Dirty Laptop - Marketscore Spyware & Other Infections


  • This topic is locked
3 replies to this topic

#1 friarjack

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:10 AM

Posted 12 July 2008 - 09:44 AM

Not sure if this is appropriate, but I am cleaning a friend's computer. They were getting blue screens consistently if they used their computer for more than 15 min. If they didn't use it, it would not shut down. I received the computer earlier this week. The first thing I did was install ZoneAlarm and remove Trend Micro AntiVirus, which I thought was acting funny. It has not shut down on me a single time.

Next I installed AVG and Spybot and ran several scans. MarketScore spyware came up on Spybot and I removed it. I did not keep good records, but AVG found 18 infections on about the 3rd scan. They were moved to the virus vault. Most of them were in folders that were no longer in use (if they ever were), so I had AVG delete them. I don't remember what they were, but they were virus infections and 16 trojan horses. I also installed CCleaner and WinPatrol. I cleaned up the startup list. The more I investigated the programs, the more I realized that I wasn't sure if I got the infections completely or not. Then I discovered HJT. The first HJT scan I ran found three entries that I investigated and had HJT remove:

O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com

Other than that, I have not made any changes.

I downloaded DSS and will post the reports below. I just want to make sure nothing else is there. I have run a couple of AVG and Spybot scans with nothing turning up. I ran Kaspersky and did not see a report. It only found one thing that I think was a false positive. It was "Exploit.PHP.Userpic.a". I researched it and almost everything said it was an FP.

The laptop is a Dell Latitude D600 running Windows XP.

Here are the DSS reports:

extra.txt:
======

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1700MHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.23 MiB / 557.54 MiB
Pagefile Memory (total/avail): 1791.57 MiB / 1441.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1877.52 MiB

C: is Fixed (NTFS) - 27.9 GiB total, 12.37 GiB free.
D: is CDROM (No Media)
N: is Network (Unformatted)
S: is Network (Unformatted)
W: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2030AT - 27.95 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 27.9 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ottoal\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=1283OTTOA
ComSpec=C:\WINDOWS\system32\cmd.exe
CWALTAHOME=C:\Program Files\ContentWatch
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ottoal
HOMESHARE=\\ian128301\ottoal
LOGONSERVER=\\IAN128301
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ottoal\LOCALS~1\Temp
TMP=C:\DOCUME~1\ottoal\LOCALS~1\Temp
tvdumpflags=8
USERDNSDOMAIN=IAGN1283.MDS
USERDOMAIN=IAGN1283
USERNAME=ottoal
USERPROFILE=C:\Documents and Settings\ottoal
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

