Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fakealert F Trojan


  • This topic is locked This topic is locked
7 replies to this topic

#1 hawkchief

hawkchief

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 03 August 2008 - 06:04 PM

I'm getting a popup window "Windows Security System Center Warning", warning of a threat and trying to get me into downloading software to remove the malware.
After searching the internet I believe this is the "FakeAlert F Trojan". Symantec Corp. Edition didn't find this problem. I have been unable to remove this.
Thank you

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Mobile Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 511.35 MiB / 85.46 MiB
Pagefile Memory (total/avail): 1248.17 MiB / 803.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.38 MiB

C: is Fixed (NTFS) - 37.22 GiB total, 8.02 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N040ATCS05-0 - 37.26 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.22 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:Connection Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"="C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Steve\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=XPLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Steve
LOGONSERVER=\\XPLAPTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\CFusionMX7\verity\k2\_nti40\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;"C:\Program Files\Symantec\Norton Ghost 2003\";C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
TMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=XPLAPTOP
USERNAME=Steve
USERPROFILE=C:\Documents and Settings\Steve
VERITY_CFG=C:\CFusionMX7\verity\k2\common\verity.cfg
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Steve (admin)
Rachelle (admin)
Kristin (admin)
Kharlyn (admin)
Royal Rangers
Administrator (admin)
swright (new local, net ready)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type5655 / Warning
Event Submitted/Written: 08/03/2008 04:23:52 PM
Event ID/Source: 19011 / MSSQL$SOSHOME22
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type5652 / Warning
Event Submitted/Written: 08/03/2008 04:23:47 PM
Event ID/Source: 2 / SQLBrowser
Event Description:
The configuration of the SQL instance SOSHOME22 is not valid.

Event Record #/Type5651 / Warning
Event Submitted/Written: 08/03/2008 04:23:47 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type91242 / Error
Event Submitted/Written: 08/03/2008 04:34:33 PM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.



-- End of Deckard's System Scanner: finished at 2008-08-03 16:37:28 ------------




Deckard's System Scanner v20071014.68
Run by Steve on 2008-08-03 16:31:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-03 22:31:59 UTC - RP704 - Deckard's System Scanner Restore Point
1: 2008-07-02 02:58:11 UTC - RP703 - Installed Norton Ghost


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).


-- HijackThis (run as Steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:32 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Steve.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\DESKTOP\EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\DOCUME~1\Steve\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128963559437
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5C12C05-9272-47F8-A748-A26255D8F2C1}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secerrs - Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 12301 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 GhPciScan (GhostPciScanner) - c:\program files\symantec\norton ghost 2003\ghpciscan.sys <Not Verified; Symantec Corporation; Symantec Ghost PCI Scanner>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R2 MDC8021X (WPA Security Protocol (IEEE 802.1x) v1.5.1.65) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 1.5>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>

S3 BTWUSB (WIDCOMM USB Bluetooth Driver) - c:\windows\system32\drivers\btwusb.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 NuVision (Hauppauge WinTV USB (NTSC)) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Hauppauge Computer Works; WinTV USB>
S3 pepifilter (Volume Adapter) - c:\windows\system32\drivers\lv302af.sys (file missing)
S3 PID_08A0 (QuickCam IM(PID_08A0)) - c:\windows\system32\drivers\lv302av.sys (file missing)
S3 TnIDriver - c:\docume~1\kristin\locals~1\temp\tni196.tmp (file missing)
S3 W8100PCI (D-Link AirPlus G Wireless Driver) - c:\windows\system32\drivers\mrv8k51.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GhostStartService - c:\program files\symantec\norton ghost 2003\ghoststartservice.exe <Not Verified; Symantec Corporation; Norton Ghost Start Service>

