\Documents and Settings\NAHydro\Application Data\U3
2008-04-21 21:52 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-04-21 21:52 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-04-21 21:52 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-04-21 21:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-04-21 21:52 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-04-21 21:52 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-04-21 21:52 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-04-21 21:52 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-04-21 21:52 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
1998-08-24 20:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_15.53.43.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 22:45:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 22:22:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-09-03 17:14:10 578,848 ----a-w C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
+ 2007-09-03 16:14:10 578,848 ----a-w C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 2008-06-20 22:26:54 3,134 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{432E6A36-C031-4161-8215-53311D3C2244}.bin
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-10-11 22:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-21 01:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 09:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 09:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 19:30 517768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 15:54 37376]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 02:01 155648]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 12:22 26248]
"NSWosCheck"="C:\Program Files\Norton SystemWorks Premier\osCheck.exe" [2007-12-03 02:41 25472]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-27 16:38 107112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2007-10-04 15:21:24 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\HPZinw12.exe"=
"C:\\WINDOWS\\system32\\HPZipm12.exe"=
"C:\\Program Files\\Agent\\agent.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9220:TCP"= 9220:TCP:port9220
"9500:TCP"= 9500:TCP:port9500
"9290:TCP"= 9290:TCP:port9290
"161:UDP"= 161:UDP:port161
"427:UDP"= 427:UDP:port427
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 01:20:40 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- c:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-06-14 05:12:56 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - NAHydro.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
"2008-06-16 19:00:09 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks Premier\OBC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 16:11:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 16:13:04
ComboFix-quarantined-files.txt 2008-06-20 23:12:34
ComboFix2.txt 2008-06-15 22:54:26

Pre-Run: 35,947,241,472 bytes free
Post-Run: 36,026,798,080 bytes free

185 --- E O F --- 2008-06-20 19:16:19

Fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:07 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] C:\Program Files\Norton SystemWorks Premier\osCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213474528921
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187330779490
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9461 bytes

#5 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 21 June 2008 - 04:26 PM

Good job, you've removed all of the malware from the PC :thumbsup:
Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programmes:
Ad-Aware 2008
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#6 nop_90

nop_90
  • Topic Starter

  • Members
  • 6 posts

Posted 22 June 2008 - 02:32 PM

Charles:

Thanks for your help.

I've picked up some great skills from this website, and will remain a regular.

Now, since Gratitude is the shortest-lived human emotion, I'm gonna TAP that donation button to demonstrate mine.

Best regards,

nop_90

#7 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 23 June 2008 - 02:56 PM

Thank you very much for the kind donation. :thumbsup:
Since this issue has been resolved, I will now close this topic.

If you are pleased with the service I have offered, you may like to consider making a donation.