a1283700 (new local, admin, net ready)
a1283490 (admin)
fldtech (admin)
AlOtto (admin)
A1283490.1283OTTOA (admin)
Administrator (admin)
ottoal (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BlackBerry Desktop Software 4.0 --> MsiExec.exe /I{556144BE-61D6-4B04-8776-B09454897E87}
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Broadcom ASF Management Applications --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
BurnPlugin for Audible --> MsiExec.exe /I{301120E0-45A9-498C-8627-19E7E20EFA3A}
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cheetah DVD Burner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}\Setup.exe"
Conexant D480 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Crazy MiniGolf --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7CEFE01-24FB-40D2-829D-25ED39A089B5}\Setup.exe" -l0x9
Dell Printer Software Uninstall --> C:\Program Files\Dell\Install\Uninstall.exe
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Dora Lost City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{747C231B-062D-4586-8221-8E7870987D5B}\setup.exe" -l0x9 -uninst
Dragon NaturallySpeaking 8 --> MsiExec.exe /I{DDDD0C4B-57F7-4A85-ACF0-DB3FC8F1DBB4}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet All-In-One Software 8.0 --> C:\Program Files\HP\Digital Imaging\{24557DC0-0839-496f-82F9-C4EB72EFE4FA}\setup\hpzscr01.exe -datfile hposcr12.dat
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Smart Web Printing 1.0 --> MsiExec.exe /X{E3030F57-9E6B-4E36-95B6-F7B4DBDEB8FB}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® PROSet --> MsiExec.exe /I{181934AF-3E7B-450D-804F-2B812E018ED1}
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Microsoft Access 2002 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0050048383C9}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{DF930075-1C01-45CA-B023-993BF4118096}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Personal Folders Backup --> MsiExec.exe /X{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
New Testament Stories --> C:\WINDOWS\unvise32.exe C:\Program Files\Brighter Child\uninstal.log
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
Reader Rabbit's 1st Grade --> C:\WINDOWS\uninst.exe -fC:\TLCWIN\RRF\uninstal\DeIsL1.isu
Retrospect 7.0 --> MsiExec.exe /I{AFF8387B-A958-48F8-9E1C-2E9485A1985A}
Richard Scarry's Best Activity Center Ever --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Activity Center\Richard Scarry's Best Activity Center Ever\Uninst.isu"
Richard Scarry's Best Math Program Ever --> C:\WINDOWS\uninst.exe -fC:\BestMath\DeIsL1.isu
Scholastic's I SPY Mystery --> C:\PROGRA~1\SCHOLA~1\ISPYMY~1\UNWISE.EXE C:\PROGRA~1\SCHOLA~1\ISPYMY~1\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shop for HP Supplies --> C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPatrol 2008 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WriteExpress 3,001 Business & Sales Letters --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{720DAF8C-F9FD-4236-8EDD-75219B21E276}
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7941 / Error
Event Submitted/Written: 07/12/2008 09:01:16 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type7936 / Error
Event Submitted/Written: 07/12/2008 09:00:31 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type7935 / Error
Event Submitted/Written: 07/12/2008 09:00:30 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

Event Record #/Type7933 / Error
Event Submitted/Written: 07/12/2008 06:05:25 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x800704cf). The network location cannot be reached. For information about network troubleshooting, see Windows Help.
Enrollment will not be performed.

Event Record #/Type7931 / Error
Event Submitted/Written: 07/11/2008 10:06:43 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type85596 / Warning
Event Submitted/Written: 07/12/2008 09:16:24 AM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {4E77A746-90BA-46AB-B7BA-989D1B313C2E}

Host Name : 1283OttoA

Primary Domain Suffix : iagn1283.mds

DNS server list :

68.87.68.162, 68.87.74.162

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type85595 / Warning
Event Submitted/Written: 07/12/2008 09:16:23 AM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {A7ECE3C9-E582-45D0-962D-116A9D861BCF}

Host Name : 1283OttoA

Primary Domain Suffix : iagn1283.mds

DNS server list :

68.87.68.162, 68.87.74.162

Sent update to server : <?>

IP Address(es) :

192.168.1.100


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type85578 / Error
Event Submitted/Written: 07/12/2008 09:01:44 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service failed to start due to the following error:
%%1053

Event Record #/Type85577 / Error
Event Submitted/Written: 07/12/2008 09:01:44 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Windows User Mode Driver Framework service to connect.

Event Record #/Type85575 / Warning
Event Submitted/Written: 07/12/2008 09:00:31 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000CF1232D81. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-07-12 10:03:55 ------------

main.txt:
======

Deckard's System Scanner v20071014.68
Run by ottoal on 2008-07-12 09:58:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
17: 2008-07-12 13:59:06 UTC - RP1205 - Deckard's System Scanner Restore Point
16: 2008-07-12 03:00:29 UTC - RP1204 - Installed Ad-Aware
15: 2008-07-11 23:45:55 UTC - RP1203 - Installed Java™ 6 Update 7
14: 2008-07-11 15:21:38 UTC - RP1202 - System Checkpoint
13: 2008-07-10 13:36:38 UTC - RP1201 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-07 15:41:29 UTC - RP1189 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ottoal.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:39 AM, on 7/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ottoal\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ottoal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: (no name) - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} (ReiEngine Class) -
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212589685328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D5382F3F-32AA-41E1-9FFF-5D1EFAC80D40} (FileClean.Clean) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iagn1283.mds
O17 - HKLM\Software\..\Telephony: DomainName = iagn1283.mds
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B7BFC3-C0FC-4C0D-9501-E639756AE334}: NameServer = 4.2.2.2,4.2.2.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iagn1283.mds
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iagn1283.mds
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = iagn1283.mds
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = iagn1283.mds
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = iagn1283.mds
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7705 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080711-184736-172 O15 - Trusted Zone: *.doginhispen.com
backup-20080711-184737-784 O15 - Trusted Zone: *.whataboutadog.com
backup-20080711-184737-829 O15 - Trusted Zone: *.whataboutarabit.com