S3 Secerrs -
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-30 18:52:16 380 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-06-16 16:00:00 398 --ah----- C:\WINDOWS\Tasks\{B6AEA6E4-D40B-4175-8B6A-A98AB5F255F2}_XPLAPTOP_Kristin.job
2008-06-16 16:00:00 400 --ah----- C:\WINDOWS\Tasks\{49AC0518-55FC-4D93-B143-48D9BE72F0A9}_XPLAPTOP_Rachelle.job
2008-06-12 09:00:04 398 --ah----- C:\WINDOWS\Tasks\{15FE50D4-7A55-421D-B353-F585902A6475}_XPLAPTOP_Kristin.job
2008-06-12 09:00:00 400 --ah----- C:\WINDOWS\Tasks\{13ACF236-8878-49FA-B2DA-A5B18E47CDC0}_XPLAPTOP_Rachelle.job
2008-06-06 16:00:03 398 --ah----- C:\WINDOWS\Tasks\{A63A1318-DE28-447A-A81E-4FA1CA22EACB}_XPLAPTOP_Kristin.job
2008-06-06 16:00:00 400 --ah----- C:\WINDOWS\Tasks\{5527C9EB-32F6-4DDE-A5AC-BA92C85AFD06}_XPLAPTOP_Rachelle.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 16:30:44 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-07-01 19:47:50 27262976 --a------ C:\VIRTPART.DAT
2008-07-01 17:32:23 90831 --a------ C:\WINDOWS\system32\nvModes.dat
2008-06-30 16:40:28 1100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-16 15:55:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 15:54:15 0 d-------- C:\Program Files\Symantec
2008-06-15 19:46:07 0 d-------- C:\Documents and Settings\Steve\Application Data\Aim
2008-06-15 14:09:18 21504 --a------ C:\WINDOWS\y.exe
2008-06-15 14:09:16 15616 --a------ C:\WINDOWS\xplugin.dll
2008-06-15 14:09:15 23552 --a------ C:\WINDOWS\x.exe
2008-06-15 14:09:14 31488 --a------ C:\WINDOWS\winmgnt.exe
2008-06-15 14:09:12 28416 --a------ C:\WINDOWS\window.exe
2008-06-15 14:09:11 12288 --a------ C:\WINDOWS\winajbm.dll
2008-06-15 14:09:11 20736 --a------ C:\WINDOWS\win64.exe
2008-06-15 14:09:10 32000 --a------ C:\WINDOWS\win32e.exe
2008-06-15 14:09:09 13312 --a------ C:\WINDOWS\waol.exe
2008-06-15 14:09:08 10752 --a------ C:\WINDOWS\users32.exe
2008-06-15 14:09:08 20992 --a------ C:\WINDOWS\time.exe
2008-06-15 14:09:07 30976 --a------ C:\WINDOWS\systemcritical.exe
2008-06-15 14:09:06 12800 --a------ C:\WINDOWS\systeem.exe
2008-06-15 14:09:05 24832 --a------ C:\WINDOWS\svcinit.exe
2008-06-15 14:09:05 23296 --a------ C:\WINDOWS\svchost32.exe
2008-06-15 14:09:04 11520 --a------ C:\WINDOWS\sistem.exe
2008-06-15 14:09:03 30976 --a------ C:\WINDOWS\searchword.dll
2008-06-15 14:09:01 19456 --a------ C:\WINDOWS\rundll16.exe
2008-06-15 14:09:00 16384 --a------ C:\WINDOWS\quicken.exe
2008-06-15 14:08:59 9728 --a------ C:\WINDOWS\qttasks.exe
2008-06-15 14:08:59 14848 --a------ C:\WINDOWS\olehelp.exe
2008-06-15 14:08:58 13056 --a------ C:\WINDOWS\notepad32.exe
2008-06-15 14:08:58 11520 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-15 14:08:57 31488 --a------ C:\WINDOWS\mswsc20.dll
2008-06-15 14:08:56 25088 --a------ C:\WINDOWS\mswsc10.dll
2008-06-15 14:08:55 14336 --a------ C:\WINDOWS\msupdate.exe
2008-06-15 14:08:55 12800 --a------ C:\WINDOWS\mssys.exe
2008-06-15 14:08:54 18432 --a------ C:\WINDOWS\msspi.dll
2008-06-15 14:08:54 13824 --a------ C:\WINDOWS\msconfd.dll
2008-06-15 14:08:54 14080 --a------ C:\WINDOWS\loader.exe
2008-06-15 14:08:53 21760 --a------ C:\WINDOWS\internet.exe
2008-06-15 14:08:53 11520 --a------ C:\WINDOWS\inetinf.exe
2008-06-15 14:08:52 14080 --a------ C:\WINDOWS\iexplorer.exe
2008-06-15 14:08:51 28928 --a------ C:\WINDOWS\iedll.exe
2008-06-15 14:08:50 27904 --a------ C:\WINDOWS\helpcvs.exe
2008-06-15 14:08:49 22784 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-15 14:08:49 21504 --a------ C:\WINDOWS\funny.exe
2008-06-15 14:08:48 14592 --a------ C:\WINDOWS\funniest.exe
2008-06-15 14:08:47 31744 --a------ C:\WINDOWS\explorer32.exe
2008-06-15 14:08:45 14592 --a------ C:\WINDOWS\explore.exe
2008-06-15 14:08:44 12032 --a------ C:\WINDOWS\editpad.exe
2008-06-15 14:08:44 25344 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-15 14:08:44 26368 --a------ C:\WINDOWS\directx32.exe
2008-06-15 14:08:43 30720 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-15 14:08:42 13312 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-15 14:08:41 18688 --a------ C:\WINDOWS\cpan.dll
2008-06-15 14:08:41 30208 --a------ C:\WINDOWS\clrssn.exe
2008-06-15 14:08:40 17920 --a------ C:\WINDOWS\avpcc.dll
2008-06-15 14:08:39 32000 --a------ C:\WINDOWS\accesss.exe
2008-06-14 21:37:06 0 d-------- C:\Program Files\Common Files
2008-06-14 21:37:06 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-06-14 21:34:23 0 d-------- C:\Program Files\uTorrent
2008-06-14 21:34:13 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-14 21:34:07 90073 --a------ C:\WINDOWS\system32\iftuyszv.exe <Not Verified; Microsoft; XML Media>
2008-06-13 21:45:43 8780 --a------ C:\WINDOWS\system32\000090.exe
2008-06-13 21:44:23 229516 --a------ C:\WINDOWS\system32\000070.exe
2008-06-13 21:42:40 209496 --a------ C:\WINDOWS\system32\000080.exe
2008-06-13 14:12:54 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-08-03 16:37:28 ------------

