2009 Antivirus
12 replies to this topic

#1 Micolene

Posted 07 August 2008 - 01:52 PM

I have the Antivirus 2009 infection. Use Windows XP. I have tried manually removing the various infected files and it keeps coming back. I was using McAfee antivirus when infected. I now have Trend Micro 2008. Also have tried to remove with the Malwarebytes Anti-Malware program. Kaspersky online scan keeps crashing. Here is the DSS log. This thing won't go away. PLEASE HELP!

Logs follow:

Deckard's System Scanner v20071014.68
Run by Unknown User on 2008-08-07 14:33:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-07 18:33:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-07 14:37:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ngvpnmgr.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Unknown User\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {142BB099-F6A1-4997-99F5-BB4B4F0766C5} - C:\WINDOWS\SYSTEM32\geBqQGaY.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FBF85A20-FF88-4C46-90FB-B023E5C4ECA0} - C:\WINDOWS\SYSTEM32\xxyayYqn.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://i2.morkee.com (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} () - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: jlnvsx.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O20 - Winlogon Notify: xxyayYqn - C:\WINDOWS\system32\xxyayYqn.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\SYSTEM32\ngvpnmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe


--
End of file - 8303 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,-153
.com - comfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,2
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\SYSTEM32\SHELL32.DLL,23
.ini - inifile - DefaultIcon - shell32.dll,-151
.js - JSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,9
.reg - regfile - DefaultIcon - c:\windows\regedit.exe,1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - DefaultIcon - shell32.dll,-152
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\system32\migicons.exe,8


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Winxd72 - c:\windows\system32\drivers\winxd72.sys
R1 lanmandrv - c:\windows\system32\lanmandrv.sys

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 sysrest.sys - c:\windows\system32\sysrest.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NgVpnMgr (Aventail VPN Client) - c:\windows\system32\ngvpnmgr.exe <Not Verified; Aventail Corporation; Aventail® Connect™ with Smart Tunneling™>

S3 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-05 23:19:16 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-02-13 09:50:22 356 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1136603107.job


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 14:20:12 0 d--hs---- C:\FOUND.000
2008-08-06 23:06:09 724 --a------ C:\WINDOWS\system32\qmopt.dll
2008-08-06 22:39:32 1206 --ahs---- C:\WINDOWS\system32\YaGQqBeg.ini2
2008-08-06 22:26:46 5765 --a------ C:\WINDOWS\system32\wddictio.dll
2008-08-06 22:23:57 5763 --a------ C:\WINDOWS\system32\cyhaslhi.dll
2008-08-06 21:49:42 0 d-------- C:\Documents and Settings\Unknown User\Application Data\Malwarebytes
2008-08-06 21:49:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:49:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 22:24:30 5763 --a------ C:\WINDOWS\system32\xjbgcnbg.dll
2008-08-05 22:24:25 5765 --a------ C:\WINDOWS\system32\yjoupnys.dll
2008-08-04 18:32:00 5765 --a------ C:\WINDOWS\system32\pigyhydw.dll
2008-08-04 18:28:32 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-08-02 23:25:17 5765 --a------ C:\WINDOWS\system32\mryabyld.dll
2008-08-02 23:22:17 5763 --a------ C:\WINDOWS\system32\rkovfyag.dll
2008-08-02 15:52:11 0 d-------- C:\Program Files\Trend Micro
2008-08-01 21:56:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-01 21:19:36 129920 -----n--- C:\WINDOWS\system32\jlnvsx.dll
2008-07-30 08:12:23 120960 --a------ C:\WINDOWS\system32\raagto.dll
2008-07-30 08:12:22 120960 --a------ C:\WINDOWS\system32\wyolxfte.dll
2008-07-30 01:03:51 323584 -----n--- C:\WINDOWS\system32\geBqQGaY.dll
2008-07-30 01:02:35 16896 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-07-30 00:58:38 34176 -----n--- C:\WINDOWS\system32\xxyayYqn.dll
2008-07-23 17:46:26 0 d-------- C:\Program Files\iTunes
2008-07-23 17:44:49 0 d-------- C:\Program Files\Bonjour
2008-07-23 17:42:14 0 d-------- C:\Program Files\QuickTime
2008-07-23 17:34:43 0 d-------- C:\Program Files\Safari
2008-07-12 08:38:41 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-06-14 11:58:44 0 d-------- C:\Program Files\Photo Viewer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{142BB099-F6A1-4997-99F5-BB4B4F0766C5}]
07/30/2008 01:03 AM 323584 --------- C:\WINDOWS\system32\geBqQGaY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBF85A20-FF88-4C46-90FB-B023E5C4ECA0}]
07/30/2008 12:58 AM 34176 --------- C:\WINDOWS\system32\xxyayYqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.ExE" [08/04/2004 12:00 PM C:\WINDOWS\SYSTEM32\systray.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"@"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"lanmanwrk.exe"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]

C:\Documents and Settings\Unknown User\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [6/22/2007 10:32:15 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF85A20-FF88-4C46-90FB-B023E5C4ECA0}"= C:\WINDOWS\system32\xxyayYqn.dll [07/30/2008 12:58 AM 34176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 08/07/2008 02:20 PM 16896 C:\WINDOWS\SYSTEM32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayYqn]
xxyayYqn.dll 07/30/2008 12:58 AM 34176 C:\WINDOWS\SYSTEM32\xxyayYqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=jlnvsx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBqQGaY

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"MCAgentExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
"VSOCheckTask"="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MCTskShd"=C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-08-07 14:41:03 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 510.3 MiB / 140.9 MiB
Pagefile Memory (total/avail): 673.56 MiB / 252.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.38 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 232.83 GiB total, 192.8 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 19 GiB total, 1.49 GiB free.

\\.\PHYSICALDRIVE1 - QUANTUM FIREBALLlct20 20 - 19.01 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 19.01 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD2500JB-55GVC0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Trend Micro Personal Firewall v5.2 (Trend Micro Inc.)
AV: Trend Micro Internet Security v16.10.1079 ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\WINDOWS\\System32\\fxsclnt.exe"="C:\\WINDOWS\\System32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Unknown User\\Local Settings\\Temp\\.tt5.tmp"="C:\\Documents and Settings\\Unknown User\\Local Settings\\Temp\\.tt5.tmp:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Unknown User\Application Data
BLASTER=A220 I7 D1 T2
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OEMCOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Unknown User
LOGONSERVER=\\OEMCOMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SNDSCAPE=C:\WINDOWS
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\UNKNOW~1\LOCALS~1\Temp
USERDOMAIN=OEMCOMPUTER
USERNAME=Unknown User
USERPROFILE=C:\Documents and Settings\Unknown User
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Unknown User (admin)
Micolene Lauch (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /UNINSTALL /PROMPT
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Acrobat Reader 3.01 --> C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Adobe® Photoshop® Album Starter Edition 3.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
AdvisorLink Installer --> C:\PROGRA~1\ALINST~1\UNWISE.EXE C:\PROGRA~1\ALINST~1\INSTALL.LOG
Ahead InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Ahead InCD EasyWrite Reader --> C:\WINDOWS\UNMrw.exe /UNINSTALL
Ahead NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Aventail Access Manager --> C:\Documents and Settings\Unknown User\Application Data\Aventail\epi\epuninstall.exe
Aventail Connect --> MsiExec.exe /I{A2A78788-2792-49BF-AF22-5E9296E568F3}
Aventail Web Proxy Agent --> MsiExec.exe /X{9B0B46B3-10DF-4ADA-9501-0129D784563D}
Aventail Webifiers --> MsiExec.exe /X{54D44AD1-A083-48B9-BD6F-AFD517B7C775}
BellSouth FastAccess DSL Help Center --> "C:\Program Files\Support.com\BellSouth\Uninstall.exe" /c "Remove BellSouth® FastAccess® DSL Help Center?"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FC3EEA54-C009-4D75-B753-3CD871BF3EBA}
Canon i960 --> C:\WINDOWS\system32\CNMCP5c.exe "-PRINTERNAMECanon i960" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i960 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i960 Installer\Inst2\cnmi0409.dll"
Canon PhotoRecord --> MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities Easy-PhotoPrint Plus --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint Plus\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint Plus\EZUNINST.DLL"
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Classic PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\SETUP.EXE" -l0x9 ControlPanel
Conexant HCF V.90 56K RTAD,Speakerphone PCI Modem --> infunist.exe VEN_14F1&DEV_1036&SUBSYS_020913E0
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Creative PCI Audio Drivers --> C:\SBPCI\sbsetup.exe -u
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Disney Software Update --> MsiExec.exe /X{C6339A05-42C3-48A2-81F9-552B320A9194}
Doras Rapido River Rafting Race (remove only) --> "C:\Program Files\Doras Rapido River Rafting Race\Uninstall.exe"
DriverGuide Toolkit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEA5EF64-B694-4B79-9A2C-0FF738906A1D}\setup.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3820 series (Remove only) --> C:\Program Files\hp deskjet 3820 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB004 -vproduct=3820 -huninstall
hp instant support --> C:\PROGRA~1\HEWLET~1\HPIS\Uninstall.exe /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_a000f_23203a\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
MyPublisher BookMaker --> C:\Program Files\MyPublisher\BookMaker\BookMaker.exe -uninstall
Nero - Burning ROM --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Photo Viewer 2.3 --> "C:\Program Files\Photo Viewer\uninstall.exe"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Safari --> MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
ScrewDrivers Client v4 --> C:\PROGRA~1\TRICERAT\SIMPLI~1\SCREWD~1\UNWISE.EXE C:\PROGRA~1\TRICERAT\SIMPLI~1\SCREWD~1\INSTALL.LOG
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
System Files Update --> MsiExec.exe /I{90200409-6000-11D3-8CFE-0050048383C9}
The Management Scientist 6.0 --> C:\WINDOWS\iun506.exe C:\Program Files\The Management Scientist\irunin.ini
The Print Shop Premier Edition 5.0 --> C:\WINDOWS\uninst.exe -f"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\DeIsL1.isu" -c"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\psfinst.dll"
Trend Micro Internet Security --> C:\Program Files\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Uninstall --> %SYSTEMROOT%\system32\osuninst.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type864 / Error
Event Submitted/Written: 08/05/2008 10:31:38 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type863 / Error
Event Submitted/Written: 08/05/2008 10:31:38 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type822 / Error
Event Submitted/Written: 08/04/2008 07:06:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type809 / Error
Event Submitted/Written: 08/03/2008 10:21:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application itunes.exe, version 7.7.0.43, faulting module quicktime.qts, version 7.50.61.0, fault address 0x0015e693.
Processing media-specific event for [itunes.exe!ws!]

Event Record #/Type803 / Error
Event Submitted/Written: 08/03/2008 10:07:04 PM
Event ID/Source: 4001 / VSS
Event Description:
Volume Shadow Copy Service error: Cannot find diff areas for creating shadow copies.
Please add at least one NTFS drive to the system with enough free space.
The free space needed is at least 100 Mb for each volume to be backed up/shadowed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25699 / Error
Event Submitted/Written: 08/07/2008 02:28:54 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 e4fc3a00, parameter2 000000ff, parameter3 00000000, parameter4 804e20e3.

Event Record #/Type25675 / Error
Event Submitted/Written: 08/07/2008 02:21:31 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg

Event Record #/Type25658 / Error
Event Submitted/Written: 08/06/2008 10:59:42 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type25636 / Error
Event Submitted/Written: 08/06/2008 10:36:07 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg

Event Record #/Type25610 / Error
Event Submitted/Written: 08/06/2008 10:15:15 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg



-- End of Deckard's System Scanner: finished at 2008-08-07 14:41:03 ------------


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 08 August 2008 - 06:04 PM

Hi Micolene

Please post the Malwarebytes antimalware log for me :thumbsup:

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 12 August 2008 - 05:10 PM

Here is the most recent Malwarebytes log. Thanks for taking a look:

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

5:58:28 PM 8/12/2008
mbam-log-8-12-2008 (17-58-28).txt

Scan type: Quick Scan
Objects scanned: 50063
Time elapsed: 18 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\xxyayYqn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyayyqn (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fbf85a20-ff88-4c46-90fb-b023e5c4eca0} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\xxyayYqn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\nnnmmklK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urqOGYpM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mlJDtsSk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vtUmMfDs.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winlq26.sys (Rootkit.Agent) -> Delete on reboot.

#4 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 12 August 2008 - 06:27 PM

Here is the ComboFix log. Thanks again.

ComboFix 08-08-12.01 - Unknown User 2008-08-12 18:57:18.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.187 [GMT -4:00]
Running from: C:\Documents and Settings\Unknown User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Unknown User\Application Data\macromedia\Flash Player\#SharedObjects\DZMRQKTK\interclick.com
C:\Documents and Settings\Unknown User\Application Data\macromedia\Flash Player\#SharedObjects\DZMRQKTK\interclick.com\ud.sol
C:\Documents and Settings\Unknown User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Unknown User\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\agyqrton.ini
C:\WINDOWS\SYSTEM32\bxgyiwmn.ini
C:\WINDOWS\system32\drivers\Winlq26.sys
C:\WINDOWS\SYSTEM32\mbdriwbj.ini
C:\WINDOWS\system32\raagto.dll
C:\WINDOWS\system32\rwoymimr.ini
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\wyolxfte.dll
C:\WINDOWS\system32\xbjqveol.ini
C:\WINDOWS\system32\xxyayYqn.dll
C:\WINDOWS\SYSTEM32\YaGQqBeg.ini
C:\WINDOWS\SYSTEM32\YaGQqBeg.ini2
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LANMANDRV
-------\Legacy_WINLQ26
-------\Service_sysrest.sys
-------\Service_Winlq26


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-12 18:08 . 2008-08-12 18:08 6,219 --a------ C:\WINDOWS\SYSTEM32\nnnoOhHb.dll
2008-08-11 21:19 . 2008-08-11 21:19 5,765 --a------ C:\WINDOWS\SYSTEM32\dvsecfay.dll
2008-08-11 21:19 . 2008-08-11 21:19 5,763 --a------ C:\WINDOWS\SYSTEM32\qeifyhhy.dll
2008-08-10 21:19 . 2008-08-10 21:19 5,763 --a------ C:\WINDOWS\SYSTEM32\khqkwoix.dll
2008-08-10 21:17 . 2008-08-10 21:17 5,765 --a------ C:\WINDOWS\SYSTEM32\yyjmpqce.dll
2008-08-08 22:28 . 2008-08-08 22:28 5,765 --a------ C:\WINDOWS\SYSTEM32\vwaqxusg.dll
2008-08-08 22:25 . 2008-08-08 22:25 5,763 --a------ C:\WINDOWS\SYSTEM32\cqpcqjcg.dll
2008-08-07 22:27 . 2008-08-07 22:27 5,765 --a------ C:\WINDOWS\SYSTEM32\wnqnpmjk.dll
2008-08-07 22:25 . 2008-08-07 22:25 5,763 --a------ C:\WINDOWS\SYSTEM32\pfvsnnlj.dll
2008-08-07 14:32 . 2008-08-07 14:32 <DIR> d-------- C:\Deckard
2008-08-07 14:20 . 2008-08-07 14:20 <DIR> d--hs---- C:\FOUND.000
2008-08-06 22:26 . 2008-08-06 22:26 5,765 --a------ C:\WINDOWS\SYSTEM32\wddictio.dll
2008-08-06 22:23 . 2008-08-06 22:23 5,763 --a------ C:\WINDOWS\SYSTEM32\cyhaslhi.dll
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Documents and Settings\Unknown User\Application Data\Malwarebytes
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 21:49 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-06 21:49 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-06 00:06 . 2008-08-06 00:06 114,688 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-06 00:06 . 2008-08-06 00:06 5,632 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-08-06 00:06 . 2008-08-06 00:06 5,120 --ahs---- C:\WINDOWS\SYSTEM\Thumbs.db
2008-08-05 22:24 . 2008-08-05 22:24 5,765 --a------ C:\WINDOWS\SYSTEM32\yjoupnys.dll
2008-08-05 22:24 . 2008-08-05 22:24 5,763 --a------ C:\WINDOWS\SYSTEM32\xjbgcnbg.dll
2008-08-04 18:58 . 2008-08-04 18:59 56,832 --ahs---- C:\Thumbs.db
2008-08-04 18:32 . 2008-08-04 18:32 5,765 --a------ C:\WINDOWS\SYSTEM32\pigyhydw.dll
2008-08-04 18:28 . 2008-08-08 00:41 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-08-02 23:25 . 2008-08-02 23:25 5,765 --a------ C:\WINDOWS\SYSTEM32\mryabyld.dll
2008-08-02 23:22 . 2008-08-02 23:22 5,763 --a------ C:\WINDOWS\SYSTEM32\rkovfyag.dll
2008-08-02 16:06 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-08-02 16:06 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-08-02 16:06 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-08-02 15:52 . 2008-08-02 15:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 21:56 . 2008-08-01 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-23 17:46 . 2008-07-23 17:46 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 17:44 . 2008-07-23 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 17:42 . 2008-07-23 17:42 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 17:34 . 2008-07-23 17:34 <DIR> d-------- C:\Program Files\Safari
2008-07-12 08:38 . 2008-07-12 08:38 <DIR> d-------- C:\Program Files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-14 15:58 --------- d-----w C:\Program Files\Photo Viewer
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2007-12-15 12:29 89,080 ----a-w C:\Documents and Settings\Unknown User\Application Data\GDIPFONTCACHEV1.DAT
2006-10-22 00:19 82,844 ----a-w C:\Documents and Settings\Unknown User\Winsock2.reg
2004-10-02 04:33 266 --sha-w C:\Program Files\desktop.ini
2004-10-02 04:33 11,079 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 22:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

C:\Documents and Settings\Unknown User\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-06-22 22:32:15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"MCAgentExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
"VSOCheckTask"="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MCTskShd"=C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\System32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2008-02-20 17:12]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2008-02-20 17:10]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2008-02-20 17:11]
S0 Winxd72;Winxd72;C:\WINDOWS\system32\Drivers\Winxd72.sys []
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2008-02-20 17:11]
S3 NgWfp;Aventail VPN Callout;C:\WINDOWS\system32\DRIVERS\ngwfp.sys [2008-02-20 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2006-02-13 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1136603107.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DF7F23E2-4A23-41A2-AA8E-7912D3F0F394} - C:\WINDOWS\system32\geBqQGaY.dll
Toolbar-SITEguard - (no file)
HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\qttask.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.comcast.net/explore.html
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;*.local
O8 -: E&xport to Microsoft Excel - c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 19:07:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-12 19:12:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 23:11:32

Pre-Run: 206,718,435,328 bytes free
Post-Run: 206,955,511,808 bytes free

218 --- E O F --- 2008-07-10 03:28:19

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 13 August 2008 - 03:41 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to highlight and copy only what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\SYSTEM32\nnnoOhHb.dll
C:\WINDOWS\SYSTEM32\dvsecfay.dll
C:\WINDOWS\SYSTEM32\qeifyhhy.dll
C:\WINDOWS\SYSTEM32\khqkwoix.dll
C:\WINDOWS\SYSTEM32\yyjmpqce.dll
C:\WINDOWS\SYSTEM32\vwaqxusg.dll
C:\WINDOWS\SYSTEM32\cqpcqjcg.dll
C:\WINDOWS\SYSTEM32\wnqnpmjk.dll
C:\WINDOWS\SYSTEM32\pfvsnnlj.dll
C:\WINDOWS\SYSTEM32\wddictio.dll
C:\WINDOWS\SYSTEM32\cyhaslhi.dll
C:\WINDOWS\SYSTEM32\yjoupnys.dll
C:\WINDOWS\SYSTEM32\xjbgcnbg.dll
C:\WINDOWS\SYSTEM32\pigyhydw.dll
C:\WINDOWS\SYSTEM32\mryabyld.dll
C:\WINDOWS\SYSTEM32\rkovfyag.dll
C:\WINDOWS\DCEBoot.exe

Driver::
Winxd72

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd72.sys]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
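The CFScript mechanics described in the post above (a File:: section that must be the very first line of the file, followed by Driver:: and Registry:: sections), as an added Python example that is not part of this thread and not ComboFix's own code. It parses rows in the layout of the ComboFix "Files Created" section quoted earlier, flags the entries that match the pattern of the randomly named SYSTEM32 DLLs this thread deals with, and assembles a script with File:: first. The sample rows are constructed from entries that appear earlier in the thread; the size/name/timestamp filter is my own heuristic drawn from that pattern, not a ComboFix rule, and the Winxd72 driver and SafeBoot key are taken from the post.

```python
import re
from typing import Any, Dict, List, Optional, Sequence

# Constructed sample input, laid out like the "Files Created" section of the
# ComboFix log quoted earlier in this thread. Benign rows (a directory, AV
# drivers, Thumbs.db, the DCEBoot.exe entry) are included so the filter has
# something to leave alone.
SAMPLE_LINES = r"""
2008-08-12 18:08 . 2008-08-12 18:08 6,219 --a------ C:\WINDOWS\SYSTEM32\nnnoOhHb.dll
2008-08-11 21:19 . 2008-08-11 21:19 5,765 --a------ C:\WINDOWS\SYSTEM32\dvsecfay.dll
2008-08-07 14:32 . 2008-08-07 14:32 <DIR> d-------- C:\Deckard
2008-08-06 21:49 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-06 00:06 . 2008-08-06 00:06 5,632 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-08-04 18:28 . 2008-08-08 00:41 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-08-02 16:06 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
"""

# One "Files Created" row: created . modified size attributes path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

Entry = Dict[str, Any]


def parse_files_created(text: str) -> List[Entry]:
    """Turn the raw section text into dicts; lines that are not rows are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size: Optional[int] = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": m["created"], "modified": m["modified"],
            "size": size, "attrs": m["attrs"], "path": m["path"],
        })
    return entries


# Heuristic (an assumption drawn from the pattern in this thread, not a
# ComboFix rule): the drops were ~5.7 KB DLLs with 8-letter random names
# directly in SYSTEM32, created and last written at the same minute.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")
MAX_DROP_SIZE = 20_000  # bytes


def looks_like_vundo_drop(entry: Entry) -> bool:
    size = entry["size"]
    if size is None or size > MAX_DROP_SIZE:
        return False
    directory, _, filename = str(entry["path"]).rpartition("\\")
    if directory.upper() != r"C:\WINDOWS\SYSTEM32":
        return False
    stem, _, ext = filename.rpartition(".")
    if ext.lower() != "dll" or not RANDOM_STEM_RE.match(stem):
        return False
    return entry["created"] == entry["modified"]


def build_cfscript(files: Sequence[str], drivers: Sequence[str] = (),
                   registry_keys: Sequence[str] = ()) -> str:
    """Assemble the File:: / Driver:: / Registry:: sections shown in the post.

    File:: is emitted as the very first line with nothing in front of it,
    which is the rule the post stresses. Registry keys are written in the
    [-KEY] form used in the post, which removes the key.
    """
    lines = ["File::", *files]
    if drivers:
        lines += ["", "Driver::", *drivers]
    if registry_keys:
        lines += ["", "Registry::", *[f"[-{k}]" for k in registry_keys]]
    return "\n".join(lines) + "\n"


def cfscript_is_well_formed(text: str) -> bool:
    """Reject a script that has a blank line or whitespace before File::."""
    return text.split("\n", 1)[0] == "File::"


if __name__ == "__main__":
    entries = parse_files_created(SAMPLE_LINES)
    suspects = [str(e["path"]) for e in entries if looks_like_vundo_drop(e)]
    script = build_cfscript(
        suspects,
        drivers=["Winxd72"],
        registry_keys=[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxd72.sys"],
    )
    assert cfscript_is_well_formed(script)
    print(script, end="")
```

The filter is deliberately narrow: it only flags small, same-minute, eight-letter DLLs sitting directly in SYSTEM32, so the AV drivers and Thumbs.db rows in the sample pass through untouched, and anything it misses (such as the DCEBoot.exe entry the helper added by hand) still has to be reviewed by a person before it goes into the File:: list.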

#6 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 13 August 2008 - 08:21 PM

Here is the ComboFix log. How do I do a HijackThis log?

ComboFix 08-08-13.01 - Unknown User 2008-08-13 20:56:28.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -4:00]
Running from: C:\Documents and Settings\Unknown User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Unknown User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\SYSTEM32\cqpcqjcg.dll
C:\WINDOWS\SYSTEM32\cyhaslhi.dll
C:\WINDOWS\SYSTEM32\dvsecfay.dll
C:\WINDOWS\SYSTEM32\khqkwoix.dll
C:\WINDOWS\SYSTEM32\mryabyld.dll
C:\WINDOWS\SYSTEM32\nnnoOhHb.dll
C:\WINDOWS\SYSTEM32\pfvsnnlj.dll
C:\WINDOWS\SYSTEM32\pigyhydw.dll
C:\WINDOWS\SYSTEM32\qeifyhhy.dll
C:\WINDOWS\SYSTEM32\rkovfyag.dll
C:\WINDOWS\SYSTEM32\vwaqxusg.dll
C:\WINDOWS\SYSTEM32\wddictio.dll
C:\WINDOWS\SYSTEM32\wnqnpmjk.dll
C:\WINDOWS\SYSTEM32\xjbgcnbg.dll
C:\WINDOWS\SYSTEM32\yjoupnys.dll
C:\WINDOWS\SYSTEM32\yyjmpqce.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\SYSTEM32\cqpcqjcg.dll
C:\WINDOWS\SYSTEM32\cyhaslhi.dll
C:\WINDOWS\SYSTEM32\dvsecfay.dll
C:\WINDOWS\SYSTEM32\khqkwoix.dll
C:\WINDOWS\SYSTEM32\mryabyld.dll
C:\WINDOWS\SYSTEM32\nnnoOhHb.dll
C:\WINDOWS\SYSTEM32\pfvsnnlj.dll
C:\WINDOWS\SYSTEM32\pigyhydw.dll
C:\WINDOWS\SYSTEM32\qeifyhhy.dll
C:\WINDOWS\SYSTEM32\rkovfyag.dll
C:\WINDOWS\SYSTEM32\vwaqxusg.dll
C:\WINDOWS\SYSTEM32\wddictio.dll
C:\WINDOWS\SYSTEM32\wnqnpmjk.dll
C:\WINDOWS\SYSTEM32\xjbgcnbg.dll
C:\WINDOWS\SYSTEM32\yjoupnys.dll
C:\WINDOWS\SYSTEM32\yyjmpqce.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINXD72
-------\Service_Winxd72


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-07 14:32 . 2008-08-07 14:32 <DIR> d-------- C:\Deckard
2008-08-07 14:20 . 2008-08-07 14:20 <DIR> d--hs---- C:\FOUND.000
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Documents and Settings\Unknown User\Application Data\Malwarebytes
2008-08-06 21:49 . 2008-08-06 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 21:49 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-08-06 21:49 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-06 00:06 . 2008-08-06 00:06 114,688 --ahs---- C:\WINDOWS\Thumbs.db
2008-08-06 00:06 . 2008-08-06 00:06 5,632 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-08-06 00:06 . 2008-08-06 00:06 5,120 --ahs---- C:\WINDOWS\SYSTEM\Thumbs.db
2008-08-04 18:58 . 2008-08-04 18:59 56,832 --ahs---- C:\Thumbs.db
2008-08-02 16:06 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-08-02 16:06 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-08-02 16:06 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-08-02 15:52 . 2008-08-02 15:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 21:56 . 2008-08-01 21:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-23 17:46 . 2008-07-23 17:46 <DIR> d-------- C:\Program Files\iTunes
2008-07-23 17:44 . 2008-07-23 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 17:42 . 2008-07-23 17:42 <DIR> d-------- C:\Program Files\QuickTime
2008-07-23 17:34 . 2008-07-23 17:34 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 12:38 --------- d-----w C:\Program Files\Sun
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-14 15:58 --------- d-----w C:\Program Files\Photo Viewer
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2007-12-15 12:29 89,080 ----a-w C:\Documents and Settings\Unknown User\Application Data\GDIPFONTCACHEV1.DAT
2006-10-22 00:19 82,844 ----a-w C:\Documents and Settings\Unknown User\Winsock2.reg
2004-10-02 04:33 266 --sha-w C:\Program Files\desktop.ini
2004-10-02 04:33 11,079 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-08-12_19.10.16.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FlashUtil9f.exe
- 2008-06-20 13:02:24 74,137 ----a-w C:\WINDOWS\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
+ 2008-08-13 21:28:52 74,649 ----a-w C:\WINDOWS\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2008-08-12 22:05:02 58,336 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
+ 2008-08-14 01:06:44 58,336 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
- 2008-08-12 22:05:02 392,924 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2008-08-14 01:06:44 392,924 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 22:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-08-13 17:29 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

C:\Documents and Settings\Unknown User\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-06-22 22:32:15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"MCAgentExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
"VSOCheckTask"="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MCTskShd"=C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\WINDOWS\\System32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2008-02-20 17:12]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2008-02-20 17:10]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2008-02-20 17:11]
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2008-02-20 17:11]
S3 NgWfp;Aventail VPN Callout;C:\WINDOWS\system32\DRIVERS\ngwfp.sys [2008-02-20 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2006-02-13 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1136603107.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 21:11:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-13 21:15:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-14 01:15:16
ComboFix2.txt 2008-08-12 23:12:10

Pre-Run: 206,733,017,088 bytes free
Post-Run: 206,811,889,664 bytes free

204 --- E O F --- 2008-07-10 03:28:19

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 14 August 2008 - 03:49 PM

Hi

When you ran DSS (Deckard's System Scanner) it should have placed a shortcut to HijackThis on your desktop. Double-click it, run a scan & save a log (if it's there); if not, run DSS again & post the new "main.txt".

You have 4 versions of Java installed. When installing a new version, you should uninstall any old versions first, or the old versions could be exploited ...

J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

Go to add/remove programs and uninstall these :-

J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}

Just leave this one :-

Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Finally...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


Under "Windows Explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists.

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

Click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up:

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

Is your problem resolved?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.
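
A defender-side check for the Java advice above, added here as an example and not part of steamwiz's post or of any DSS/HijackThis tool: it parses the installed-program lines the post quotes, decodes each version from the Sun JRE MSI product code (the six digits after 00B0D0 encode major, minor, micro and update number, as the four entries above show), keeps the newest and lists the older ones for removal. The sample lines are constructed from the post, with one hypothetical non-Java entry added to show it is ignored.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the four Java entries quoted in the post above, in the
# "<name> --> <uninstall command>" layout DSS uses, with the trademark written as
# (TM), plus one hypothetical non-Java line to show unrelated entries are skipped.
DSS_INSTALLED_PROGRAMS = """\
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Example Browser 3.0 --> C:\\Program Files\\Example Browser\\uninstall.exe
"""

# One installed-program line: display name, " --> ", uninstall command.
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s+-->\s+(?P<cmd>.+)$")

# Sun JRE product codes share the prefix 3248F0A8-6813-11D6-A77B-00B0D0; the six
# digits after it are major, minor, micro, a two-digit update number and a
# trailing 0 (150110 -> 1.5.0_11, 160070 -> 1.6.0_07), as the entries above show.
JRE_CODE_RE = re.compile(
    r"\{3248F0A8-6813-11D6-A77B-00B0D0"
    r"(?P<major>\d)(?P<minor>\d)(?P<micro>\d)(?P<update>\d{2})\d\}",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class JreEntry:
    name: str
    product_code: str
    version: tuple[int, int, int, int]

    @property
    def version_string(self) -> str:
        major, minor, micro, update = self.version
        return f"{major}.{minor}.{micro}_{update:02d}"


def parse_jre_entries(text: str) -> list[JreEntry]:
    """Pick out the Sun JRE installs from a DSS installed-programs listing."""
    entries: list[JreEntry] = []
    for line in text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        code = JRE_CODE_RE.search(entry.group("cmd"))
        if not code:
            continue  # not a Sun JRE MSI entry
        version = tuple(int(code.group(g)) for g in ("major", "minor", "micro", "update"))
        entries.append(JreEntry(entry.group("name"), code.group(0), version))
    return entries


def plan_cleanup(entries: list[JreEntry]) -> tuple[JreEntry | None, list[JreEntry]]:
    """Return (keep, remove): the newest JRE and every older one, newest first."""
    if not entries:
        return None, []
    ordered = sorted(entries, key=lambda e: e.version, reverse=True)
    return ordered[0], ordered[1:]


def uninstall_commands(remove: list[JreEntry]) -> list[str]:
    """MsiExec /X<product code> removes exactly that install (the CLI form of Add/Remove)."""
    return [f"MsiExec.exe /X{e.product_code}" for e in remove]


if __name__ == "__main__":
    keep, remove = plan_cleanup(parse_jre_entries(DSS_INSTALLED_PROGRAMS))
    print(f"keep:   {keep.name} ({keep.version_string})")
    for entry, cmd in zip(remove, uninstall_commands(remove)):
        print(f"remove: {entry.name} ({entry.version_string})  ->  {cmd}")
```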

#8 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 14 August 2008 - 07:46 PM

Here is DSS. I am working through the steps on your post.

Deckard's System Scanner v20071014.68
Run by Unknown User on 2008-08-14 20:42:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Unknown User.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:39 PM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Unknown User\Desktop\dss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Unknown User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6983 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-12 18:55:03 68096 --a------ C:\WINDOWS\zip.exe
2008-08-12 18:55:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-12 18:55:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-12 18:55:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-12 18:55:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-12 18:55:03 98816 --a------ C:\WINDOWS\sed.exe
2008-08-12 18:55:03 80412 --a------ C:\WINDOWS\grep.exe
2008-08-12 18:55:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-12 18:43:30 0 dr-hs---- C:\cmdcons
2008-08-12 18:43:11 0 d-------- C:\WINDOWS\setupupd
2008-08-07 14:20:12 0 d--hs---- C:\FOUND.000
2008-08-06 21:49:42 0 d-------- C:\Documents and Settings\Unknown User\Application Data\Malwarebytes
2008-08-06 21:49:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:49:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 15:52:11 0 d-------- C:\Program Files\Trend Micro
2008-08-01 21:56:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-23 17:46:26 0 d-------- C:\Program Files\iTunes
2008-07-23 17:44:49 0 d-------- C:\Program Files\Bonjour
2008-07-23 17:42:14 0 d-------- C:\Program Files\QuickTime
2008-07-23 17:34:43 0 d-------- C:\Program Files\Safari


-- Find3M Report ---------------------------------------------------------------

2008-07-12 08:38:42 0 d-------- C:\Program Files\Sun
2008-06-14 11:58:44 0 d-------- C:\Program Files\Photo Viewer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [02/16/2008 12:56 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [08/13/2008 05:29 PM]

C:\Documents and Settings\Unknown User\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [6/22/2007 10:32:15 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"MCAgentExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
"VSOCheckTask"="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MCTskShd"=C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-08-14 20:44:13 ------------

#9 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 14 August 2008 - 10:01 PM

Once I completed the steps, Windows did an automatic update and now my Trend Micro Internet Security program will not open. Any ideas? I have re-booted several times. Thanks

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 15 August 2008 - 05:06 PM

Hi Micolene

The last DSS log which you posted (which is clean now) does not show Trend Micro Internet Security as running ... post #8

My instructions to you in post #7 ...

1. Remove old versions of java
2. uninstall Combofix
3. remove temporary files with Ccleaner

Would not go anywhere near any Trend Micro Internet Security files ...

Your last Combofix log ... post #6 (after removing a lot of Trojan files) DOES show Trend Micro Internet Security as running ...

I have no idea what could have caused Trend Micro Internet Security to stop working, however when removing as much malware as this, anti-virus programs often do become corrupted ...

The only thing I can suggest is that you uninstall & re-install Trend Micro Internet Security ...

Are all your other problems resolved?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#11 Micolene

Micolene
  • Topic Starter

  • Members
  • 7 posts

Posted 15 August 2008 - 06:04 PM

I was about to uninstall and reload, but I thought I would check with you first since you have been so helpful. Other issues seem to be resolved!

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 16 August 2008 - 02:53 PM

Hi Micolene

Glad to hear all issues appear to be resolved.

Let me know if there's anything else?

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#13 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 12 September 2008 - 05:19 PM

As this thread is resolved, it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.