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 85ae630d-b67d-46c3-8d4a-882af1bced1a - d:\cds300\cds300.dll (file missing)
S3 gameenum (Game Port Enumerator) - c:\windows\system32\drivers\gameenum.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys (file missing)
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RimUsb (RIM Handheld) - c:\windows\system32\drivers\rimusb.sys (file missing)
S3 sdcplh - c:\windows\system32\drivers\sdcplh.sys <Not Verified; ; SDCPLH>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S3 BAsfIpM (Broadcom ASF IP monitoring service v6.0.3) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
S3 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)
S3 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect 7.0\retrorun.exe <Not Verified; EMC Dantz; Retrospect>
S3 Retrospect Helper - "c:\program files\dantz\retrospect 7.0\rthlpsvc.exe" <Not Verified; EMC Dantz; Retrospect>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 09:04:39 0 dr-h---c- C:\Documents and Settings\ottoal\Recent
2008-07-11 23:00:33 0 d------c- C:\Program Files\Ad-Aware
2008-07-11 23:00:32 0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-11 22:58:50 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 12:20:46 0 d------c- C:\Program Files\Foxit Software
2008-07-10 01:44:55 0 d------c- C:\WINDOWS\SoftwareDistribution
2008-07-10 01:30:50 6656 --a----c- C:\WINDOWS\system32\Native.exe
2008-07-10 01:26:40 0 d------c- C:\ReimageUndo
2008-07-10 01:25:52 0 d-------- C:\Documents and Settings\a1283490\Desktop
2008-07-10 01:25:52 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Desktop
2008-07-10 01:25:52 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Application Data
2008-07-10 01:25:52 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Application Data\Microsoft
2008-07-10 01:25:51 0 d-------- C:\Documents and Settings\a1283490\Favorites
2008-07-10 01:25:51 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Favorites
2008-07-10 01:25:45 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\PrintHood
2008-07-10 01:25:45 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\NetHood
2008-07-10 01:25:44 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\SendTo
2008-07-10 01:25:43 0 d-------- C:\Documents and Settings\a1283490\Start Menu
2008-07-10 01:25:40 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Start Menu
2008-07-10 01:25:38 0 d-------- C:\Documents and Settings\A1283490.1283OTTOA\Templates
2008-07-10 01:25:28 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-07-10 01:25:28 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\Start Menu
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\SendTo
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\Recent
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\PrintHood
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\NetHood
2008-07-10 01:25:27 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-07-10 01:25:26 0 d-------- C:\Documents and Settings\Default User\Templates