BC AdBot (Login to Remove)

 


m

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:41 AM

Posted 03 August 2008 - 06:26 PM

Hello hawkchief

Welcome to BleepingComputer :thumbsup:
========================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new dss log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 hawkchief

hawkchief
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 03 August 2008 - 09:11 PM

:thumbsup: Things are looking up. I haven't received any of the popups and the computer is running better.


SDFix: Version 1.212
Run by Steve on Sun 08/03/2008 at 07:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted

Killing PID 836 'iftuyszv.exe'


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\POOLSV.EXE - Deleted
C:\WINDOWS\TTC-4444.EXE - Deleted
C:\Temp\0b9\tmpTF.log - Deleted
C:\Temp\iee\tmpZTF.log - Deleted
C:\Program Files\poolsv\k11u72.exe - Deleted
C:\Program Files\poolsv\wr-1-0000077.exe - Deleted
C:\Program Files\poolsv\YazzleBundle-1549.exe - Deleted
C:\Program Files\svhost\wr-1-0000077.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\system32\000070.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\poolsv.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\iftuyszv.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\TTC-4444.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted
C:\WINDOWS\system32\clbdll.dll - Deleted
C:\WINDOWS\system32\drivers\clbdriver.sys - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted



Folder C:\Program Files\poolsv - Removed
Folder C:\Program Files\svhost - Removed
Folder C:\Temp\0b9 - Removed
Folder C:\Temp\iee - Removed
Folder C:\WINDOWS\system32\netrax06 - Removed
Folder C:\WINDOWS\system32\X2 - Removed
Folder C:\WINDOWS\system32\X3 - Removed
Folder C:\WINDOWS\system32\X4 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 19:33:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000ea133988c]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea133988c]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea133988c]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:Connection Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"="C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 29 Aug 2002 94,784 ..SH. --- "C:\WINDOWS\TWAIN.DLL"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcirt.dll"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcp60.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\SYSTEM32\regsvr32.exe"
Wed 6 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 9 Jan 2005 42,496 ...H. --- "C:\Documents and Settings\Rachelle\My Documents\~WRL0004.tmp"
Sun 9 Jan 2005 55,296 ...H. --- "C:\Documents and Settings\Rachelle\My Documents\~WRL1039.tmp"
Fri 27 Feb 2004 1,206 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 27 Feb 2004 12,368 ...HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Mon 24 May 2004 10,678 ...H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off331.tmp"
Mon 1 Dec 2003 10,678 ...H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off9.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT90.tmp"
Wed 8 Feb 2006 21,504 ...H. --- "C:\Documents and Settings\Rachelle\My Documents\Contributer Lists\Leesa's Computer\Republican Media Fund\~WRL3881.tmp"
Fri 2 Apr 2004 95,744 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\~WRL0004.tmp"
Fri 2 Apr 2004 97,280 A..H. --- "C:\Deckard\System Scanner\backup\DOCUME~1\Steve\LOCALS~1\Temp\~WRL0331.tmp"
Wed 17 Dec 2003 65,088 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 17 Dec 2003 12,732 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 17 Dec 2003 26,424 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 17 Dec 2003 28,062 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 17 Dec 2003 10,710 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 17 Dec 2003 10,083 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 17 Dec 2003 10,257 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 17 Dec 2003 29,499 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 17 Dec 2003 12,660 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 17 Dec 2003 11,031 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 17 Dec 2003 17,952 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 17 Dec 2003 9,424 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 17 Dec 2003 7,825 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 17 Dec 2003 13,673 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 17 Dec 2003 14,438 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 17 Dec 2003 7,825 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 17 Dec 2003 7,825 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 17 Dec 2003 7,825 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 17 Dec 2003 7,243 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 17 Dec 2003 24,767 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 17 Dec 2003 7,463 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 17 Dec 2003 7,825 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 17 Dec 2003 10,286 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 17 Dec 2003 25,460 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 17 Dec 2003 28,866 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 17 Dec 2003 14,438 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 17 Dec 2003 8,544 