Need Help Removing Trojans


  • This topic is locked
17 replies to this topic

#1 kathi

  • Members
  • 38 posts

Posted 22 June 2008 - 09:36 AM

I ended up with what appears to be a range of trojans. It seems to have started with one by the name of crypt? In any case, I'm now experiencing attempts to hijack my browser. I'll type in one thing and a different page comes up. The following are the DSS, HijackThis and Kaspersky logs. I appreciate any help you can provide!

Thanks

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-22 09:25:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
35: 2008-06-22 05:41:06 UTC - RP35 - Installed Windows XP Service Pack 2.
34: 2008-06-22 05:33:10 UTC - RP34 - Software Distribution Service 3.0
33: 2008-06-22 05:19:31 UTC - RP33 - Removed Java 2 Runtime Environment, SE v1.4.1_02
32: 2008-06-21 13:21:38 UTC - RP32 - System Checkpoint
31: 2008-06-20 12:09:05 UTC - RP31 - System Checkpoint


-- First Restore Point --
1: 2008-05-17 17:19:54 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:49 AM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\msdtc.exe
C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\iqdnedhj.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Desktop\dss.exe
C:\WINDOWS\system32\dumprep.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhww.exe] C:\WINDOWS\system32\kdhww.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SnapDetect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5461 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\21.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 08:46:03 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-04-23 11:32:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-22 00:54:49 0 d-------- C:\WINDOWS\Prefetch
2008-06-22 00:23:08 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Sun
2008-06-21 19:52:51 0 dr-h----- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Recent
2008-06-21 15:51:07 39424 --a------ C:\WINDOWS\system32\drivers\svchost.exe
2008-06-17 21:02:09 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-17 21:00:53 0 d-------- C:\WINDOWS\system32\bits
2008-06-15 22:54:32 0 d-------- C:\Program Files\Trend Micro
2008-06-15 22:44:40 0 d-------- C:\Program Files\CCleaner
2008-06-15 22:44:06 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Intuit
2008-06-15 22:22:57 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-15 22:10:45 0 d-------- C:\Program Files\CodeStuff
2008-06-15 11:54:26 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Stamps.com Internet Postage
2008-06-15 11:53:42 0 d-------- C:\Documents and Settings\All Users\Application Data\{C7B40389-4FE2-4940-B140-D97CCA92EDA6}
2008-06-15 11:53:16 36 --ah----- C:\WINDOWS\system32\f9t.dat
2008-06-15 11:53:16 0 d-------- C:\Program Files\Stamps.com Internet Postage
2008-06-14 17:07:30 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Template
2008-06-14 16:56:08 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\.jpi_cache
2008-06-14 16:56:08 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\.java
2008-06-07 16:54:40 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2008-06-07 16:54:40 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2008-06-07 16:54:40 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2008-06-07 16:54:40 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-06-07 16:54:40 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2008-06-07 16:54:40 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2008-06-07 16:49:41 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\HP
2008-05-26 23:09:16 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Template
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\WINDOWS
2008-05-26 22:11:43 0 d--h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Templates
2008-05-26 22:11:43 0 dr------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Start Menu
2008-05-26 22:11:43 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\SendTo
2008-05-26 22:11:43 0 d--h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Recent
2008-05-26 22:11:43 0 d--h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\PrintHood
2008-05-26 22:11:43 0 d--h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\NetHood
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\My Documents
2008-05-26 22:11:43 0 d--h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Local Settings
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Favorites
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Desktop
2008-05-26 22:11:43 0 d---s---- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Cookies
2008-05-26 22:11:43 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Symantec
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Sonic
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\SampleView
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Real
2008-05-26 22:11:43 0 d---s---- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Microsoft
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\interMute
2008-05-26 22:11:43 0 d-------- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\Application Data\Identities
2008-05-26 22:11:42 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-LK4RLMSU41\NTUSER.DAT
2008-05-26 22:09:37 0 d-------- C:\WINDOWS\pss
2008-05-26 22:03:12 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Motive
2008-05-26 17:28:45 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Macromedia
2008-05-26 17:28:45 0 d-------- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data\Adobe
2008-05-26 17:01:29 53248 --a------ C:\WINDOWS\AolCInUn.exe <Not Verified; Gtek; Gtek AolCInUn>
2008-05-26 17:01:08 0 d-------- C:\Program Files\America Online 8.0a
2008-05-26 16:31:19 153088 --a------ C:\WINDOWS\system32\jgdwmie.dll <Not Verified; America Online; JG Decoder>
2008-05-26 16:31:19 54784 --a------ C:\WINDOWS\system32\Inetwh32.dll <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2008-05-26 16:31:19 24646 --a------ C:\WINDOWS\system32\aolddial.dll <Not Verified; America Online; AOLDDial Custom Dialer Module>
2008-05-26 16:31:18 1044480 --a------ C:\WINDOWS\system32\roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2008-05-26 16:31:11 0 d-------- C:\Program Files\America Online 7.0a
2008-05-26 09:26:21 0 d-------- C:\WUTemp
2008-05-23 06:11:22 0 d---s---- C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\UserData


-- Find3M Report ---------------------------------------------------------------

2008-06-22 01:00:27 0 d-------- C:\Program Files\Java
2008-06-22 00:45:55 0 d-------- C:\Program Files\Messenger
2008-06-22 00:45:28 0 d-------- C:\Program Files\Movie Maker
2008-06-22 00:44:55 0 d-------- C:\Program Files\Windows NT
2008-06-15 22:21:20 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-15 12:10:13 0 d-------- C:\Program Files\Lavasoft
2008-06-15 12:09:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 11:52:04 112972 --a----c- C:\WINDOWS\hpoins07.dat
2008-06-11 23:18:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-11 23:18:02 0 d-------- C:\Program Files\Symantec
2008-06-11 23:14:57 0 d-------- C:\Program Files\Easy Internet signup
2008-06-11 23:13:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 17:01:28 0 d-------- C:\Program Files\Common Files\aolshare
2008-05-26 17:01:23 239 --a----c- C:\WINDOWS\PowerReg.dat
2008-05-26 17:01:18 0 d-------- C:\Program Files\Common Files\AOL
2008-05-26 16:27:17 1615 --a----c- C:\WINDOWS\eReg.dat
2008-05-23 06:11:17 0 d-------- C:\Program Files\America Online 7.0
2008-05-17 12:19:29 0 d-------- C:\Program Files\Common Files
2008-05-17 12:14:37 0 --a------ C:\WINDOWS\system32\iAlmcoin.dll
2008-04-30 23:17:51 0 d-------- C:\Program Files\Internet Content Filter
2008-04-30 22:49:45 0 d-------- C:\Program Files\SurfControl
2008-04-24 21:17:37 0 d-------- C:\Program Files\Maxis


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 09:07 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 10:01 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/24/2003 04:36 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 11:42 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [05/03/2003 01:19 AM]
"nwiz"="nwiz.exe" [05/03/2003 01:19 AM C:\WINDOWS\system32\nwiz.exe]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [06/17/2003 08:13 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/31/2002 10:28 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [02/24/2003 08:51 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"WMDM PMSP Service"="C:\WINDOWS\system32\cssrss.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"C:\WINDOWS\system32\kdhww.exe"="C:\WINDOWS\system32\kdhww.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [06/21/2008 03:51 PM]
"ieupdate"="C:\WINDOWS\system32\ieupdates.exe" []

C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [7/26/2003 3:57:44 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 7.0 Tray Icon.lnk - C:\Program Files\America Online 7.0a\aoltray.exe [5/26/2008 4:31:11 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdhww.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 05:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - DCOMLAUNCH
*Newly Created Service* - FLTMGR
*Newly Created Service* - HTTP
*Newly Created Service* - WS2IFSL
*Newly Created Service* - WSCSVC



-- End of Deckard's System Scanner: finished at 2008-06-22 09:29:16 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.50GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 246.98 MiB / 123.82 MiB
Pagefile Memory (total/avail): 605.81 MiB / 389.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.88 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 69.89 GiB total, 40.37 GiB free.
D: is Fixed (FAT32) - 6.42 GiB total, 2.34 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 2 partitions
\PARTITION0 - Unknown - 6.43 GiB - D:
\PARTITION1 (bootable) - Installable File System - 69.89 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\msvupdater.exe"="C:\\WINDOWS\\msvupdater.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-LK4RLMSU41
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner.YOUR-LK4RLMSU41.000
LOGONSERVER=\\YOUR-LK4RLMSU41
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp
TMP=C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp
USERDOMAIN=YOUR-LK4RLMSU41
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner.YOUR-LK4RLMSU41.000
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner.YOUR-LK4RLMSU41.000 (admin)
Administrator.YOUR-LK4RLMSU41 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album Starter Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{483616D1-867E-46F8-BEC7-3C6475933908}\apxp.ex_" -l0x9
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Coach Version 1.0(Build:20020929.1) --> C:\WINDOWS\AolCInUn.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CodeStuff Starter --> "C:\Program Files\CodeStuff\Starter\unStarter.exe"
Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Instant Support --> C:\PROGRA~1\INSTAN~1\UNWISE.EXE C:\PROGRA~1\INSTAN~1\INSTALL.LOG
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
NVIDIA Gart Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Roll --> C:\WINDOWS\UniFish3.exe C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\RollerCoaster Tycoon.log
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8567FC11-B0BF-49CD-9EF0-959413FA103D\Uninstall.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
Stamps.com --> "C:\Documents and Settings\All Users\Application Data\{C7B40389-4FE2-4940-B140-D97CCA92EDA6}\stamps.exe" REMOVE=TRUE MODIFY=FALSE
STX from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75443238-3575-492C-9122-6A88DC3A2B75\Uninstall.exe"
The Sims Unleashed --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C32C567-DC0F-4C80-B06C-7873850A2E06}\setup.exe" -l0009
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
Virtual Warfare from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\EEDAA297-DFDF-436A-B977-D95EA63C907D\Uninstall.exe"
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
Yahoo! Companion --> regsvr32 /s /u C:\PROGRA~1\Yahoo!\Common\YCOMP5~1.DLL


-- Application Event Log -------------------------------------------------------

Event Record #/Type260 / Error
Event Submitted/Written: 06/22/2008 09:27:55 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Event Record #/Type257 / Error
Event Submitted/Written: 06/22/2008 09:27:32 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type242 / Warning
Event Submitted/Written: 06/22/2008 00:46:20 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type239 / Error
Event Submitted/Written: 06/21/2008 10:09:00 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 786229352.

Event Record #/Type238 / Error
Event Submitted/Written: 06/21/2008 10:09:00 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 786229352.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1561 / Warning
Event Submitted/Written: 06/22/2008 00:59:50 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1529 / Error
Event Submitted/Written: 06/22/2008 00:55:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type1504 / Error
Event Submitted/Written: 06/22/2008 00:23:34 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type1480 / Error
Event Submitted/Written: 06/21/2008 04:09:54 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type1455 / Error
Event Submitted/Written: 06/21/2008 06:54:06 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-22 09:29:16 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:02 AM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\msdtc.exe
C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\iqdnedhj.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdhww.exe] C:\WINDOWS\system32\kdhww.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SnapDetect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5440 bytes

Sunday, June 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 22, 2008 14:51:43
Records in database: 880200


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 158521
Threat name 5
Infected objects 10
Suspicious objects 0
Duration of the scan 03:01:43

File name Threat name Threats count
iqdnedhj.exe\iqdnedhj.exe/iqdnedhj.exe\iqdnedhj.exe Infected: Email-Worm.Win32.Zhelatin.aan 1

C:\Deckard\System Scanner\backup\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\ajipbkjn.exe Infected: Trojan-Downloader.Win32.Cntr.bv 1

C:\Deckard\System Scanner\backup\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\iqdnedhj.exe Infected: Trojan-Downloader.Win32.Cntr.bv 1

C:\Documents and Settings\Keely\Local Settings\Temporary Internet Files\Content.IE5\8J3VYK1T\install_iframe[1].jsp Infected: Trojan-Downloader.JS.Agent.kk 1

C:\Documents and Settings\Keely\Local Settings\Temporary Internet Files\Content.IE5\PKCR5XKL\CAN5P72M.jsp Infected: Trojan-Downloader.JS.Agent.kk 1

C:\Documents and Settings\Keely\Local Settings\Temporary Internet Files\Content.IE5\Y9BC587M\install_iframe[1].htm Infected: Trojan-Downloader.JS.Agent.kk 1

C:\hp\region\start-search\en_us-IE.reg Infected: Trojan.WinREG.StartPage 1

C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP2\A0000029.reg Infected: Trojan.WinREG.StartPage 1

C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP32\A0016472.exe Infected: Trojan.Win32.Monder.gen 1

C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP35\A0021212.exe Infected: Email-Worm.Win32.Zhelatin.aan 1

The selected area was scanned.

Edited by kathi, 22 June 2008 - 01:29 PM.



#2 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:42 PM

Posted 23 June 2008 - 05:24 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

I'm afraid I have unpleasant news for you. You have been severely infected by at least one backdoor trojan and others. A backdoor trojan allows outsiders complete access to every keystroke, account, and password you use while on this machine.

IF this computer has been used for any kind of important data, my best recommendation is to disconnect from the internet, reformat the entire drive and reinstall your operating system and applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. If that's the case, you could be subject to another attack or takeover as soon as you reconnect to the internet, even after removal of the infection.

The decision whether to reformat or not should be based on what you use the computer for. If the computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any applications (programs) or executable files (.dll, .exe, .scr, .bat, .cmd, .vbs, .sys). Those should be reinstalled from the original CD's or websites.
  • If you have used this computer for shopping, banking, or any transactions relating to your financial well being, call all of your banks, credit card companies and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords - for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

In your next reply, let me know how you want to proceed.
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.
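Simon's verdict above rests on entries in the HijackThis log kathi posted. The script below is an added example, not part of this thread and not HijackThis's own logic: it applies three generic indicators that analysts use when reading such a log (an executable running from a temporary directory, a filename one character away from a core Windows process name, and a core Windows process name located outside its normal directory). The sample lines are copied from the log posted above; the function names, the `CORE_PROCESSES` table and the heuristics themselves are this example's own.

```python
"""Heuristic triage of HijackThis 'Running processes' and O4 Run lines.

Added example for illustration; the indicator rules below are generic
analyst heuristics (constructed here), not rules from HijackThis itself.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Core Windows XP processes that malware commonly imitates, mapped to the
# directories (lower-cased, relative to the Windows directory) they live in.
CORE_PROCESSES: Dict[str, Set[str]] = {
    "smss.exe": {"system32"},
    "csrss.exe": {"system32"},
    "winlogon.exe": {"system32"},
    "services.exe": {"system32"},
    "lsass.exe": {"system32"},
    "svchost.exe": {"system32"},
    "spoolsv.exe": {"system32"},
    "explorer.exe": {""},  # sits directly in the Windows directory
}

TEMP_DIRS = {"temp", "tmp", "temporary internet files"}

# Sample lines, copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\drivers\svchost.exe",
    r"C:\DOCUME~1\OWNERY~1.000\LOCALS~1\Temp\iqdnedhj.exe",
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    r"O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe",
    r"O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe",
    r"O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE",
]

# Drive-letter path up to the first ".exe", optionally opened by a quote.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike names such as cssrss vs csrss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line: str) -> Optional[str]:
    """Return the executable path from a process line or an O4 Run entry."""
    target = line
    if line.startswith("O4 - "):
        # O4 lines look like: O4 - HKLM\..\Run: [Name] "C:\dir\prog.exe" /args
        _, _, target = line.partition("] ")
    m = PATH_RE.search(target)
    return m.group(1) if m else None


def _relative_to_windows(path: str) -> Optional[str]:
    """Directory of path relative to the Windows directory, None if not under it."""
    dirs = [p.lower() for p in path.split("\\")[:-1]]
    if "windows" not in dirs:
        return None
    return "\\".join(dirs[dirs.index("windows") + 1:])


def analyse_path(path: str) -> List[str]:
    """Apply the three indicator checks to one executable path."""
    reasons: List[str] = []
    parts = path.split("\\")
    name = parts[-1].lower()
    if any(d.lower() in TEMP_DIRS for d in parts[:-1]):
        reasons.append("executable running from a temporary directory")
    if name in CORE_PROCESSES:
        if _relative_to_windows(path) not in CORE_PROCESSES[name]:
            reasons.append(f"core Windows name {name} outside its expected directory")
    else:
        for core in CORE_PROCESSES:
            if levenshtein(name, core) == 1:
                reasons.append(f"filename {name} is one character away from {core}")
                break
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every line that trips an indicator."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        path = extract_path(line.strip())
        if path:
            findings.extend((path, reason) for reason in analyse_path(path))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LINES):
        print(f"{path}\n    {reason}")
```

A hit from this script is a reason to look closer, not a verdict: vendor software does occasionally ship a file under an odd directory, so each flagged path still needs confirmation, which in this thread the Kaspersky scan supplied for the Temp executable.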

#3 kathi

kathi
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 23 June 2008 - 08:41 PM

Simon,

Sigh...this is really not what I wanted to hear, but I'm glad that you are able to help. My first question is whether or not my secondary computer would be infected..... We have DSL and a wireless router. Computer #2 is the one that is using a wireless connection to access the internet. The first computer (the infected one) is hooked to this modem with an Ethernet cord (?). Is the second computer at risk? That is my primary concern. The infected computer is disconnected from the internet. When this all happened (I think...) I was on YouTube and my computer completely shut itself down and then restarted. I immediately ran Ad-Aware and found the trojan, went to the secondary computer and changed my bank and AOL passwords. Since then, I have not used my primary computer for anything other than trying to deal with cleaning it. However, the second computer we've been using as normal (I did run Ad-Aware on it as well, but didn't find anything of concern).

Second, as far as what to do with the first computer, I'd prefer to reformat the drive and wipe everything off if you are sure that will get rid of all traces of anything left that could be damaging. I'm so worried I'd almost feel better buying a new computer (which I was considering anyway!). Please let me know how to proceed - I appreciate your help and guidance.

Oh, one more thing...I've used this computer in the last couple of weeks to do something remotely for work - used the LogMeIn website....are my computers at work in any way jeopardized? We do keep them up to date with virus software and firewalls and I haven't noticed anything, but let me know what you think.

Thanks again - just tell me what to do! In the meantime, I'll be dealing with the identity theft issue just in case.

Kathi

#4 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:42 PM

Posted 24 June 2008 - 04:58 AM

Hi,

Second, as far as what to do with the first computer, I'd prefer to reformat the drive and wipe everything off if you are sure that will get rid of all traces of anything left that could be damaging. I'm so worried I'd almost feel better buying a new computer (which I was considering anyway!). Please let me know how to proceed - I appreciate your help and guidance.

If you reformat your drive and reinstall Windows, every trace of the trojan will be gone. It's a very safe method; be sure to install an anti-virus program right away though, before you connect to the internet. Here are some sites that can help you if you want to reformat -

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Oh, one more thing...I've used this computer in the last couple of weeks to do something remotely for work - used the LogMeIn website....are my computers at work in any way jeopardized? We do keep them up to date with virus software and firewalls and I haven't noticed anything, but let me know what you think.

I would be surprised if that jeopardized your computer at work. Just in case, you can inform the IT department of the situation so they can take action if needed.

As for your second computer, it could be that it's infected but the chance is slim. You can post a log from Deckard's System Scanner here so I can check to make sure it's clean.
Simon V.


#5 kathi

kathi
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 24 June 2008 - 07:10 AM

Simon, again thank you - we are off today to find anti-virus software - any suggestions?! Will this post be kept open while I try to reformat my drive (which I'm terrified to do - fyi!)?

...here is the log for the second computer, thanks for taking a look at it:

Deckard's System Scanner v20071014.68
Run by Bruce on 2008-06-24 06:57:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-06-24 11:57:44 UTC - RP2246 - Deckard's System Scanner Restore Point
11: 2008-06-24 02:36:53 UTC - RP2245 - System Checkpoint
10: 2008-06-22 14:18:00 UTC - RP2244 - Software Distribution Service 3.0
9: 2008-06-22 14:01:33 UTC - RP2243 - Installed Java™ 6 Update 6
8: 2008-06-22 13:55:04 UTC - RP2242 - Installed Ad-Aware


-- First Restore Point --
1: 2008-06-14 13:06:28 UTC - RP2235 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Bruce.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-24 06:59:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\COMPAQ\Easy Access Button Support\STARTEAK.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\CPQInet\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CMpdpsrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\COMPAQ\Easy Access Button Support\BttnServ.exe
C:\Program Files\Common Files\aol\1178015060\ee\aolsoftware.exe
C:\Program Files\Common Files\aol\1178015060\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\aol\Loader\aolload.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\aol\1178015060\ee\SSCEvtHdlr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\Program Files\Common Files\aol\1178015060\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\mcafee.com\antivirus\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\aol\1178015060\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Bruce\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1178015060\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1178015060\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1178015060\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: JT's Blocks () - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 () - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/8/B...42/wmsp9dmo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2724F21A-6AF1-4061-917B-D6154A6A81C1} () - http://downloads2.taxslayer.com/netinstall001/default.cab
O16 - DPF: {27F09AE0-972C-444A-8D4A-E6AE606BAC28} () - http://downloads.taxslayer.com/olf2002/net...013/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/pm/activex/eBay_E...l_v1-0-3-30.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} () - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131419403468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183345260671
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_06) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} () - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7906.2541782407
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?5,0,1730,0
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} () - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - AppInit_DLLs: NVDESK32.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\aol\acs\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\aol\1178015060\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\Program Files\mcafee.com\antivirus\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MpfService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\wltrysvc.exe


--
End of file - 13751 bytes

-- HijackThis Fixed Entries (C:\unzipped\HIJACK~1\backups\) --------------------

backup-20051108-214012-148 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
backup-20051108-214012-771 O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
backup-20051108-214012-845 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
backup-20051108-214013-312 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26de604e0af321...ip/RdxIE601.cab
backup-20051108-214013-527 O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
backup-20051108-214013-633 O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 MPFIREWL - c:\windows\system32\drivers\mpfirewall.sys <Not Verified; McAfee; McAfee Personal Firewall>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 SnappyN - c:\windows\system32\drivers\snappyn.sys <Not Verified; Play Incorporated; Snappy by Play Incorporated>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

S1 EACMOS - c:\windows\system32\drivers\eacmos.sys (file missing)
S1 EAWDMFD - c:\windows\system32\drivers\eawdmfd.sys (file missing)
S3 1_3MService (SiPix 1.3M Digital Camera) - c:\windows\system32\drivers\sc1300u.sys <Not Verified; SiPix Imaging Inc.; SC1300 USB>
S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys <Not Verified; DUCam Technology Inc.; DUCam DU101 USB Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Compaq_RBA (Compaq Advisor) - c:\program files\compaq\compaq advisor\bin\compaq-rba.exe <Not Verified; NeoPlanet; NeoPlanet RBA>
R2 PackethSvc (Virtual NIC Service) - c:\windows\system32\packethsvc.exe <Not Verified; America Online, Inc.; America Online>

S2 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F13\4&163C0F35&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F13\4&163C0F35&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&163C0F35&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&163C0F35&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-06-24 06:44:20 450 --a------ C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job
2001-12-14 22:45:32 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2001-12-14 22:45:32 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job


-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-22 09:34:08 0 dr-h----- C:\Documents and Settings\Bruce\Recent
2008-06-22 09:12:55 0 d-------- C:\Program Files\CCleaner
2008-06-22 08:55:14 0 d-------- C:\Program Files\Lavasoft
2008-06-22 08:55:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-22 08:53:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 23:05:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-25 10:04:41 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-25 10:03:19 0 d-------- C:\Program Files\Microsoft IntelliType Pro


-- Find3M Report ---------------------------------------------------------------

2008-06-24 06:50:49 16681 --a------ C:\WINDOWS\compaq.reg
2008-06-22 09:05:37 0 d-------- C:\Program Files\Java
2008-06-22 08:53:06 0 d-a------ C:\Program Files\Common Files
2008-06-22 08:48:48 0 d-------- C:\Documents and Settings\Bruce\Application Data\Lavasoft
2008-05-08 21:14:37 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [08/15/2001 05:50 AM]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [09/26/2001 03:30 AM]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [07/24/2001 09:34 AM]
"NvCplDaemon"="NvQTwk" []
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [07/13/2000 03:00 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [07/13/2000 03:00 PM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/17/2001 12:50 PM]
"CMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE" [05/07/2001 11:53 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1178015060\ee\AOLSoftware.exe" [04/12/2007 04:23 PM]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1178015060\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe" [01/25/2007 04:34 PM]
"sscRun"="C:\Program Files\Common Files\AOL\1178015060\ee\SSCRun.exe" [01/25/2007 04:34 PM]
"OASClnt"="C:\Program Files\mcafee.com\antivirus\oasclnt.exe" [07/28/2006 11:43 AM]
"EmailScan"="C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" [07/28/2006 11:43 AM]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [03/07/2006 03:05 PM]
"Broadcom Wireless Manager"="C:\WINDOWS\system32\wltray.exe" [06/14/2007 04:48 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/2006 06:14 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/2006 06:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/30/2006 10:49 PM]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [04/18/2007 01:49 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Compaq_RBA"=C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe [12/7/2007 9:55:12 PM]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [11/7/2003 7:40:22 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun\Autorun.exe

*Newly Created Service* - ENTDRV51



End of Deckard's System Scanner: finished at 2008-06-24 07:02:36

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.70GHz
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 255.42 MiB / 44.02 MiB
Pagefile Memory (total/avail): 616.86 MiB / 189.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.32 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.27 GiB total, 22.99 GiB free.
D: is Fixed (FAT32) - 3.99 GiB total, 1.14 GiB free.
E: is CDROM (No Media)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 33.27 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 3.99 GiB - D:

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device - 1961.06 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1963.88 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: AOL Firewall v210.5.4.1 (AOL LLC.) Disabled
AV: AOL Antivirus v210.5.4.1 (AOL) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CMpdpsrv.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CMpdpsrv.exe:*:Enabled:PDP RPC Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\aol\\1178015060\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1178015060\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bruce\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GEORGE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bruce
LOGONSERVER=\\GEORGE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bruce\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bruce\LOCALS~1\Temp
USERDOMAIN=GEORGE
USERNAME=Bruce
USERPROFILE=C:\Documents and Settings\Bruce
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Bruce (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\mcafee.com\antivirus\uninst.exe" /PopUpMsgBox="N" /CheckMutx="N" /S
--> "C:\Program Files\mcafee.com\personal firewall\aol\uninst.exe" /PopUpMsgBox="N" /CheckMutx="N" /S
--> C:\Program Files\Common Files\McAfee\Installer\mcinst.exe "C:\Program Files\mcafee.com\personal firewall\mpfp.inf" /uninstall
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D40ADCAB-4DB2-44DC-8BBB-6C1DEC81B5B9}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2001 TurboTax Home & Business --> C:\Tax01\TaxUnst.EXE "C:\Tax01\Uninstall.log" -NoGui
2002 TaxSlayer OLF --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5FC73EB1-B966-43D7-84B5-888970C24CB8}
3D Home Architect Deluxe --> C:\WINDOWS\uninst.exe -fC:\3dhmedlx\DeIsL1.isu
a-squared Free 1.6.1 --> "C:\Program Files\a-squared\unins000.exe"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1033
CA Pest Patrol Realtime Protection --> MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
Camera Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\Setup.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Coloreal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE90251-93EB-4F6A-89D8-086E2D91DC56}\setup.exe"
Compaq Advisor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4C1AFCD-2C72-48B4-AE2E-A7354A525E87}\Setup.exe" UNINSTALL
Compaq Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03AAA1D8-D4CF-48BD-9C66-78B41D80DF06}\setup.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CompuServe 2000 --> C:\Program Files\Common Files\csshare\csunins_us.exe
CoolCam Camera Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Camera Suite\Uninst.isu"
CPQIED06XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0969ABD2-CC59-11D4-8D96-00902799E3BF}\setup.exe"
Dynex Wireless G USB Network Adapter Setup --> C:\Program Files\InstallShield Installation Information\{531D27E5-DE21-4777-9EDB-B7803087E7F3}\setup.exe -runfromtemp -l0x0009 -removeonly
Easy Access Button Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.exe" -uninst
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Encarta Online --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.exe" -uninst
HijackThis 1.99.1 --> C:\unzipped\hijackthis\HijackThis.exe /uninstall
Image Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}\Setup.exe" UNINSTALL
ImageMixer for Sony --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe"
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
MGI PhotoSuite III SE (Remove Only) --> "C:\Program Files\MGI\MGI PhotoSuite III SE\System\MGIUninstall.exe" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\MGI PhotoSuite III SE\Uninst.isu" -c"C:\Program Files\MGI\MGI PhotoSuite III SE\System\CustomUninstall.dll"
Microsoft Money 2001 --> MsiExec.exe /I{D085A1B6-90A4-11D3-82B7-00C04FA309DE}
Microsoft Publisher 97 --> C:\Program Files\Microsoft Publisher\Setup\Setup.exe /m
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Netscape 6 (6.1) --> C:\WINDOWS\N6Uninst.exe /ua "6.1 (en)"
NHRA Pro Stock Cars and Trucks --> C:\PROGRA~1\MOTORS~1\NHRAPR~1\UNWISE.EXE C:\PROGRA~1\MOTORS~1\NHRAPR~1\INSTALL.LOG
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvcq.inf
Quicken 2002 New User Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Safety and Security Center Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SiPix 1.3M Digital Camera --> C:\WINDOWS\TWAIN_32\SiPix\1_3M\CamRemov.exe
SoundMAX2 --> C:\Program Files\Analog Devices\SoundMAX 2\ADIOUT.BAT
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TaxSlayer --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F7D66C27-FB55-40D3-BDA6-2A23E654FC92} TaxSlayer
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebIQ Client Software --> C:\WINDOWS\System32\WebIQInstall.exe /u
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1602 / Warning
Event Submitted/Written: 06/24/2008 06:46:53 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type1601 / Warning
Event Submitted/Written: 06/24/2008 06:46:53 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type1593 / Warning
Event Submitted/Written: 06/23/2008 07:37:50 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type1592 / Warning
Event Submitted/Written: 06/23/2008 07:37:49 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type1590 / Warning
Event Submitted/Written: 06/23/2008 07:31:23 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type115007 / Error
Event Submitted/Written: 06/24/2008 06:49:01 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
cdudf_xp
i8042prt

Event Record #/Type115006 / Error
Event Submitted/Written: 06/24/2008 06:49:01 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Bonjour Service service hung on starting.

Event Record #/Type115005 / Error
Event Submitted/Written: 06/24/2008 06:47:16 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Kodak Camera Connection Software service failed to start due to the following error:
%%2

Event Record #/Type115003 / Error
Event Submitted/Written: 06/24/2008 06:46:52 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type115002 / Error
Event Submitted/Written: 06/24/2008 06:46:52 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)



-- End of Deckard's System Scanner: finished at 2008-06-24 07:02:36 ------------

#6 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 24 June 2008 - 08:31 AM

Hi :thumbsup:

Here are two free anti-virus programs I recommend -
I will keep this thread open until you've successfully reformatted your hard drive. When Windows is reinstalled, I'll give you some more tips to prevent reinfection.

As for your second computer, your anti-virus software appears to be outdated. Please update it to ensure your computer is protected.

Also, please uninstall the following program - Java 2 Runtime Environment, SE v1.4.2_01

For the rest, your log looks clean; there are no infections on that computer as far as I can see.
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#7 kathi
  • Topic Starter
  • Members
  • 38 posts

Posted 24 June 2008 - 06:49 PM

Should I install both or just pick one? Will this take the place of something like Norton?

#8 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 24 June 2008 - 07:05 PM

Should I install both or just pick one? Will this take the place of something like Norton?

You should only install one anti-virus program.

The programs I recommended will give you sufficient protection; so yes, it will take the place of Norton. However, if you have already paid for Norton it would be best to install that one; there's no need to waste money :thumbsup:
Simon V.


#9 kathi
  • Topic Starter
  • Members
  • 38 posts

Posted 28 June 2008 - 11:03 AM

well, here's the next issues:

1. I've been attempting to find the disks/manuals, etc. that came with this computer and I'm not finding them anywhere (we've moved since we bought this and a lot of our stuff is still in storage). I do have an unopened Microsoft Office XP Small Business disc...can I use this instead of the original XP?

2. And, I turned on the infected computer today so that I could start backing up any info I may need to keep and all I'm getting is a black screen with a blinking cursor and I can't type anything in. At start up I get the option to F1 or F10 (system recovery) before it goes to the black screen.

What now?!? (seriously, would it just be easier to buy a new computer?!)

#10 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 28 June 2008 - 11:24 AM

Hi :thumbsup:

I do have an unopened Microsoft Office XP Small Business disc...can I use this instead of the original XP?

Yes, as long as the serial key hasn't been used it's OK to use that CD.

And, I turned on the infected computer today so that I could start backing up any info I may need to keep and all I'm getting is a black screen with a blinking cursor and I can't type anything in. At start up I get the option to F1 or F10 (system recovery) before it goes to the black screen.

You can try booting into Safe Mode -

When you start up your computer, rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

Log in to your usual account.

Let me know whether that worked.
Simon V.


#11 kathi
  • Topic Starter
  • Members
  • 38 posts

Posted 28 June 2008 - 11:28 AM

i can't get the F8 to work....

#12 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 28 June 2008 - 11:34 AM

i can't get the F8 to work....

Please try F5 instead of F8.
Simon V.


#13 kathi
  • Topic Starter
  • Members
  • 38 posts

Posted 28 June 2008 - 11:37 AM

Nope, still just get the red/white Compaq screen with the F1 and F10 options, then goes to black screen with blinking cursor.... I even tried the F10 earlier and it didn't work...seems like all I can get into is the setup option.

#14 Simon V.

  • Members
  • 439 posts
  • Gender:Male

Posted 28 June 2008 - 11:45 AM

Hi :thumbsup:

Nope, still just get the red/white Compaq screen with the F1 and F10 options, then goes to black screen with blinking cursor.... I even tried the F10 earlier and it didn't work...seems like all I can get into is the setup option.

If you want to backup your important data, you can connect your hard drive to another PC to get off all your files. I'm not that experienced with it though, so I suggest you post in the Windows XP forum, where they deal with more general computer problems > http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Be sure not to back up any executable files (.exe, .dll, .ocx, .sys, .scr, .com) or programs, as they may be infected.
Simon V.


#15 kathi
  • Topic Starter
  • Members
  • 38 posts

Posted 28 June 2008 - 07:31 PM

Simon

Just an update - I've resolved the black screen issue (apparently all it took was opening the CD drive...???) In any case, I'm backing up my files as we speak and will push forward on the reinstallation issue - just wanted you to know I haven't given up (yet....)