2008-07-10 01:25:17 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-10 01:25:04 316416 --a------ C:\WINDOWS\system32\WUDFx.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:25:03 55808 --a------ C:\WINDOWS\system32\WudfSvc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:25:03 165376 --a------ C:\WINDOWS\system32\WudfPlatform.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:25:02 146432 --a------ C:\WINDOWS\system32\WudfHost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:57 133632 --a------ C:\WINDOWS\system32\WPDShServiceObj.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:57 38400 --a------ C:\WINDOWS\system32\wpdshextres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:57 17408 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:55 2603008 --a------ C:\WINDOWS\system32\WpdShext.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:52 656896 --a------ C:\WINDOWS\system32\WMVXENCD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:51 767488 --a------ C:\WINDOWS\system32\WMVSENCD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:50 1382912 --a------ C:\WINDOWS\system32\WMVSDECD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:49 1574912 --a------ C:\WINDOWS\system32\WMVENCOD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:46 1543680 --a------ C:\WINDOWS\system32\WMVDECOD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:36 130048 --a------ C:\WINDOWS\system32\wmpps.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:36 613376 --a------ C:\WINDOWS\system32\wmpmde.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:28 295936 --a------ C:\WINDOWS\system32\wmpeffects.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:15 535040 --a------ C:\WINDOWS\system32\wmdrmsdk.dll <Not Verified; Microsoft Corporation; Microsoft® DRM>
2008-07-10 01:24:00 199168 --a------ C:\WINDOWS\system32\PortableDeviceWMDRM.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:24:00 132096 --a------ C:\WINDOWS\system32\PortableDeviceWiaCompat.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:59 166912 --a------ C:\WINDOWS\system32\PortableDeviceTypes.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:59 101888 --a------ C:\WINDOWS\system32\PortableDeviceClassExtension.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:58 284160 --a------ C:\WINDOWS\system32\PortableDeviceApi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:28 259072 --a------ C:\WINDOWS\system32\MPG4DECD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:26 317440 --a------ C:\WINDOWS\system32\MP4SDECD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:25 259072 --a------ C:\WINDOWS\system32\MP43DECD.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:25 212992 --a------ C:\WINDOWS\system32\MFPLAT.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:09 249856 --a------ C:\WINDOWS\system32\drmupgds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:08 82944 --a------ C:\WINDOWS\system32\drivers\WudfRd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:08 77568 --a------ C:\WINDOWS\system32\drivers\WudfPf.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:23:07 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-10 00:39:17 0 d------c- C:\Reimage
2008-07-09 18:24:58 0 d------c- C:\Program Files\MSXML 4.0
2008-07-09 18:04:36 262144 --a------ C:\Documents and Settings\Default User\ntuser.dat
2008-07-09 17:08:08 0 d------c- C:\Documents and Settings\ottoal\Application Data\WinPatrol
2008-07-09 17:07:52 0 d------c- C:\Program Files\BillP Studios
2008-07-09 16:41:19 0 d--h---c- C:\$AVG8.VAULT$
2008-07-09 15:40:32 0 d------c- C:\WINDOWS\system32\drivers\Avg
2008-07-09 15:40:17 0 d------c- C:\Program Files\AVG
2008-07-09 15:40:15 0 d------c- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-09 13:41:02 81920 --a----c- C:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
2008-07-09 13:41:01 323584 --a----c- C:\WINDOWS\system32\FoxImager.dll
2008-07-09 13:41:00 0 d------c- C:\Program Files\Cheetah Burner
2008-07-09 13:29:27 0 d------c- C:\Program Files\CCleaner