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 17 Dec 2003 33,149 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 17 Dec 2003 51,150 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 17 Dec 2003 35,340 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 17 Dec 2003 14,378 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 17 Dec 2003 37,984 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 17 Dec 2003 44,828 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 17 Dec 2003 29,628 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 17 Dec 2003 52,106 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 17 Dec 2003 49,250 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 17 Dec 2003 50,600 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 17 Dec 2003 161,792 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 17 Dec 2003 174,080 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 17 Dec 2003 21,971 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 17 Dec 2003 30,955 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 17 Dec 2003 202,517 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 17 Dec 2003 374,038 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 17 Dec 2003 22,158 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 17 Dec 2003 1,608 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 17 Dec 2003 15,345 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 17 Dec 2003 7,840 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 17 Dec 2003 56,821 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE"
Wed 17 Dec 2003 64,425 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 17 Dec 2003 32,396 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 17 Dec 2003 14,160 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 17 Dec 2003 10,898 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM"
Wed 17 Dec 2003 53,556 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 17 Dec 2003 15,777 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM"
Wed 17 Dec 2003 37,681 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 17 Dec 2003 354,304 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 17 Dec 2003 21,180 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 17 Dec 2003 354,263 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe"
Wed 17 Dec 2003 8,513 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 17 Dec 2003 41,302 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 17 Dec 2003 129,240 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 17 Dec 2003 28,439 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com"
Wed 17 Dec 2003 13,770 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 17 Dec 2003 130,980 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 17 Dec 2003 11,854 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 17 Dec 2003 52,715 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 17 Dec 2003 62,391 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 17 Dec 2003 11,491 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 17 Dec 2003 17,791 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 17 Dec 2003 17,043 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 17 Dec 2003 11,786 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 17 Dec 2003 18,300 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 17 Dec 2003 48,224 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 17 Dec 2003 13,360 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 17 Dec 2003 9,190 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 17 Dec 2003 12,567 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 17 Dec 2003 44,640 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 17 Dec 2003 56,896 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 17 Dec 2003 44,640 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 17 Dec 2003 9,692 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 17 Dec 2003 9,537 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 17 Dec 2003 32,484 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 17 Dec 2003 52,225 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 17 Dec 2003 48,491 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 17 Dec 2003 50,405 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 17 Dec 2003 33,860 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 17 Dec 2003 50,175 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 17 Dec 2003 50,795 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 17 Dec 2003 48,223 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 17 Dec 2003 48,641 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 17 Dec 2003 49,015 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Fri 3 Aug 2001 19,968 ...H. --- "C:\Documents and Settings\Steve\Desktop\New Folder (4)\New Folder (2)\Clean Up\New Folder\~WRL0351.tmp"
Wed 17 Dec 2003 53,786 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 17 Dec 2003 44,240 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 17 Dec 2003 42,550 ...H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"
Fri 1 Feb 2002 0 ...H. --- "C:\Documents and Settings\Steve\Desktop\New Folder (4)\New Folder (2)\Clean Up\New Folder\Rachelle\~WRL2695.tmp"
Sat 4 Nov 2000 38,912 ...H. --- "C:\Documents and Settings\Steve\Desktop\New Folder (4)\New Folder (2)\Clean Up\Old Laptop\MyDocs\104th\TC 1-204\~WRL2564.tmp"

