
Defender Reports Infections


This topic is locked
21 replies to this topic

#1 alvintc

Posted 24 July 2008 - 05:44 AM

Hi,
Hope someone can help! I appear to have picked up a couple of unwanted programs on my laptop.
Windows Defender reports Win32/Conhook.D, then the system hangs on removal.

I have tried to run the guide listed in the first steps, however notepad reports errors when trying to run.
Kaspersky online won't run (can't load site)
Windows update no longer runs.

Any advice/ help would be very much appreciated!

UPDATE AVG managed to clear enough to get notepad running:
----------SNIPPED as there is an update below-------

Edited by alvintc, 24 July 2008 - 05:55 PM.



#2 alvintc

Posted 24 July 2008 - 12:56 PM

Okay... so Windows Update now runs (the service was disabled by one of the nasties).
I can get to most websites.

Booting Windows gives 2 errors; however, I can get rid of them by disabling them from msconfig.

Am now attempting to run Kaspersky. Will post the latest DSS/HJT logs afterwards in case I missed anything.

#3 alvintc


Posted 24 July 2008 - 05:56 PM

Kaspersky detected nothing :thumbsup:
DSS results are:
Deckard's System Scanner v20071014.68
Run by MMagee on 2008-07-24 23:52:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MMagee.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53:40, on 24/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
D:\Program Files\VMware\VMware Workstation\hqtray.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\mmagee\Desktop\dss.exe
D:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
D:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
D:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
D:\PROGRA~1\HIJACK~1\MMagee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://primnet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C4CF2E3-CF3D-43DE-B226-5CCC621FB61B} - C:\Windows\system32\cbXpMGYP.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "D:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [WinampAgent] "d:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [8c4b2834] rundll32.exe "C:\Windows\system32\tiwcsqkm.dll",b
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: SnagIt 9.lnk = D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://oep.primavera.com
O15 - Trusted Zone: http://servicedesk.primavera.com
O15 - Trusted Zone: http://*.primnet
O15 - Trusted Zone: http://*.primuseserv
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://londntsrv1.primavera.com/dwa8W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.primavera.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ad.primavera.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: kvxqmtre - {5BAA4182-F7D5-499C-87BC-FF058C2B9405} - (no file)
O21 - SSODL: evgratsm - {FEBDF2F4-C099-47E8-93A7-0109A21C96E2} - (no file)
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - D:\Notes\ntmulti.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10950 bytes

-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 23:39:57 0 d-------- C:\Program Files\Axon Data
2008-07-24 23:31:09 94848 --a------ C:\Windows\system32\tiwcsqkm.dll
2008-07-24 23:31:05 116864 --a------ C:\Windows\system32\nmurrq.dll
2008-07-24 23:31:04 116864 --a------ C:\Windows\system32\pngnavmv.dll
2008-07-24 13:50:57 0 d--h----- C:\$AVG8.VAULT$
2008-07-24 13:49:31 0 d-------- C:\Windows\system32\drivers\Avg
2008-07-24 13:49:25 0 d-------- C:\Users\All Users\avg8
2008-07-24 13:49:25 0 d-------- C:\Program Files\AVG
2008-07-23 22:53:58 47104 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-23 22:53:17 17408 --a------ C:\Windows\system32\rpcnetp.exe
2008-07-23 20:57:20 469159 --ahs---- C:\Windows\system32\PYGMpXbc.ini2
2008-07-23 20:57:15 323584 -----n--- C:\Windows\system32\cbXpMGYP.dll
2008-07-23 20:48:19 0 d-------- C:\Users\All Users\SecuriSoft SARL
2008-07-23 20:47:30 0 d-------- C:\Quarantine
2008-07-23 20:32:49 164352 --a------ C:\Windows\system32\unrar.dll
2008-07-23 20:32:48 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-07-23 20:25:42 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-07-23 20:18:45 0 d-------- C:\Users\All Users\TechSmith
2008-07-23 20:17:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:16:15 0 d-------- C:\Windows\WinRAR
2008-07-23 20:00:05 0 d-------- C:\Users\All Users\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\Common Files\VMware
2008-07-23 11:43:56 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 11:43:55 0 d-------- C:\Program Files\Windows Live
2008-07-23 11:43:51 0 d-------- C:\Users\All Users\WLInstaller
2008-07-23 11:39:58 0 d-------- C:\Users\All Users\FLEXnet
2008-07-23 11:39:56 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-23 11:39:13 0 d-------- C:\Users\mmagee\dwhelper
2008-07-23 11:31:21 0 --a------ C:\Windows\nsreg.dat
2008-07-23 11:25:59 0 d-------- C:\Program Files\uTorrent
2008-07-23 11:16:34 0 d-------- C:\Users\mmagee\SametimeTranscripts
2008-07-23 11:05:56 0 d-------- C:\Users\All Users\Roxio
2008-07-23 11:01:33 0 d-------- C:\Users\All Users\Yahoo!
2008-07-18 11:42:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Templates
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Start Menu
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\SendTo
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Recent
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\PrintHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\NetHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\My Documents
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Local Settings
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Cookies
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Application Data
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Videos
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Searches
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Saved Games
2008-07-17 17:23:07 0 d-------- C:\Users\mmagee\Roaming
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Pictures
2008-07-17 17:23:07 1835008 --ahs---- C:\Users\mmagee\NTUSER.DAT
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Music
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Links
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Favorites
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Downloads
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Desktop
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Contacts
2008-07-17 17:23:07 0 d--h----- C:\Users\mmagee\AppData
2008-07-17 13:31:56 47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-17 13:29:44 17408 --a------ C:\Windows\system32\rpcnetp.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-24 23:49:29 12 --a------ C:\Windows\bthservsdp.dat
2008-07-23 20:17:38 0 d-------- C:\Program Files\Common Files
2008-07-23 11:39:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-23 11:09:47 0 d-------- C:\Program Files\Windows Mail
2008-07-23 11:07:12 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-17 13:45:02 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C4CF2E3-CF3D-43DE-B226-5CCC621FB61B}]
23/07/2008 20:57 323584 --------- C:\Windows\system32\cbXpMGYP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/01/2007 11:31]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [12/05/2008 15:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [13/09/2007 15:44]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [04/10/2007 22:24]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [04/10/2007 22:24]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [04/10/2007 22:24]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [04/10/2007 22:24]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/05/2007 22:46]
"vmware-tray"="D:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [08/10/2007 09:27]
"VMware hqtray"="D:\Program Files\VMware\VMware Workstation\hqtray.exe" [08/10/2007 09:26]
"WinampAgent"="d:\Program Files\Winamp\winampa.exe" [09/07/2008 22:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 00:38]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [24/07/2008 13:49]
"8c4b2834"="C:\Windows\system32\tiwcsqkm.dll" [24/07/2008 23:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 00:33]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 9.lnk - D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe [15/05/2008 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"HideFastUserSwitching"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6230596F-3A44-4CDF-815B-372FA03C75D6}"= C:\Windows\system32\dDsrqnNd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli CPNP
"Authentication Packages"= msv1_0 C:\Windows\system32\cbXpMGYP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c4b2834]
rundll32.exe "C:\Windows\system32\mgxsrtwq.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcl0lj0en57]
C:\Windows\system32\lphcl0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\geBtQJcy.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcg0lj0en57]
C:\Program Files\rhcg0lj0en57\rhcg0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys56B6.exe]
C:\Windows\Sys56B6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61BE.exe]
C:\Windows\Sys61BE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61DD.exe]
C:\Windows\Sys61DD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-07-24 23:54:14 ------------
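The DSS/HJT log above contains the kind of entries a malware-removal helper would pick out first: a Run value named with a bare hex string (8c4b2834) that loads a random-named system32 DLL through rundll32 with a one-letter export, an unnamed BHO pointing at cbXpMGYP.dll, SSODL entries with no file behind them, and a second LSA authentication package next to msv1_0. The triage script below is an added example for this thread, not code from BleepingComputer, HijackThis or Deckard's System Scanner; its sample input is a few lines copied from that log, and the rule names are my own.

```python
"""Triage of HijackThis / DSS log lines for the persistence patterns an
analyst would pick out of the log above. Added example for this thread,
not code from BleepingComputer, HijackThis or Deckard's System Scanner."""
import re

# Constructed sample: five lines copied from the thread's first log, plus one
# benign NVIDIA Run entry (line 3) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1C4CF2E3-CF3D-43DE-B226-5CCC621FB61B} - C:\Windows\system32\cbXpMGYP.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [8c4b2834] rundll32.exe "C:\Windows\system32\tiwcsqkm.dll",b
O21 - SSODL: kvxqmtre - {5BAA4182-F7D5-499C-87BC-FF058C2B9405} - (no file)
"Authentication Packages"= msv1_0 C:\Windows\system32\cbXpMGYP
"""

# HJT "O4" autostart line: O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32[.exe] ["]<dll>["],<export>
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)')
# HJT "O2" browser helper object: O2 - BHO: <name> - {<clsid>} - <path or (no file)>
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
# HJT "O21" ShellServiceObjectDelayLoad entry
SSODL_RE = re.compile(r'^O21 - SSODL: (?P<name>\S+) - \{[^}]+\} - (?P<path>.+)$')
# DSS registry-dump line for the LSA authentication package list
LSA_RE = re.compile(r'^"Authentication Packages"\s*=\s*(?P<pkgs>.+)$')


def _finding(lineno, rule, detail):
    return {"line": lineno, "rule": rule, "detail": detail}


def triage(log_text):
    """Return one finding per suspicious pattern per line of an HJT/DSS log."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            # A Run value whose name is a bare 8-digit hex string, as 8c4b2834 is here.
            if re.fullmatch(r"[0-9a-fA-F]{8}", name):
                findings.append(_finding(lineno, "run-value-hex-name", name))
            r = RUNDLL_RE.search(cmd)
            # rundll32 calling a one-letter export (",b") or an ordinal (",#1");
            # vendor DLLs in this log export descriptive names such as nvsvcStart.
            if r and re.fullmatch(r"[A-Za-z]|#\d+", r.group("export")):
                findings.append(_finding(lineno, "rundll32-opaque-export", r.group("dll")))
            continue
        m = BHO_RE.match(line)
        # An unnamed BHO that still has a DLL on disk is loaded into every IE process.
        if m and m.group("name") == "(no name)" and m.group("path") != "(no file)":
            findings.append(_finding(lineno, "bho-unnamed", m.group("path")))
            continue
        m = SSODL_RE.match(line)
        # SSODL entries with no file are leftovers of a removed component.
        if m and m.group("path") == "(no file)":
            findings.append(_finding(lineno, "ssodl-orphan", m.group("name")))
            continue
        m = LSA_RE.match(line)
        if m:
            # Anything beyond msv1_0 is loaded by lsass.exe at boot and sees credentials.
            extra = [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(_finding(lineno, "lsa-extra-auth-package", " ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['detail']}")
```

Run against the full pasted log it also picks up the msconfig startupreg entry loading geBtQJcy.dll via ordinal #1; the rules are heuristics to focus a reviewer, not a verdict.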

#4 alvintc


Posted 02 August 2008 - 07:10 AM

I think I've cleared most of it... Here's the latest logs:
Deckard's System Scanner v20071014.68
Run by MMagee on 2008-08-02 13:09:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MMagee.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:10:03, on 02/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
D:\Program Files\VMware\VMware Workstation\hqtray.exe
D:\Program Files\Winamp\winampa.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
D:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\mmagee\Desktop\dss.exe
D:\PROGRA~1\HIJACK~1\MMagee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://primnet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "D:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [WinampAgent] "d:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: SnagIt 9.lnk = D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://oep.primavera.com
O15 - Trusted Zone: http://servicedesk.primavera.com
O15 - Trusted Zone: http://*.primnet
O15 - Trusted Zone: http://*.primuseserv
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://londntsrv1.primavera.com/dwa8W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.primavera.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - D:\Notes\ntmulti.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - d:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10854 bytes

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-07-25 11:37:56 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-25 00:29:22 0 d-------- C:\Users\All Users\Lavasoft
2008-07-25 00:21:26 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-24 23:39:57 0 d-------- C:\Program Files\Axon Data
2008-07-24 13:50:57 0 d--h----- C:\$AVG8.VAULT$
2008-07-24 13:49:31 0 d-------- C:\Windows\system32\drivers\Avg
2008-07-24 13:49:25 0 d-------- C:\Users\All Users\avg8
2008-07-24 13:49:25 0 d-------- C:\Program Files\AVG
2008-07-23 22:53:58 47104 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-23 22:53:17 17408 --a------ C:\Windows\system32\rpcnetp.exe
2008-07-23 20:54:48 14121 --a------ C:\Windows\system32\clbinit.dll
2008-07-23 20:47:30 0 d-------- C:\Quarantine
2008-07-23 20:32:49 164352 --a------ C:\Windows\system32\unrar.dll
2008-07-23 20:32:48 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-07-23 20:25:42 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-07-23 20:18:45 0 d-------- C:\Users\All Users\TechSmith
2008-07-23 20:17:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:16:15 0 d-------- C:\Windows\WinRAR
2008-07-23 20:00:05 0 d-------- C:\Users\All Users\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\Common Files\VMware
2008-07-23 11:43:56 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 11:43:55 0 d-------- C:\Program Files\Windows Live
2008-07-23 11:43:51 0 d-------- C:\Users\All Users\WLInstaller
2008-07-23 11:39:58 0 d-------- C:\Users\All Users\FLEXnet
2008-07-23 11:39:56 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-23 11:39:13 0 d-------- C:\Users\mmagee\dwhelper
2008-07-23 11:31:21 0 --a------ C:\Windows\nsreg.dat
2008-07-23 11:25:59 0 d-------- C:\Program Files\uTorrent
2008-07-23 11:16:34 0 d-------- C:\Users\mmagee\SametimeTranscripts
2008-07-23 11:05:56 0 d-------- C:\Users\All Users\Roxio
2008-07-23 11:01:33 0 d-------- C:\Users\All Users\Yahoo!
2008-07-18 11:42:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Templates
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Start Menu
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\SendTo
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Recent
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\PrintHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\NetHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\My Documents
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Local Settings
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Cookies
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Application Data
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Videos
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Searches
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Saved Games
2008-07-17 17:23:07 0 d-------- C:\Users\mmagee\Roaming
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Pictures
2008-07-17 17:23:07 4456448 --ahs---- C:\Users\mmagee\NTUSER.DAT
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Music
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Links
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Favorites
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Downloads
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Desktop
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Contacts
2008-07-17 17:23:07 0 d--h----- C:\Users\mmagee\AppData
2008-07-17 13:31:56 47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-17 13:29:44 17408 --a------ C:\Windows\system32\rpcnetp.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-31 14:41:35 12 --a------ C:\Windows\bthservsdp.dat
2008-07-23 20:17:38 0 d-------- C:\Program Files\Common Files
2008-07-23 11:39:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-23 11:09:47 0 d-------- C:\Program Files\Windows Mail
2008-07-23 11:07:12 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-17 13:45:02 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/01/2007 11:31]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [12/05/2008 15:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [13/09/2007 15:44]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [04/10/2007 22:24]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [04/10/2007 22:24]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [04/10/2007 22:24]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [04/10/2007 22:24]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/05/2007 22:46]
"vmware-tray"="D:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [08/10/2007 09:27]
"VMware hqtray"="D:\Program Files\VMware\VMware Workstation\hqtray.exe" [08/10/2007 09:26]
"WinampAgent"="d:\Program Files\Winamp\winampa.exe" [09/07/2008 22:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 00:38]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [24/07/2008 13:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 00:33]
"SpybotSD TeaTimer"="d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SnagIt 9.lnk - D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe [15/05/2008 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"HideFastUserSwitching"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli CPNP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c4b2834]
rundll32.exe "C:\Windows\system32\mgxsrtwq.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcl0lj0en57]
C:\Windows\system32\lphcl0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\geBtQJcy.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcg0lj0en57]
C:\Program Files\rhcg0lj0en57\rhcg0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys56B6.exe]
C:\Windows\Sys56B6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61BE.exe]
C:\Windows\Sys61BE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61DD.exe]
C:\Windows\Sys61DD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-08-02 13:10:36 ------------
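
The registry dump in the log above is where the interesting material sits: the startup items the poster disabled with msconfig (the `msconfig\startupreg` keys with names like `8c4b2834`, `lphcl0lj0en57` and the `Sys####.exe` files in the Windows root), an AutoRun command registered for drive E:, a service with "Unknown owner", and `EnableLUA=0`, which means UAC is switched off on this Vista machine. msconfig only moves the Run value under that key; it never deletes the file. The following script is an added example, not part of the thread and not a feature of HijackThis or DSS: it parses those log line shapes and lists the entries an analyst would check first. The helper names (`looks_random`, `assess`, `triage`), the "random name" heuristics and their thresholds are my assumptions; they flag machine-looking names, not known-bad files, so every hit still needs a manual verdict (publisher, hash, scan result). The sample input is an excerpt of the posted log.

```python
"""Triage helper for HijackThis / Deckard's System Scanner (DSS) text logs.
Added example for this thread, not part of the post and not a HijackThis or DSS
feature. It parses the line shapes posted above (HJT 'O4'/'O23' lines, the DSS
'msconfig\\startupreg', 'mountpoints2' and 'policies\\system' dumps) and lists
the entries an analyst would check first. Heuristics and thresholds are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Input: an excerpt of the DSS/HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\Windows\SYSTEM32\LxrSII1s.exe
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c4b2834]
rundll32.exe "C:\Windows\system32\mgxsrtwq.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\geBtQJcy.dll,#1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys56B6.exe]
C:\Windows\Sys56B6.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe
"""

_HJT_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
_DSS_STARTUPREG = re.compile(r"msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
_DSS_MOUNTPOINT = re.compile(r"mountpoints2\\(?P<drive>[^\]]+)\]$", re.I)
_UAC_OFF = re.compile(r'^"EnableLUA"=0\b')
# First Windows path with a PE/driver extension inside a command line.
_PATH = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\.*?\.(?:exe|dll|sys)\b", re.I)


@dataclass
class Finding:
    source: str     # log section the entry came from
    name: str       # Run value name, service name, drive or policy value
    target: str     # command line / binary the entry launches
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> list:
    """Reasons (possibly none) a file or value name looks machine-generated.
    Thresholds are tuned (assumption) so 'nvsvc' passes and 'mgxsrtwq' does not."""
    reasons, run, best = [], 0, 0
    for ch in stem:
        if ch.isalpha():        # y counts as a consonant; digits do not reset the run
            run = 0 if ch.lower() in "aeiou" else run + 1
            best = max(best, run)
    if best >= 6:
        reasons.append(f"consonant run of {best}")
    if len(re.findall(r"[0-9]+", stem)) >= 2 and re.search(r"[a-z]", stem, re.I):
        reasons.append("letters mixed with several digit groups")
    return reasons


def assess(source: str, name: str, cmd: str, owner: Optional[str] = None) -> Optional[Finding]:
    """Apply the triage rules to one autostart entry; None when nothing stands out."""
    f, m = Finding(source, name, cmd), _PATH.search(cmd)
    path = m.group(0) if m else cmd
    stem = re.sub(r"\.[^.\\]+$", "", path.rsplit("\\", 1)[-1])
    name_stem = re.sub(r"\.[^.]+$", "", name)
    f.reasons += [f"binary name '{stem}': {r}" for r in looks_random(stem)]
    if name_stem.lower() != stem.lower():
        f.reasons += [f"entry name '{name_stem}': {r}" for r in looks_random(name_stem)]
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", path, re.I):
        f.reasons.append("executable sits directly in the Windows directory")
    if owner and owner.lower() == "unknown owner":
        f.reasons.append("service binary carries no publisher name")
    if source == "msconfig/startupreg":   # msconfig moves the Run value here; the file stays
        f.reasons.append("disabled with msconfig; the file is still on disk")
    if source == "mountpoints2":
        f.reasons.append("AutoRun command registered for a removable drive")
    return f if f.reasons else None


def triage(log_text: str) -> list:
    """Walk a log and collect findings in document order."""
    findings, pending = [], None    # pending: (source, name) waiting for its command line
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if pending:
            f, pending = assess(*pending, line), None
        elif m := _HJT_O4.match(line):
            f = assess("O4", m["name"], m["cmd"])
        elif m := _HJT_O23.match(line):
            f = assess("O23", m["name"], m["cmd"], owner=m["owner"])
        elif m := _DSS_STARTUPREG.search(line):
            pending, f = ("msconfig/startupreg", m["name"]), None
        elif m := _DSS_MOUNTPOINT.search(line):
            pending, f = ("mountpoints2", m["drive"] + ":"), None
        elif _UAC_OFF.match(line):
            f = Finding("policies/system", "EnableLUA", "0",
                        ["UAC disabled: administrators get a full token and no elevation prompt"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name} -> {f.target}")
        print("\n".join(f"    - {r}" for r in f.reasons))
```

Run against the excerpt, the script leaves the NVIDIA `NvSvc` entry alone and reports the Lexar service (no publisher), the disabled UAC, all four msconfig-disabled items and the AutoRun value for E:. The `Antivirus -> C:\Program Files\VAV\vav.exe` entry is listed only because it was disabled with msconfig; the script makes no claim about what that program is, which is exactly the point of a triage list: it tells the analyst where to look, not what the verdict is.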

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,111 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:35 PM

Posted 07 August 2008 - 11:41 PM

Hello alvintc,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged on to an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you have already performed the steps above, we still need to see the current state of the machine. A fresh scan and logs are still necessary.

Click on Start, then Run.
Copy and paste the following in bold into the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad, main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#6 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:35 AM

Posted 09 August 2008 - 06:58 AM

Hi Orange Blossom,
Please find requested attached:
Deckard's System Scanner v20071014.68
Run by MMagee on 2008-08-09 12:54:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-08-08 16:34:01 UTC - RP82 - Scheduled Checkpoint
8: 2008-08-07 22:51:37 UTC - RP81 - Windows Update
7: 2008-08-06 13:34:38 UTC - RP80 - Logitech SetPoint Mouse and Keyboard Device Drivers
6: 2008-08-06 11:57:48 UTC - RP78 - Windows Update
5: 2008-08-05 15:39:08 UTC - RP77 - Installed AVG Free 8.0


-- First Restore Point --
1: 2008-08-05 11:40:53 UTC - RP73 - Removed Lotus Notes 8.0.1.


Performed disk cleanup.



-- HijackThis (run as MMagee.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:15, on 09/08/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
D:\Program Files\VMware\VMware Workstation\hqtray.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Dell\QuickSet\quickset.exe
D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
D:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\mmagee\Desktop\dss.exe
D:\PROGRA~1\HIJACK~1\MMagee.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://primnet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.68.162.22:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = )
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [vmware-tray] D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "D:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [WinampAgent] "d:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickSet.lnk = D:\Program Files\Dell\QuickSet\quickset.exe
O4 - Global Startup: SnagIt 9.lnk = D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://oep.primavera.com
O15 - Trusted Zone: http://servicedesk.primavera.com
O15 - Trusted Zone: http://*.primnet
O15 - Trusted Zone: http://*.primuseserv
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.euro.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://londntsrv1.primavera.com/dwa8W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.primavera.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.primavera.com
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - D:\Notes\nslsvice.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\Windows\SYSTEM32\LxrSII1s.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - D:\Notes\ntmulti.exe
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - D:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - d:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11559 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CP_OMDRV (Check Point Office Mode Module) - c:\windows\system32\drivers\omdrv.sys <Not Verified; Check Point Software Technologies; vna>
R2 LxrSII1d (Secure II Driver) - \??\c:\windows\system32\drivers\lxrsii1d.sys
R2 VPN-1 (VPN-1 Module) - c:\windows\system32\drivers\vpn.sys <Not Verified; Check Point Software Technologies; vpn1>

S3 CSRBC (CSRBC.Sys CSR test driver) - c:\windows\system32\drivers\csrbcxp.sys <Not Verified; CSR, plc; CsrUsb Device Driver>
S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthFilterHelper (Bluetooth Feature Support) - "c:\program files\csr\vista profile pack\bthfilterhelper.exe" <Not Verified; CSR, plc; BthFilter Helper Service>
R2 Lotus Notes Single Logon - d:\notes\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 LxrSII1s (Lexar Secure II) - lxrsii1s.exe
R2 Multi-user Cleanup Service - d:\notes\ntmulti.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 rpcnet (Remote Procedure Call (RPC) Net) - c:\windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 SR_Service (Check Point VPN-1 Securemote service) - "c:\program files\checkpoint\securemote\bin\sr_service.exe" <Not Verified; Check Point Software Technologies; desktop>
S3 SR_Watchdog (Check Point VPN-1 Securemote watchdog) - "c:\program files\checkpoint\securemote\bin\sr_watchdog.exe" <Not Verified; Check Point Software Technologies; desktop>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\Windows\explorer.exe (pid 3348)
2007-01-11 11:31:42 106496 --a------ C:\Program Files\McAfee\Common Framework\JrMac.dll <Not Verified; McAfee, Inc.; McAfee Common Framework>


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-06 15:33:36 0 d-------- C:\Users\All Users\Dell
2008-08-06 14:36:24 0 d-------- C:\Users\All Users\LogiShrd
2008-08-06 14:34:13 0 d-------- C:\Users\All Users\Logitech
2008-08-06 14:34:11 0 d-------- C:\Program Files\Common Files\Logishrd
2008-08-06 13:06:03 49152 --a------ C:\Windows\system32\LxrSII1s.exe
2008-08-06 13:06:03 139264 --a------ C:\Windows\system32\LxrSII1.dll <Not Verified; Lexar Media, Inc.; Secure II Dynamic Link Library>
2008-08-06 13:06:03 72672 --a------ C:\Windows\system32\drivers\LxrSII1d.sys
2008-08-05 16:39:21 0 d-------- C:\Users\All Users\Avg8
2008-08-05 09:00:38 0 d-------- C:\Windows\system32\Dell
2008-07-25 11:37:56 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-25 00:29:22 0 d-------- C:\Users\All Users\Lavasoft
2008-07-25 00:21:26 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-24 23:39:57 0 d-------- C:\Program Files\Axon Data
2008-07-23 22:53:58 47104 --a------ C:\Windows\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-23 22:53:17 17408 --a------ C:\Windows\system32\rpcnetp.exe
2008-07-23 20:54:48 14121 --a------ C:\Windows\system32\clbinit.dll
2008-07-23 20:47:30 0 d-------- C:\Quarantine
2008-07-23 20:32:49 164352 --a------ C:\Windows\system32\unrar.dll
2008-07-23 20:32:48 755027 --a------ C:\Windows\system32\xvidcore.dll
2008-07-23 20:25:42 717296 --a------ C:\Windows\system32\drivers\sptd.sys
2008-07-23 20:18:45 0 d-------- C:\Users\All Users\TechSmith
2008-07-23 20:17:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:16:15 0 d-------- C:\Windows\WinRAR
2008-07-23 20:00:05 0 d-------- C:\Users\All Users\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\VMware
2008-07-23 20:00:00 0 d-------- C:\Program Files\Common Files\VMware
2008-07-23 11:43:56 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-23 11:43:55 0 d-------- C:\Program Files\Windows Live
2008-07-23 11:43:51 0 d-------- C:\Users\All Users\WLInstaller
2008-07-23 11:39:58 0 d-------- C:\Users\All Users\FLEXnet
2008-07-23 11:39:56 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-23 11:39:13 0 d-------- C:\Users\mmagee\dwhelper
2008-07-23 11:31:21 0 --a------ C:\Windows\nsreg.dat
2008-07-23 11:25:59 0 d-------- C:\Program Files\uTorrent
2008-07-23 11:16:34 0 d-------- C:\Users\mmagee\SametimeTranscripts
2008-07-23 11:05:56 0 d-------- C:\Users\All Users\Roxio
2008-07-23 11:01:33 0 d-------- C:\Users\All Users\Yahoo!
2008-07-18 11:42:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Templates
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Start Menu
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\SendTo
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Recent
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\PrintHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\NetHood
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\My Documents
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Local Settings
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Cookies
2008-07-17 17:23:08 0 d--hs---- C:\Users\mmagee\Application Data
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Videos
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Searches
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Saved Games
2008-07-17 17:23:07 0 d-------- C:\Users\mmagee\Roaming
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Pictures
2008-07-17 17:23:07 4718592 --ahs---- C:\Users\mmagee\NTUSER.DAT
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Music
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Links
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Favorites
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Downloads
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Desktop
2008-07-17 17:23:07 0 dr------- C:\Users\mmagee\Contacts
2008-07-17 17:23:07 0 d--h----- C:\Users\mmagee\AppData
2008-07-17 13:31:56 47104 --a------ C:\Windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-17 13:29:44 17408 --a------ C:\Windows\system32\rpcnetp.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-07 23:53:47 12 --a------ C:\Windows\bthservsdp.dat
2008-08-06 14:34:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 14:34:11 0 d-------- C:\Program Files\Common Files
2008-08-05 16:39:08 0 d-------- C:\Users\Wilma\AppData\Roaming\Microsoft
2008-08-05 09:00:38 0 d-------- C:\Program Files\Dell
2008-07-23 11:39:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-23 11:09:47 0 d-------- C:\Program Files\Windows Mail
2008-07-23 11:07:12 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-17 13:45:02 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/01/2007 11:31]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [12/05/2008 15:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [13/09/2007 15:44]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [04/10/2007 22:24]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [04/10/2007 22:24]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [04/10/2007 22:24]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [04/10/2007 22:24]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/05/2007 22:46]
"vmware-tray"="D:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [08/10/2007 09:27]
"VMware hqtray"="D:\Program Files\VMware\VMware Workstation\hqtray.exe" [08/10/2007 09:26]
"WinampAgent"="d:\Program Files\Winamp\winampa.exe" [09/07/2008 22:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 00:38]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [29/02/2008 03:12 C:\Windows\KHALMNPR.Exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 00:33]
"SpybotSD TeaTimer"="d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe [06/08/2008 14:34:22]
QuickSet.lnk - D:\Program Files\Dell\QuickSet\quickset.exe [22/02/2008 17:01:38]
SnagIt 9.lnk - D:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe [15/05/2008 16:49:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"HideFastUserSwitching"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli CPNP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c4b2834]
rundll32.exe "C:\Windows\system32\mgxsrtwq.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus]
C:\Program Files\VAV\vav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphcl0lj0en57]
C:\Windows\system32\lphcl0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\geBtQJcy.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcg0lj0en57]
C:\Program Files\rhcg0lj0en57\rhcg0lj0en57.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys56B6.exe]
C:\Windows\Sys56B6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61BE.exe]
C:\Windows\Sys61BE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys61DD.exe]
C:\Windows\Sys61DD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-09 12:56:16 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T9500 @ 2.60GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 3581.21 MiB / 1883.14 MiB
Pagefile Memory (total/avail): 9616.2 MiB / 7919.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.04 MiB

C: is Fixed (NTFS) - 60 GiB total, 23.61 GiB free.
D: is Fixed (NTFS) - 126.3 GiB total, 62.6 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK2051GSY ATA Device - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 60 GiB - C:
\PARTITION1 - Installable File System - 126.3 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)
AS: Spybot - Search and Destroy v1.0.0.6 (Safer Networking Ltd.) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\mmagee\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MMAGEE6300
ComSpec=C:\Windows\system32\cmd.exe
DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection

FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\mmagee
LOCALAPPDATA=C:\Users\mmagee\AppData\Local
LOGONSERVER=\\LNDCIS01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1706
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\mmagee\AppData\Local\Temp
TMP=C:\Users\mmagee\AppData\Local\Temp
USERDNSDOMAIN=AD.PRIMAVERA.COM
USERDOMAIN=PRIMAVERA
USERNAME=MMagee
USERPROFILE=C:\Users\mmagee
VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

mmagee (admin)
local-ukis (admin)


-- Add/Remove Programs ---------------------------------------------------------

2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Acrobat 8.1.0 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AxCrypt (Remove Only) --> "D:\Program Files\Axon Data\AxCrypt\AxCryptU.exe"
BlackBerry Desktop Software 4.3 --> MsiExec.exe /i{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /I{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{FC57FC53-104C-415C-98D7-B05E659461A9}
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2 --> MsiExec.exe /X{057f6911-35fd-4c8d-883f-11b8814480c9}
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000fz.inf
Dell Mobile Broadband Card Utility --> MsiExec.exe /X{DF62D775-BB7C-4AFA-9CA4-DDA1C4855F28}
HijackThis 2.0.2 --> "G:\HijackThis\HijackThis.exe" /uninstall
Intel® PROSet/Wireless Software --> C:\Windows\Installer\iProInst.exe
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 3.8.0 Basic --> "d:\Program Files\K-Lite Codec Pack\unins000.exe"
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Lotus Notes 8.0 --> MsiExec.exe /X{2B2CA7B9-7658-4242-88C8-93D21053D8E3}
McAfee VirusScan Enterprise --> MsiExec.exe /X{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCorev32.ism_new --> MsiExec.exe /I{A945BD16-4774-4A1F-96A7-118BEC004881}
mCPlug --> MsiExec.exe /I{F32ED8B1-2442-4B0E-8DEC-3F3BFC1C2B7F}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRO /dll OSETUP.DLL
Microsoft Office Professional 2007 --> MsiExec.exe /X{90120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.0) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OEM Logo and Information --> C:\Windows\System32\oobe\oem_uninst.exe
Oz776 SCR Driver V1.1.4.2 --> C:\Program Files\InstallShield Installation Information\{C336A3DB-FA32-42BE-97D0-FFD42D807FD6}\setup.exe -runfromtemp -l0x0409
QuickSet --> MsiExec.exe /I{4B6AD248-D3BF-426A-8D64-847288154F13}
RICOH R5C83x/84x Media Driver x86 Ver.3.34.03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SnagIt 9 --> MsiExec.exe /I{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Spybot - Search & Destroy --> "d:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {90120000-0014-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
Vista Profile Pack --> MsiExec.exe /X{D31FB582-86AE-4A05-BFC1-5C5CA944E234}
VMware Workstation --> MsiExec.exe /I{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}
Winamp --> "d:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR --> "C:\Windows\WinRAR\uninstall.exe" "/U:d:\Program Files\WinRAR\Uninstall\uninstall.xml"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type52595 / Error
Event Submitted/Written: 08/09/2008 00:54:11 PM
Event ID/Source: 3013 / Windows Search Service
Event Description:
The entry <C:\USERS\MMAGEE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\8TJATGS7.DEFAULT\CACHE\_CACHE_MAP_> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Event Record #/Type52594 / Error
Event Submitted/Written: 08/09/2008 00:54:10 PM
Event ID/Source: 3013 / Windows Search Service
Event Description:
The entry <C:\USERS\MMAGEE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\8TJATGS7.DEFAULT\CACHE\_CACHE_003_> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Event Record #/Type52593 / Error
Event Submitted/Written: 08/09/2008 00:54:09 PM
Event ID/Source: 3013 / Windows Search Service
Event Description:
The entry <C:\USERS\MMAGEE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\8TJATGS7.DEFAULT\CACHE\_CACHE_002_> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Event Record #/Type52592 / Error
Event Submitted/Written: 08/09/2008 00:54:08 PM
Event ID/Source: 3013 / Windows Search Service
Event Description:
The entry <C:\USERS\MMAGEE\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\8TJATGS7.DEFAULT\CACHE\_CACHE_001_> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Event Record #/Type52582 / Warning
Event Submitted/Written: 08/09/2008 00:09:18 PM
Event ID/Source: 3006 / LoadPerf
Event Description:
0098



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38367 / Error
Event Submitted/Written: 08/09/2008 00:55:04 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
This computer was not able to set up a secure session with a domain
controller in domain PRIMAVERA due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Event Record #/Type38366 / Error
Event Submitted/Written: 08/09/2008 00:54:39 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 540FA8ECB40F. The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Record #/Type38364 / Error
Event Submitted/Written: 08/09/2008 00:48:46 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 540FA8ECB40F. The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Record #/Type38363 / Error
Event Submitted/Written: 08/09/2008 00:42:31 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 540FA8ECB40F. The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Record #/Type38360 / Error
Event Submitted/Written: 08/09/2008 00:36:52 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 540FA8ECB40F. The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-08-09 12:56:16 ------------

I'm running the Kaspersky now.

Regards,
AlvinTC

#7 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  • Local time:04:35 AM

Posted 09 August 2008 - 07:02 AM

Kaspersky fails to run (have run as admin)

Error is on the update: ERROR: Invalid file signature.

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:35 PM

Posted 10 August 2008 - 12:39 AM

Hello, alvintc.
We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  • Local time:04:35 AM

Posted 10 August 2008 - 06:32 AM

Hi,
I don't have the Vista CD (pre-installed) and the ComboFix instructions only point to XP being able to download the file. Will this work for Vista as well?

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:35 PM

Posted 10 August 2008 - 10:06 AM

If Vista was preinstalled by an OEM, go ahead and skip the recovery console for now. Vista provides recovery modes XP does not. ;)

Go ahead and download and run CF anyway.

Billy3

#11 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  • Local time:04:35 AM

Posted 11 August 2008 - 01:31 PM

Here we go, please find the combofix log attached.

Attached Files

  • Attached File  log.txt   25.79KB   27 downloads


#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:35 PM

Posted 11 August 2008 - 10:52 PM

Hello, alvintc.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/159417/defender-reports-infections/?p=908636
    
    suspect::[54]
    C:\Windows\System32\KemWnd.dll
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\pool.bin
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:35 AM

Posted 12 August 2008 - 04:27 AM

Please find the requested attached.
Once again, thank you for all the time and effort!

Attached Files

  • Attached File  log.txt   24.49KB   28 downloads


#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:35 PM

Posted 12 August 2008 - 06:48 AM

Hello, alvintc.
Please set your system to show hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select the "Show hidden files and folders" radio button.
  • Uncheck the "Hide file extensions for known file types" checkbox.
  • Uncheck the "Hide protected operating system files (Recommended)" checkbox.
  • Click OK to confirm.
  • Close/exit My Computer.
We need to see if some files are malware.
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to each of the following files and click Submit.
    C:\Windows\System32\rpcnetp.exe
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\pool.bin

    Note: You will have to scan each file individually.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
  • Please post back the results of the scan in your next post.
In your next reply, please include the following:
  • Jotti/VirusTotal's Logs

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 alvintc

alvintc
  • Topic Starter

  • Members
  • 13 posts
  •  
  • Local time:04:35 AM

Posted 12 August 2008 - 07:10 AM

Jotti:
C:\Windows\System32\rpcnetp.exe
Ikarus: Found BehavesLikeWin32.ExplorerHijack

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

C:\Windows\System32\pool.bin
found nothing

Virus total:
C:\Windows\System32\rpcnetp.exe
F-Secure 7.60.13501.0 2008.08.12 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.34.0 2008.08.12 not-a-virus:Dialer.Win32.Rpcnet.a
K7AntiVirus 7.10.411 2008.08.11 Backdoor.Win32.ExplorerHijack
Sunbelt 3.1.1542.1 2008.08.12 Trojan.Win32.ExplorerHijack

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
0 bytes size received / Se ha recibido un archivo vacio

C:\Windows\System32\pool.bin
found nothing
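A local pre-flight check for the three files Billy asked to have scanned in #14, covering the zero-byte upload failure seen in #15. This is an added example, not code from the thread or from ComboFix; it assumes Windows PowerShell 4 or later (for Get-FileHash) in an elevated prompt, and reports size, Hidden/System attributes, SHA-256 and Authenticode status so an empty or hidden file is noticed before anything is uploaded.

```powershell
# Added example, not from the thread: pre-flight triage of the three files
# Billy asked to have scanned, run locally before uploading anything.
# Assumes Windows PowerShell 4 or later (Get-FileHash) in an elevated prompt.
$paths = @(
    'C:\Windows\System32\rpcnetp.exe',
    'C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0',
    'C:\Windows\System32\pool.bin'
)

function Get-FileTriage {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # -Force lets Get-Item return files carrying the Hidden/System attributes
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{ Path = $p; Bytes = $null; Attributes = $null
                               Sha256 = $null; Signature = $null; Notes = 'not found' }
            continue
        }
        $notes = @()
        # A 0-byte file is exactly what Jotti/VirusTotal reject as an empty upload
        if ($item.Length -eq 0) { $notes += 'zero-byte file; nothing to upload' }
        if ($item.Attributes -band [IO.FileAttributes]::Hidden) { $notes += 'hidden' }
        if ($item.Attributes -band [IO.FileAttributes]::System) { $notes += 'system attribute' }
        try {
            # The hash can be searched on VirusTotal without uploading the file itself
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch { $hash = 'unreadable (locked or access denied)' }
        try {
            $sig = (Get-AuthenticodeSignature -FilePath $p -ErrorAction Stop).Status
        } catch { $sig = 'n/a' }
        if ("$sig" -ne 'Valid') { $notes += "no valid Authenticode signature ($sig)" }
        [pscustomobject]@{
            Path       = $p
            Bytes      = $item.Length
            Attributes = $item.Attributes.ToString()
            Sha256     = $hash
            Signature  = "$sig"
            Notes      = ($notes -join '; ')
        }
    }
}

Get-FileTriage -Path $paths | Format-List
```

A file that reports 0 bytes here but non-zero size in Explorer, or that cannot be hashed from an elevated prompt, is worth mentioning in the reply, since that is the case the online scanners cannot help with.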