-- Find3M Report ---------------------------------------------------------------

2008-07-11 22:58:50 0 d------c- C:\Program Files\Common Files
2008-07-11 19:47:18 0 d------c- C:\Program Files\Java
2008-07-10 01:43:29 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:28 356352 --a------ C:\WINDOWS\system32\wpdsp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:25 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:24 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:24 35840 --a------ C:\WINDOWS\system32\wpdconns.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:20 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:20 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:17 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:17 4096 --a------ C:\WINDOWS\system32\wmvadvd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:17 1329152 --a------ C:\WINDOWS\system32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:16 603648 --a------ C:\WINDOWS\system32\wmspdmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:15 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:14 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:14 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:14 99840 --a------ C:\WINDOWS\system32\wmpshell.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:13 8231936 --a------ C:\WINDOWS\system32\wmploc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:06 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:04 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:43:03 242688 --a------ C:\WINDOWS\system32\wmpasf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:54 937984 --a------ C:\WINDOWS\system32\wmnetmgr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:53 157184 --a------ C:\WINDOWS\system32\wmidx.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:53 227328 --a------ C:\WINDOWS\system32\wmerror.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:51 348672 --a------ C:\WINDOWS\system32\WMDRMNet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:51 429056 --a------ C:\WINDOWS\system32\WMDRMdev.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:50 37376 --a------ C:\WINDOWS\system32\WMDMPS.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:42:50 33792 --a------ C:\WINDOWS\system32\WMDMLOG.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:42:49 1117696 --a------ C:\WINDOWS\system32\wmadmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:49 757248 --a------ C:\WINDOWS\system32\wmadmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:46 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:46 4096 --a------ C:\WINDOWS\system32\wdfapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:45 8704 --a------ C:\WINDOWS\system32\uwdf.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:42 211456 --a------ C:\WINDOWS\system32\qasf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:39 321536 --a------ C:\WINDOWS\system32\MSWMDM.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:42:38 414208 --a------ C:\WINDOWS\system32\MSSCP.dll <Not Verified; Microsoft Corporation; Microsoft® DRM>
2008-07-10 01:42:37 175616 --a------ C:\WINDOWS\system32\MsPMSP.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:42:37 27136 --a------ C:\WINDOWS\system32\MsPMSNSv.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:42:36 179712 --a------ C:\WINDOWS\system32\msnetobj.dll <Not Verified; Microsoft Corporation; Microsoft® DRM>
2008-07-10 01:42:16 4096 --a------ C:\WINDOWS\system32\mpg4dmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:15 4096 --a------ C:\WINDOWS\system32\mp4sdmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:15 4096 --a------ C:\WINDOWS\system32\mp43dmod.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:14 100864 --a------ C:\WINDOWS\system32\logagent.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:13 11264 --a------ C:\WINDOWS\system32\laprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:42:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-10 01:42:03 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll <Not Verified; Microsoft Corporation; Microsoft® DRM>
2008-07-10 01:41:57 229376 --a------ C:\WINDOWS\system32\cewmdm.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-07-10 01:41:56 542720 --a------ C:\WINDOWS\system32\blackbox.dll <Not Verified; Microsoft Corporation; Microsoft® DRM>
2008-07-10 01:41:56 276992 --a------ C:\WINDOWS\system32\Audiodev.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 01:41:52 7168 --a------ C:\WINDOWS\system32\asferror.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-09 22:41:21 0 d------c- C:\Documents and Settings\ottoal\Application Data\Mozilla
2008-07-09 18:55:18 0 d------c- C:\Program Files\Common Files\AOL
2008-07-09 18:52:28 0 d------c- C:\Documents and Settings\ottoal\Application Data\AOL
2008-07-09 17:40:03 0 d------c- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 16:41:21 0 d------c- C:\Program Files\eSoftware
2008-07-09 15:31:28 0 d------c- C:\Program Files\Common Files\Adaptec Shared
2008-07-09 15:31:22 0 d------c- C:\Program Files\Roxio
2008-07-09 15:31:21 1044480 --a----c- C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2008-07-09 13:41:00 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-06-07 10:27:29 0 d------c- C:\Program Files\Messenger
2008-06-07 10:25:28 0 d------c- C:\Program Files\Movie Maker
2008-06-07 10:13:11 0 d------c- C:\Program Files\Windows NT
2008-06-05 14:13:20 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2008-05-05 17:02:55 130971 --a----c- C:\WINDOWS\hpoins12.dat
2008-04-18 09:34:26 96577 --a----c- C:\WINDOWS\hpqins16.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE84A6AA-A333-4B92-B276-C11E2212E4FE}]
12/15/2006 07:34 PM 599472 --a--c--- C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/09/2008 04:02 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [07/04/2008 12:58 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\ottoal\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 3:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 3:36:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e739116e-f6af-11dc-abad-00038a000015}]
AutoRun\command- E:\LapNetWizard.exe




-- Hosts -----------------------------------------------------------------------


8784 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-12 10:03:55 ------------

I just want to make sure I got everything. He's an hour away, so I don't want to get it back to him only to find out I missed something.

Thanks,
Jack


#2 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:10 AM

Posted 14 July 2008 - 01:42 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Open CCleaner.
  • On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.
________________

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -
  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, so we may continue cleansing the system -

- the Combofix log (C:\ComboFix.txt)
- a new HijackThis log
- the CCleaner Uninstall List (install.txt)
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#3 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:10 AM

Posted 18 July 2008 - 02:27 PM

Do you still need help?
Simon V.


#4 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:10 AM

Posted 20 July 2008 - 11:11 AM

Due to inactivity, this topic will be closed.

If you need help please start a new thread and post a new HijackThis log.
Simon V.