Finished!




Deckard's System Scanner v20071014.68
Run by Steve on 2008-08-03 19:44:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).


-- HijackThis (run as Steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:58 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Steve.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\DESKTOP\EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\DOCUME~1\Steve\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128963559437
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5C12C05-9272-47F8-A748-A26255D8F2C1}: NameServer = 192.168.1.100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secerrs - Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10490 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 19:01:11 0 d-------- C:\WINDOWS\ERUNT
2008-08-03 16:30:44 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-08-03 19:25:20 90831 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-03 19:19:38 0 d-------- C:\Program Files\Common Files
2008-07-01 19:47:50 27262976 --a------ C:\VIRTPART.DAT
2008-06-30 16:40:28 1100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-16 15:55:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 15:54:15 0 d-------- C:\Program Files\Symantec
2008-06-15 19:46:07 0 d-------- C:\Documents and Settings\Steve\Application Data\Aim
2008-06-15 14:10:01 1693 --a------ C:\WINDOWS\system32\clbinit.dll
2008-06-14 21:34:23 0 d-------- C:\Program Files\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [01/03/2008 07:11 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/19/2004 12:44 AM]
"nwiz"="nwiz.exe" [08/19/2004 12:44 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/22/2004 04:23 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/22/2004 04:23 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [06/20/2003 02:18 PM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [07/17/2002 10:18 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [10/13/2005 10:26 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/10/2004 10:15 PM]
"WD Button Manager"="WDBtnMgr.exe" [05/23/2005 09:30 PM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/05/2005 08:46 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/07/2005 01:33 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05/14/2005 12:20 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [01/14/2003 06:02 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM C:\WINDOWS\SYSTEM32\bthprops.cpl]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [01/13/2006 06:28 PM]
"poolsv"="C:\WINDOWS\poolsv.exe" []
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [03/11/2004 12:26 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [12/17/2003 03:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [01/07/2002 04:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"\\DESKTOP\EPSON Stylus Photo RX595 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.exe" [03/30/2007 06:00 AM]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [10/23/2006 1:48:20 AM]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [10/23/2006 12:01:50 AM]
D-Link AirPlus G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus G\AirPlus.exe [7/5/2004 3:24:43 PM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [10/28/2005 12:53:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-08-03 19:46:01 ------------

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:41 AM

Posted 04 August 2008 - 02:33 AM

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"


Now click on Fix Checked and then close Hijackthis.
====================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\clbinit.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=================================
Post those logs and a new dss log in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 hawkchief

hawkchief
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 04 August 2008 - 11:06 AM

:thumbsup: Here they are.





