
Ultimate Cleaner Removal Follow-up


21 replies to this topic

#1 jrichardson67

jrichardson67

  • Members
  • 11 posts

Posted 11 July 2008 - 12:59 PM

Running Windows XP Professional on my home PC, and I foolishly approved a download from an unknown website and ended up with some nasty malware, which I've come to discover was an Ultimate Cleaner infection. I had the red biohazard desktop background and ridiculous popups. It erased all System Restore points (assuming there were any, as the PC was recently reformatted). Initially I was blocked from task manager or regedit. I was blocked from running many programs. "My Computer" didn't recognize C: or D: drives, only 3 1/2 Floppy A:. Any attempt to open a web page in explorer was redirected to one of several sham spyware removal sites, though it would eventually let me get to google and run a search, but I could only open cached pages from the search results. The Clock said "Virus Found" or "Virus Alert." It initially blocked all downloads. It continues to block Firefox, and Network Associates VirusScan is disabled, and it doesn't appear that my computer recognizes the VirusScan files.

After downloading various programs at work, from suggestions from this website and others (smitfraudfix, ccleaner, rogue remover, DrWeb and DSS) and burning them to CD, I was able to copy them from the CD by typing "D:\" into the address bar on "My Computer." I was then able to run HijackThis and RogueRemover. I was initially blocked from running smitfraudfix, but after I ran a DrWeb scan in safe mode, it allowed me to copy smitfraudfix from the CD onto the desktop, and I ran that in safe mode. I now have Task Manager back. Regedit is available. The red biohazard screen is gone. The "Virus Alert" is no longer attached to the clock. There are no popups in Internet Explorer. I'm able to navigate to most sites, and I'm able to download some files.

The ongoing problems are as follows. I've been able to download Firefox, as I tried uninstalling Firefox and reinstalling it, but it still won't allow me to run Firefox. It just ignores any type of command (including in Run or Command Prompt). It won't let me navigate to the page to download Opera or Kaspersky. It won't let me download Java updates. It won't let me run online virus scans (tried Panda and HouseCall), shows 404 not found or "the page cannot be displayed" when clicking on the SCAN link. I am able to use only Internet Explorer, and there are no popups, but while it allows google searches without fuss, it won't let me navigate to certain pages (login for this website for instance). It says "the page cannot be displayed" or navigates to seemingly random web pages. I'm only able to navigate to this website on my home pc by viewing cached pages. I've registered to this site, and I'm sending this from my work computer.
The real concerns are the blocking of VirusScan and Firefox, and the inability to navigate to sites such as yours or other online virus scanners.


The DSS log is attached. Having gone through the above-described steps, it only gave me a "Main.txt" file, so that's all I attached. I had done a scan with DSS earlier, and I can post that (main and extra) if it would help. As noted above, I couldn't run a Kaspersky scan.


Edited by jrichardson67, 11 July 2008 - 01:15 PM.



#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 03 August 2008 - 12:04 AM

Hello, jrichardson67.
:thumbsup: to BleepingComputer.com

In the future, please do not run such tools before posting your log. These tools are not typically designed to fix the infections on their own; they rely on a human being to check their work.

And the problem is that they DESTROY some of the "pointers" that identify infections in HJT logs, etc.

Just keep in mind that running all those tools compromises anyone on the HJT Team's ability to clean your system.

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
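Billy's point above is that the entries in an HJT log are the pointers a helper reads to identify an infection. As an added illustration, not code from this thread, from BleepingComputer or from the HijackThis/DSS tools, here is a small Python triage script using heuristics of my own over HijackThis-style lines of the kind posted later in this thread: a BHO with no name, the same DLL registered at more than one load point, an SSODL entry loading from outside system32, a policy restriction, a service whose file is missing, and an extra LSA authentication package. The sample input is copied from the posted log and assembled here as constructed test data.

```python
"""Triage of HijackThis-style log lines for auto-start persistence entries.

Added example; not a tool from this thread. All rules are the editor's own
heuristics, chosen around the load points visible in the posted log:
O2 (BHO), O4 (Run keys), O7 (policy restrictions), O20 (Winlogon Notify),
O21 (ShellServiceObjectDelayLoad), O23 (services) and the LSA
"Authentication Packages" value from the DSS registry dump.
"""
import re
from collections import defaultdict

# First Windows path ending in .dll/.exe on a line; spaces are allowed
# because most legitimate entries live under "Program Files".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"
# HJT sections that each represent an independent way to get a DLL loaded.
LOAD_POINT_CODES = {"O2", "O4", "O20", "O21"}

# Sample input: lines copied from the DSS/HijackThis log posted in this
# thread, assembled here as constructed test data.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\qoMgeDWN.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qoMgeDWN - C:\WINDOWS\SYSTEM32\qoMgeDWN.dll
O21 - SSODL: fsrpknov - {FCEEB175-16BA-43DD-A330-2A5C98713C3B} - C:\WINDOWS\fsrpknov.dll
O23 - Service: NAI ePO Agent Install (NAIMServInst) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unz61.tmp\FramePkg.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJBSJDu
"""


def _first_path(line):
    """Lower-cased first .dll/.exe path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(0).lower() if m else None


def triage(lines):
    """Return (severity, reason, evidence) tuples for suspicious entries."""
    findings = []
    load_points = defaultdict(set)  # normalised path -> HJT codes loading it
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        path = _first_path(line)
        if path and code in LOAD_POINT_CODES:
            load_points[path].add(code)
        if code == "O2" and "(no name)" in line:
            findings.append(("high", "BHO registered without a name", line))
        elif code == "O21" and path and not path.startswith(SYSTEM32):
            findings.append(("high", "SSODL entry loads a DLL outside system32", line))
        elif code == "O7":
            findings.append(("medium", "policy restriction in place (e.g. Task Manager disabled)", line))
        elif code == "O23" and "(file missing)" in line:
            findings.append(("low", "service points at a missing file (orphaned or deleted)", line))
        elif line.startswith('"Authentication Packages"'):
            # Only msv1_0 is expected on a stock XP box; anything else is
            # a DLL that LSASS will load at boot.
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                findings.append(("high", "extra LSA authentication package(s): " + ", ".join(extra), line))
    # A single DLL hooked into several independent load points (here: BHO,
    # Winlogon Notify and ShellExecuteHooks in the posted log) is a stronger
    # signal than any one entry on its own.
    for path, codes in sorted(load_points.items()):
        if len(codes) >= 2:
            findings.append(("high", "same DLL registered at %d load points (%s)"
                             % (len(codes), ", ".join(sorted(codes))), path))
    return findings


if __name__ == "__main__":
    for severity, reason, evidence in triage(SAMPLE_LOG.splitlines()):
        print("[%-6s] %s\n         %s" % (severity, reason, evidence))
```

The random-looking file names the log shows (qoMgeDWN.dll, fsrpknov.dll) are deliberately not used as a rule here, since legitimate names such as igfxsrvc.dll look just as odd to a string heuristic.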

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 07 August 2008 - 08:58 AM

Hello, jrichardson67.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 August 2008 - 06:43 AM

Topic reopened. Please post your logs below.

Billy3

#5 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts

Posted 14 August 2008 - 10:12 AM

Billy,
Thanks for your help!

I'm forced to send the logs to my work computer, as the spyware won't allow me to navigate to this website. I tried to follow the instructions to Run DSS from the "Run" program. The computer gave me an error message, "Cannot find '%userprofile\desktop\dss.exe' " or something similar. Sorry, I didn't write it all down.

I was able to run DSS from a desktop icon and here's the log from yesterday. I've also attached the main and extra logs from the first DSS I ran before running various anti-spyware programs below:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-13 22:54:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:54:54, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Desktop\ultim\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\ultim\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\qoMgeDWN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\Software\..\Telephony: DomainName = uchsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = uchsc.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qoMgeDWN - C:\WINDOWS\SYSTEM32\qoMgeDWN.dll
O21 - SSODL: fsrpknov - {FCEEB175-16BA-43DD-A330-2A5C98713C3B} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adaptive Server Anywhere - BDFACSApp (ASANYe_BDFACSApp) - iAnywhere Solutions, Inc. - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: NAI ePO Agent Install (NAIMServInst) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unz61.tmp\FramePkg.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

Nothing created in this timespan.


-- Find3M Report ---------------------------------------------------------------

2008-07-11 02:52:25 2542 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 01:41:47 0 d-------- C:\Program Files\Common Files
2008-07-11 01:41:47 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-11 01:16:30 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-10 15:10:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-07-10 15:08:47 1196 --ahs---- C:\WINDOWS\system32\uDJSBJjl.ini2
2008-07-10 14:49:22 0 d-------- C:\Program Files\CCleaner
2008-07-10 01:29:47 92672 --a------ C:\WINDOWS\system32\KillBox.exe <Not Verified; Option; Explicit Software vbtechcd@gmail.com>
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\opnkliJA.dll
2008-07-09 14:50:40 184320 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-09 14:50:40 360448 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-09 14:50:38 274432 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-01 21:05:35 0 d-------- C:\Program Files\support.com
2008-07-01 21:05:19 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-23 18:21:42 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-05-18 21:40:35 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}]
07/09/2008 23:21 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/10/2004 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/10/2004 11:51]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [12/07/2005 03:55]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 03:23]
"@"="" []
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [12/16/2002 17:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [03/31/2003 20:28]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 17:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 14:50]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 17:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [9/3/2007 9:11:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)
"MaxGPOScriptWait"=15 (0xf)
"RunStartupScriptSync"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}"= C:\WINDOWS\system32\qoMgeDWN.dll [07/09/2008 23:21 29568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fsrpknov"= {FCEEB175-16BA-43DD-A330-2A5C98713C3B} - C:\WINDOWS\fsrpknov.dll [07/09/2008 14:50 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMgeDWN]
qoMgeDWN.dll 07/09/2008 23:21 29568 C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJBSJDu

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\uchsc.edu\netlogon\CM_push.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\uchsc.edu\netlogon\OutlookAddinInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AuthServersControl.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=\\uchsc.edu\netlogon\DesktopSecurity.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=\\uchsc.edu\netlogon\LandeskInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2102999208-408303454-1867994533-67349\Scripts\Logon\0\0]
"Script"=AuthServicesControl.vbe




-- End of Deckard's System Scanner: finished at 2008-08-13 22:55:54 ------------



Additionally, here are the logs from the DSS scan I did before running various anti-spyware programs, which you've subsequently warned me against. Maybe they'll be of some use. First is the main log from 7/11/08, shortly after the problem program was downloaded, followed by the extra log.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-11 01:26:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
49: 2008-07-10 19:45:32 UTC - RP265 - Deckard's System Scanner Restore Point
48: 2008-07-10 04:37:38 UTC - RP264 - Restore Operation
47: 2008-07-10 04:35:44 UTC - RP263 - System Checkpoint
46: 2008-07-10 04:35:44 UTC - RP262 - System Checkpoint
45: 2008-07-10 04:35:44 UTC - RP261 - System Checkpoint


-- First Restore Point --
1: 2008-07-10 04:26:51 UTC - RP217 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-11 01:27:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\ultim\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = WWW.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\qoMgeDWN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: QXK Olive - {86805705-69AE-45C6-9B92-A11D54F00AE5} - C:\WINDOWS\wbxdpgfeasv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = uchsc.edu
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = uchsc.edu
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: qoMgeDWN - C:\WINDOWS\system32\qoMgeDWN.dll
O21 - SSODL: fdxbameg - {74AC15F9-B1AD-4B0E-A6A9-57E54BF70265} - C:\WINDOWS\fdxbameg.dll
O21 - SSODL: fsrpknov - {30CF3CA6-5F67-4BE8-A6E1-DDA879507E1A} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adaptive Server Anywhere - BDFACSApp (ASANYe_BDFACSApp) - iAnywhere Solutions, Inc. - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NAI ePO Agent Install (NAIMServInst) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unz61.tmp\FramePkg.exe /SignalComplete /LOGDIR="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NAILogs" /Cleanup2="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unz61.tmp" /WaitFor=2916 /CurrentFolder="C:\WINDOWS\system32" /install=agent /s
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 5793 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ASANYe_BDFACSApp (Adaptive Server Anywhere - BDFACSApp) - c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe -hvasanye_bdfacsapp <Not Verified; iAnywhere Solutions, Inc.; Adaptive Server Anywhere>
R2 McAfeeFramework (McAfee Framework Service) - "c:\program files\network associates\common framework\frameworkservice.exe" /servicestart <Not Verified; McAfee, Inc.; McAfee Common Framework>

S3 NAIMServInst (NAI ePO Agent Install) - c:\docume~1\admini~1\locals~1\temp\unz61.tmp\framepkg.exe /signalcomplete /logdir="c:\docume~1\admini~1\locals~1\temp\nailogs" /cleanup2="c:\docume~1\admini~1\locals~1\temp\unz61.tmp" /waitfor=2916 /currentfolder="c:\windows\system32" /install=agent /s (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_70011799&REV_02\4&1C660DD6&0&10F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_70011799&REV_02\4&1C660DD6&0&10F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Service:


-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-10 14:49:16 0 d-------- C:\Program Files\CCleaner
2008-07-10 14:35:51 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-10 14:27:41 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-07-10 01:30:35 92672 --a------ C:\WINDOWS\system32\KillBox.exe <Not Verified; Option; Explicit Software vbtechcd@gmail.com>
2008-07-10 01:29:49 0 d-------- C:\!KillBox
2008-07-10 00:48:20 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-09 23:26:22 1196 --ahs---- C:\WINDOWS\system32\uDJSBJjl.ini2
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\opnkliJA.dll
2008-07-09 23:20:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-07-09 23:20:19 344064 --a------ C:\WINDOWS\wbxdpgfeasv.dll
2008-07-09 23:20:19 184320 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-09 23:20:19 155648 --a------ C:\WINDOWS\gpefaowr.exe
2008-07-09 23:20:19 274432 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-09 23:20:19 360448 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-09 23:20:19 163840 --a------ C:\WINDOWS\erem.exe
2008-07-09 23:20:13 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-07-01 21:05:19 0 d-------- C:\Program Files\Common Files\SupportSoft


-- Find3M Report ---------------------------------------------------------------

2008-07-01 21:05:35 0 d-------- C:\Program Files\support.com
2008-07-01 21:05:19 0 d-------- C:\Program Files\Common Files
2008-06-03 08:28:53 0 d-------- C:\Program Files\BD FACSDiva Software
2008-06-02 14:22:49 0 d-------- C:\Program Files\Common Files\BD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}]
07/09/2008 23:21: VIRUS ALERT! 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86805705-69AE-45C6-9B92-A11D54F00AE5}]
07/09/2008 14:50: VIRUS ALERT! 344064 --a------ C:\WINDOWS\wbxdpgfeasv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/10/2004 11:55: VIRUS ALERT!]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/10/2004 11:51: VIRUS ALERT!]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [12/07/2005 03:55: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06: VIRUS ALERT!]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 03:23: VIRUS ALERT!]
"@"="" []
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [12/16/2002 17:51: VIRUS ALERT!]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [03/31/2003 20:28: VIRUS ALERT!]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 17:05: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 14:50: VIRUS ALERT!]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 17:45: VIRUS ALERT!]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [9/3/2007 9:11:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)
"MaxGPOScriptWait"=15 (0xf)
"RunStartupScriptSync"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}"= C:\WINDOWS\system32\qoMgeDWN.dll [07/09/2008 23:21: VIRUS ALERT! 29568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fdxbameg"= {74AC15F9-B1AD-4B0E-A6A9-57E54BF70265} - C:\WINDOWS\fdxbameg.dll [07/09/2008 14:50: VIRUS ALERT! 360448]
"fsrpknov"= {30CF3CA6-5F67-4BE8-A6E1-DDA879507E1A} - C:\WINDOWS\fsrpknov.dll [07/09/2008 14:50: VIRUS ALERT! 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMgeDWN]
qoMgeDWN.dll 07/09/2008 23:21: VIRUS ALERT! 29568 C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJBSJDu

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\uchsc.edu\netlogon\CM_push.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\uchsc.edu\netlogon\OutlookAddinInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AuthServersControl.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=\\uchsc.edu\netlogon\DesktopSecurity.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=\\uchsc.edu\netlogon\LandeskInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2102999208-408303454-1867994533-67349\Scripts\Logon\0\0]
"Script"=AuthServicesControl.vbe




-- End of Deckard's System Scanner: finished at 2008-07-11 01:37:55 ------------




Extra log:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 509.98 MiB / 197.64 MiB
Pagefile Memory (total/avail): 1248.68 MiB / 969.35 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.97 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.45 GiB total, 54.6 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 71.45 GiB - C:
\PARTITION2 - Unknown - 3.02 GiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
ASANY9=C:\Program Files\Sybase\SQL Anywhere 9
ASANYSH9=C:\Program Files\Sybase\Shared
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RICHARKEPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\RICHARKEPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Sybase\SQL Anywhere 9\win32;C:\Program Files\Sybase\Shared\win32;C:\Program Files\Sybase\SQL Anywhere 9\drivers;C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=RICHARKEPC
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

richarke
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
BD FACSDiva Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{BE8D4222-0FBD-4A3B-9F27-DC27ABF91CE7}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
HijackThis 1.99.1 --> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Photo Loader 2.3E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70B45586-B51E-4947-A258-A895596C5CED}\Setup.exe" -uninst
Photohands 1.0E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{544FB392-069D-4BA5-9DC7-FFD47230AEE5}\Setup.exe"
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
SQL Anywhere Studio 9, Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F653AB56-DB37-415B-8DDD-EF5BC1982150}\is_setup.exe" -l0x9 UNINSTALLING
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1877 / Error
Event Submitted/Written: 07/11/2008 01:12:15 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type1876 / Error
Event Submitted/Written: 07/11/2008 01:11:51 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\LandeskInstall.bat. The network path was not found.
.

Event Record #/Type1875 / Error
Event Submitted/Written: 07/11/2008 01:11:51 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\DesktopSecurity.bat. The network path was not found.
.

Event Record #/Type1874 / Error
Event Submitted/Written: 07/11/2008 01:11:50 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script AuthServersControl.vbe. The system cannot find the file specified.
.

Event Record #/Type1873 / Error
Event Submitted/Written: 07/11/2008 01:11:49 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\OutlookAddinInstall.bat. The network path was not found.
.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13818 / Error
Event Submitted/Written: 07/11/2008 01:26:32 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type13817 / Warning
Event Submitted/Written: 07/11/2008 01:26:32 AM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.

Event Record #/Type13797 / Warning
Event Submitted/Written: 07/11/2008 01:12:02 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns1.uchsc.edu. No authentication protocol was available.

Event Record #/Type13796 / Warning
Event Submitted/Written: 07/11/2008 01:12:02 AM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for
server DNS/ns1.uchsc.edu. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

Event Record #/Type13795 / Error
Event Submitted/Written: 07/11/2008 01:11:53 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {F5F6647E-A36B-42BB-AD4E-A93753DE4DCD} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-07-11 01:37:55 ------------


#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:37 AM

Posted 14 August 2008 - 10:29 AM

Please copy DSS to your desktop and then re-run the above. DSS needs to have the /config switch passed to it in order for it to make the extra.txt log again, as well as some other information. I want to see that info updated because it contains time sensitive information :thumbsup:

Also, make sure the punctuation is correct. Quotes are required and there must be % signs on BOTH sides of userprofile:
"%userprofile%\desktop\dss.exe" /config

Just don't want to send commands into the machine that may throw a wrench in the gears :)

Good luck,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:37 AM

Posted 14 August 2008 - 10:33 AM

Billy,
I won't be able to make another attempt until Sunday. I'm leaving from work for a camping trip for the weekend. Will post as soon as possible. I think you called it though. I don't think I put % on both sides of userprofile.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:37 AM

Posted 14 August 2008 - 10:36 AM

Okie Dokie :thumbsup:

I will make sure this thread stays open longer than the usual timeout of 5 days :)

Billy3

#9 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:37 AM

Posted 26 August 2008 - 05:29 PM

Billy,
I got an automatically generated response to my last post telling me I need to run a newer version of HijackThis. I'll reinstall HijackThis and post back with the results soon. I know I'm slow to respond, but I ask that you please keep the topic open. Thank you.

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:37 AM

Posted 26 August 2008 - 07:59 PM

Hello, jrichardson67.

Here are instructions for the latest version of HJT.

Your log shows that your HijackThis is an old version.
  • Please delete all copies of HijackThis.zip or HijackThis.exe you have saved.
  • Please download the self-extracting version of HijackThis from here: HijackThis Installer Download
  • Save HJTInstall.exe to your desktop.
  • Double-click the file then click the Install button.
    • The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.
  • Click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.
Please use the shortcut to run the extracted HijackThis.exe from now on.

In your next reply, please include the following:
  • A HijackThis log

Billy3

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:37 AM

Posted 30 August 2008 - 05:04 PM

Hello, jrichardson67.
Are you still here?

Billy3

#12 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:37 AM

Posted 01 September 2008 - 02:59 PM

Billy,
I'm still here. I'm unable to download anything, or open e-mail attachments with the infected computer, so I'm delayed by the need to burn things onto disk at work then bring them home. I'll try to post a new dss log now.
Thanks!

#13 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:37 AM

Posted 05 September 2008 - 12:45 PM

Billy,
I was able to burn a copy of the HJInstall.exe file to disc and copy it onto my desktop on my home PC, but I cannot get it to open now to install it. No messages or anything, just an absence of processor activity from what I can tell. ????
Joel

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:37 AM

Posted 05 September 2008 - 01:50 PM

Please redownload and reburn the file, this time saving the installer as COOKIE.EXE.

Try this new Cookie.exe file and see if that works.

Billy3

#15 jrichardson67

jrichardson67
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:37 AM

Posted 07 September 2008 - 12:50 PM

Billy,
I got the new version of HijackThis installed using the COOKIE.EXE advice you gave. I ran dss.exe using Run: "%userprofile%\desktop\dss.exe" /config

Attached and copied below is a HijackThis log along with the extra.txt file, finally...

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-09-07 11:40:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
73: 2008-09-07 16:40:51 UTC - RP289 - Deckard's System Scanner Restore Point
72: 2008-09-06 15:05:20 UTC - RP288 - System Checkpoint
71: 2008-08-23 15:45:53 UTC - RP287 - System Checkpoint
70: 2008-08-18 15:19:22 UTC - RP286 - System Checkpoint
69: 2008-08-14 00:10:37 UTC - RP285 - System Checkpoint


-- First Restore Point --
1: 2008-07-10 04:26:51 UTC - RP217 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:58, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Documents and Settings\Administrator\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - C:\WINDOWS\system32\qoMgeDWN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bleepingcomputer.com
O15 - Trusted Zone: *.download.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\Software\..\Telephony: DomainName = uchsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uchsc.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = uchsc.edu
O20 - Winlogon Notify: qoMgeDWN - C:\WINDOWS\SYSTEM32\qoMgeDWN.dll
O21 - SSODL: fsrpknov - {FCEEB175-16BA-43DD-A330-2A5C98713C3B} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Adaptive Server Anywhere - BDFACSApp (ASANYe_BDFACSApp) - iAnywhere Solutions, Inc. - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbeng9.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: NAI ePO Agent Install (NAIMServInst) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\unz61.tmp\FramePkg.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4813 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ASANYe_BDFACSApp (Adaptive Server Anywhere - BDFACSApp) - c:\program files\sybase\sql anywhere 9\win32\dbeng9.exe -hvasanye_bdfacsapp <Not Verified; iAnywhere Solutions, Inc.; Adaptive Server Anywhere>
R2 McAfeeFramework (McAfee Framework Service) - "c:\program files\network associates\common framework\frameworkservice.exe" /servicestart <Not Verified; McAfee, Inc.; McAfee Common Framework>

S3 NAIMServInst (NAI ePO Agent Install) - c:\docume~1\admini~1\locals~1\temp\unz61.tmp\framepkg.exe /signalcomplete /logdir="c:\docume~1\admini~1\locals~1\temp\nailogs" /cleanup2="c:\docume~1\admini~1\locals~1\temp\unz61.tmp" /waitfor=2916 /currentfolder="c:\windows\system32" /install=agent /s (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_70011799&REV_02\4&1C660DD6&0&10F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_70011799&REV_02\4&1C660DD6&0&10F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02\3&172E68DD&0&FD
Service:


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 468)
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll

C:\WINDOWS\explorer.exe (pid 1400)
2008-07-09 14:50:38 274432 --a------ C:\WINDOWS\fsrpknov.dll
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll


-- Files created between 2008-08-07 and 2008-09-07 -----------------------------

2008-09-01 13:28:21 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-11 02:52:25 2542 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 01:41:47 0 d-------- C:\Program Files\Common Files
2008-07-11 01:41:47 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-11 01:16:30 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-10 15:10:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-07-10 15:08:47 1196 --ahs---- C:\WINDOWS\system32\uDJSBJjl.ini2
2008-07-10 14:49:22 0 d-------- C:\Program Files\CCleaner
2008-07-10 01:29:47 92672 --a------ C:\WINDOWS\system32\KillBox.exe <Not Verified; Option; Explicit Software vbtechcd@gmail.com>
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll
2008-07-09 23:21:00 29568 --a------ C:\WINDOWS\system32\opnkliJA.dll
2008-07-09 14:50:40 184320 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-09 14:50:40 360448 --a------ C:\WINDOWS\fdxbameg.dll
2008-07-09 14:50:38 274432 --a------ C:\WINDOWS\fsrpknov.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}]
07/09/2008 23:21 29568 --a------ C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/10/2004 11:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/10/2004 11:51]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [12/07/2005 03:55]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [12/15/2006 03:23]
"@"="" []
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [12/16/2002 17:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [03/31/2003 20:28]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 17:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 14:50]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 17:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [9/3/2007 9:11:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideStartupScripts"=1 (0x1)
"MaxGPOScriptWait"=15 (0xf)
"RunStartupScriptSync"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286}"= C:\WINDOWS\system32\qoMgeDWN.dll [07/09/2008 23:21 29568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fsrpknov"= {FCEEB175-16BA-43DD-A330-2A5C98713C3B} - C:\WINDOWS\fsrpknov.dll [07/09/2008 14:50 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMgeDWN]
qoMgeDWN.dll 07/09/2008 23:21 29568 C:\WINDOWS\system32\qoMgeDWN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJBSJDu

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\uchsc.edu\netlogon\CM_push.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\uchsc.edu\netlogon\OutlookAddinInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AuthServersControl.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\3\0]
"Script"=\\uchsc.edu\netlogon\DesktopSecurity.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\4\0]
"Script"=\\uchsc.edu\netlogon\LandeskInstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2102999208-408303454-1867994533-67349\Scripts\Logon\0\0]
"Script"=AuthServicesControl.vbe




-- End of Deckard's System Scanner: finished at 2008-09-07 11:42:46 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 509.98 MiB / 229.21 MiB
Pagefile Memory (total/avail): 1248.68 MiB / 988.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.79 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 71.45 GiB total, 53.1 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - ST380011A - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 71.45 GiB - C:
\PARTITION2 - Unknown - 3.02 GiB



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
ASANY9=C:\Program Files\Sybase\SQL Anywhere 9
ASANYSH9=C:\Program Files\Sybase\Shared
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RICHARKEPC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\RICHARKEPC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Sybase\SQL Anywhere 9\win32;C:\Program Files\Sybase\Shared\win32;C:\Program Files\Sybase\SQL Anywhere 9\drivers;C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=RICHARKEPC
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

richarke
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
BD FACSDiva Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{BE8D4222-0FBD-4A3B-9F27-DC27ABF91CE7}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Photo Loader 2.3E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{70B45586-B51E-4947-A258-A895596C5CED}\Setup.exe" -uninst
Photohands 1.0E --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{544FB392-069D-4BA5-9DC7-FFD47230AEE5}\Setup.exe"
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
SQL Anywhere Studio 9, Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F653AB56-DB37-415B-8DDD-EF5BC1982150}\is_setup.exe" -l0x9 UNINSTALLING
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2181 / Error
Event Submitted/Written: 09/07/2008 11:16:32 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type2180 / Error
Event Submitted/Written: 09/07/2008 11:16:08 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\LandeskInstall.bat. The network path was not found.
.

Event Record #/Type2179 / Error
Event Submitted/Written: 09/07/2008 11:16:08 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\DesktopSecurity.bat. The network path was not found.
.

Event Record #/Type2178 / Error
Event Submitted/Written: 09/07/2008 11:16:07 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script AuthServersControl.vbe. The system cannot find the file specified.
.

Event Record #/Type2177 / Error
Event Submitted/Written: 09/07/2008 11:16:06 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\uchsc.edu\netlogon\OutlookAddinInstall.bat. The network path was not found.
.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15151 / Warning
Event Submitted/Written: 09/07/2008 11:16:37 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns1.uchsc.edu. No authentication protocol was available.

Event Record #/Type15150 / Warning
Event Submitted/Written: 09/07/2008 11:16:37 AM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for
server DNS/ns1.uchsc.edu. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

Event Record #/Type15149 / Error
Event Submitted/Written: 09/07/2008 11:16:10 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {F5F6647E-A36B-42BB-AD4E-A93753DE4DCD} did not register with DCOM within the required timeout.

Event Record #/Type15148 / Error
Event Submitted/Written: 09/07/2008 11:15:33 AM / 09/07/2008 11:15:34 AM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain STARGATE due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type15144 / Warning
Event Submitted/Written: 09/06/2008 08:55:41 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns1.uchsc.edu. No authentication protocol was available.



-- End of Deckard's System Scanner: finished at 2008-09-07 11:42:46 ------------
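The Security Center and firewall section near the top of this DSS report (Windows Internal Firewall disabled, FirstRunDisabled / AntiVirusDisableNotify / UpdatesDisableNotify set, and the FirewallPolicy AuthorizedApplications dump) is the part of the log that most often gets skipped during cleanup. The script below is an added example for triaging exactly that section; it is not part of the original post, of Deckard's System Scanner, or of any BleepingComputer tool. It assumes that the "... is set" lines come from the HKLM\SOFTWARE\Microsoft\Security Center notification values, that each AuthorizedApplications value follows the XP SP2 format `"<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"`, and uses a simple, assumed directory heuristic (paths under %windir% or Program Files are treated as expected) to rank the exceptions. The sample input is constructed to mirror the lines shown in the log above.

```python
"""Triage the firewall / Security Center section of a DSS report.

Added example; not code from the original post or from DSS itself.
"""
import re
from typing import Dict, List

# Constructed sample input, mirroring the lines in the DSS log above.
SAMPLE_DSS = r'''
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
'''

# Security Center notification flags. Assumption: DSS reads these from
# HKLM\SOFTWARE\Microsoft\Security Center. Rogue "cleaner" software sets them
# so the Security Center stays quiet about a disabled firewall or AV.
NOTIFY_FLAGS = {
    "FirstRunDisabled": "Security Center first-run setup suppressed",
    "AntiVirusDisableNotify": "antivirus status alerts suppressed",
    "FirewallDisableNotify": "firewall status alerts suppressed",
    "UpdatesDisableNotify": "Automatic Updates alerts suppressed",
}

# Assumed directory heuristic for ranking exceptions; malware can live in
# Program Files too, so treat "LOW" as "still look at it", not "ignore".
EXPECTED_DIRS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")

_FW_STATE_RE = re.compile(r"^Windows Internal Firewall is (enabled|disabled)\.$")
_FLAG_RE = re.compile(r"^(\w+) is set\.$")
_KEY_RE = re.compile(
    r"^\[HKLM\\.*FirewallPolicy\\(?P<profile>\w+Profile)\\AuthorizedApplications\\List\]$")
# "<path>"="<path>:<scope>:<state>:<name>" ; scope is "*" or an address list.
_EXC_RE = re.compile(
    r'^"(?P<path>[^"]+)"="(?P=path):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<name>.*)"$')


def parse_dss_firewall_section(text: str) -> Dict[str, object]:
    """Turn the DSS firewall block into a structured summary."""
    result: Dict[str, object] = {
        "windows_firewall_disabled": False,
        "notify_flags_set": [],
        "third_party_firewall": None,
        "exceptions": [],  # (profile, path, scope, enabled, display name)
    }
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FW_STATE_RE.match(line)
        if m:
            result["windows_firewall_disabled"] = m.group(1) == "disabled"
            continue
        m = _FLAG_RE.match(line)
        if m and m.group(1) in NOTIFY_FLAGS:
            result["notify_flags_set"].append(m.group(1))
            continue
        if line.startswith("FW: "):
            result["third_party_firewall"] = line[4:]
            continue
        m = _KEY_RE.match(line)
        if m:
            profile = m.group("profile")
            continue
        m = _EXC_RE.match(line)
        if m and profile:
            result["exceptions"].append((
                profile,
                m.group("path").replace("\\\\", "\\"),  # registry-escaped -> real path
                m.group("scope"),
                m.group("state").lower() == "enabled",
                m.group("name"),
            ))
    return result


def findings(parsed: Dict[str, object]) -> List[str]:
    """Rank what the responder should verify before calling the box clean."""
    out: List[str] = []
    if parsed["windows_firewall_disabled"]:
        if parsed["third_party_firewall"]:
            out.append("INFO: Windows Firewall off; third-party firewall reported: "
                       + str(parsed["third_party_firewall"]))
        else:
            out.append("HIGH: Windows Firewall disabled and no third-party firewall reported")
    for flag in parsed["notify_flags_set"]:
        out.append(f"MEDIUM: {flag} is set ({NOTIFY_FLAGS[flag]}); clear it after cleanup")
    for profile, path, scope, enabled, name in parsed["exceptions"]:
        if not enabled:
            continue
        expected = path.lower().startswith(EXPECTED_DIRS)
        sev = "LOW" if expected else "HIGH"
        out.append(f"{sev}: {profile} exception {path} ({name}) scope={scope}")
    return out


if __name__ == "__main__":
    for line in findings(parse_dss_firewall_section(SAMPLE_DSS)):
        print(line)
```

Run against the sample it reports the disabled Windows Firewall as informational only because ZoneAlarm is present, flags the three suppressed Security Center notifications for reset, and lists the two sessmgr.exe (Remote Assistance) and one McAfee framework exceptions as low-priority; an exception pointing at a path outside the expected directories would come out as HIGH. Whatever the script says, the notification flags should be reset by hand or by the vendor's repair routine once the rogue is gone, otherwise the Security Center will keep reporting nothing even if the real antivirus never comes back.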