LoadLibrary failed for C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\clbinit.dll NOT unregistered.
C:\WINDOWS\system32\clbinit.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08042008_090024



Malwarebytes' Anti-Malware 1.24
Database version: 1024
Windows 5.1.2600 Service Pack 2

10:03:51 AM 8/4/2008
mbam-log-8-4-2008 (10-03-51).txt

Scan type: Quick Scan
Objects scanned: 90840
Time elapsed: 48 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Kristin\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temp\bbbbti.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temp\snpp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temporary Internet Files\Content.IE5\0PYV45UB\td[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temporary Internet Files\Content.IE5\CDMR0L27\syswcc32[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temporary Internet Files\Content.IE5\E3QFKZMN\snpp[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temporary Internet Files\Content.IE5\IX2BO18L\bbbbti[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Application Data\Microsoft\dtsc\761.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\Christia-Ray_Lara-106.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristin\Local Settings\Temp\yazzlesnet.exe (Heuristics.Malware) -> Quarantined and deleted successfully.





Deckard's System Scanner v20071014.68
Run by Steve on 2008-08-04 10:05:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:06 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\hpbpro.exe
C:\WINDOWS\system32\hpboid.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Steve.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\DESKTOP\EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\DOCUME~1\Steve\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128963559437
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Secerrs - Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10443 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 09:10:24 0 d-------- C:\Documents and Settings\Steve\Application Data\Malwarebytes
2008-08-04 09:10:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-04 09:10:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 19:01:11 0 d-------- C:\WINDOWS\ERUNT
2008-08-03 16:30:44 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-08-04 08:45:20 90831 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-03 19:19:38 0 d-------- C:\Program Files\Common Files
2008-07-01 19:47:50 27262976 --a------ C:\VIRTPART.DAT
2008-06-30 16:40:28 1100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-16 15:55:06 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 15:54:15 0 d-------- C:\Program Files\Symantec
2008-06-15 19:46:07 0 d-------- C:\Documents and Settings\Steve\Application Data\Aim
2008-06-14 21:34:23 0 d-------- C:\Program Files\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/19/2004 12:44 AM]
"nwiz"="nwiz.exe" [08/19/2004 12:44 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [04/22/2004 04:23 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/22/2004 04:23 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [06/20/2003 02:18 PM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [07/17/2002 10:18 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [10/13/2005 10:26 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/10/2004 10:15 PM]
"WD Button Manager"="WDBtnMgr.exe" [05/23/2005 09:30 PM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/05/2005 08:46 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/07/2005 01:33 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05/14/2005 12:20 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [01/14/2003 06:02 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM C:\WINDOWS\SYSTEM32\bthprops.cpl]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [01/13/2006 06:28 PM]
"poolsv"="C:\WINDOWS\poolsv.exe" []
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [03/11/2004 12:26 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [12/17/2003 03:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [01/07/2002 04:24 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"\\DESKTOP\EPSON Stylus Photo RX595 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.exe" [03/30/2007 06:00 AM]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [10/23/2006 1:48:20 AM]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [10/23/2006 12:01:50 AM]
D-Link AirPlus G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus G\AirPlus.exe [7/5/2004 3:24:43 PM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [10/28/2005 12:53:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-08-04 10:07:09 ------------

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:41 AM

Posted 04 August 2008 - 06:26 PM

Please uninstall Viewpoint then reboot and delete this folder > C:\Program Files\Viewpoint.

Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
======================
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 hawkchief

hawkchief
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 07 August 2008 - 03:20 PM

:thumbsup: Thank you for your help. Everything went well and my computer is running good.

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:41 AM

Posted 08 August 2008 - 10:13 AM

You are welcome :thumbsup:


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users