
Help With Winantivir2008


  • This topic is locked
53 replies to this topic

#1 bstrange


  • Members
  • 82 posts
  • OFFLINE

Posted 10 August 2008 - 04:05 AM

I am having a problem getting winantivir2008 off of our computer. The problem started with the winantivir popups, but it was after it was purchased and installed that it really got bad. I followed the directions here and ran MBAM (and some other programs, and it identifies a ton of stuff), but each time new objects are just recreated at startup after running MBAM. I followed the instructions and ran DSS and have attached the log (as well as the mbam log). Please help, nothing seems to be working.

I have to admit, I have been Googling solutions prior to finding this section on posting for help. (I found your site from one of the Google results.) With that in mind, I have tried a number of things, a couple of which I found here and a bunch of others from elsewhere. I am going to post the logs from the most recent things (all found on this site) in the order I ran them. The DSS log will be last as I just found this section...

SD Fix:
SDFix: Version 1.214
Run by Villa on Sat 08/09/2008 at 10:29 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\linkinfo.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 22:48:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 18 Aug 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Sun 13 Apr 2008 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Sat 9 Aug 2008 272,384 A..H. --- "C:\WINDOWS\system32\ddserh.dll"
Sat 9 Aug 2008 240,128 A..H. --- "C:\WINDOWS\system32\fmcvxy.dll"
Sat 9 Aug 2008 240,128 A..H. --- "C:\WINDOWS\system32\hhrdxd.dll"
Sat 9 Aug 2008 225,792 A..H. --- "C:\WINDOWS\system32\jfrwdh.dll"
Sun 13 Apr 2008 1,028,096 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Sun 13 Apr 2008 57,344 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Sun 13 Apr 2008 413,696 ..SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Sun 13 Apr 2008 343,040 ..SH. --- "C:\WINDOWS\system32\msvcrt.dll"
Sun 13 Apr 2008 551,936 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Sun 13 Apr 2008 84,992 ..SH. --- "C:\WINDOWS\system32\olepro32.dll"
Thu 9 Aug 2001 64,512 A..H. --- "C:\WINDOWS\system32\PackethSvc.exe"
Sat 9 Aug 2008 232,960 A..H. --- "C:\WINDOWS\system32\pedadt.dll"
Sun 13 Apr 2008 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Sat 9 Aug 2008 225,792 A..H. --- "C:\WINDOWS\system32\sgdewg.dll"
Sat 9 Aug 2008 247,296 A..H. --- "C:\WINDOWS\system32\tdfhex.dll"
Sat 9 Aug 2008 232,960 A..H. --- "C:\WINDOWS\system32\wrqszl.dll"
Tue 5 Aug 2008 229,376 A..H. --- "C:\WINDOWS\system32\wyrsdj.dll"
Sat 9 Aug 2008 265,216 A..H. --- "C:\WINDOWS\system32\wzcfsw.dll"
Sat 9 Aug 2008 232,960 A..H. --- "C:\WINDOWS\system32\zgtwfx.dll"

Finished!

MBAM
Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 3

2:43:28 AM 8/10/2008
mbam-log-8-10-2008 (02-43-28).txt

Scan type: Quick Scan
Objects scanned: 41184
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 11
Registry Keys Infected: 17
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jfrwdh.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\hhrdxd.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\wrqszl.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\sgdewg.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\jhfrxz.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\pedadt.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\zgtwfx.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\tdfhex.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\fmcvxy.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\ddserh.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{841529cb-7f77-4b99-a895-b5441e0d302f} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f99defdd-200b-4410-b572-e90883d527d2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8c41b7f7-3168-400d-a702-0e7efe0ba304} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7914e0aa-eccb-4311-b584-c49538227824} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e907a48-400e-4ea8-9792-ffae052d59e9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{006ca8a1-61bc-4774-a54c-f49034270bad} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b846b26-bfe6-4e8e-a948-1db17b77b483} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{73ae86e6-7f03-4c3b-8980-fb1da157d3c7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9895933-6636-4281-bc58-ee6de2af96e3} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{841529cb-7f77-4b99-a895-b5441e0d302f} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{17dfd111-bf3a-4cb4-adb0-88fcbfe69821} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f99defdd-200b-4410-b572-e90883d527d2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{8c41b7f7-3168-400d-a702-0e7efe0ba304} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7914e0aa-eccb-4311-b584-c49538227824} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5e907a48-400e-4ea8-9792-ffae052d59e9} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{006ca8a1-61bc-4774-a54c-f49034270bad} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0b846b26-bfe6-4e8e-a948-1db17b77b483} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{73ae86e6-7f03-4c3b-8980-fb1da157d3c7} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a9895933-6636-4281-bc58-ee6de2af96e3} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jfrwdh.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\hhrdxd.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\wrqszl.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\sgdewg.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\jhfrxz.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\pedadt.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\zgtwfx.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\tdfhex.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\fmcvxy.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\ddserh.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\sunesn.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jolinos.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\IsDrv122.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\3L5QJKKO\35[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\FRO9Z9NY\5[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\FRO9Z9NY\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LOWTFBP\21[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LOWTFBP\25[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LOWTFBP\29[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LOWTFBP\7[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

Deckard's Sys Scan:
Deckard's System Scanner v20071014.68
Run by Villa on 2008-08-10 04:33:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-10 08:34:21 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-08-10 05:59:47 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-10 04:43:29
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\alg.exe
C:\Documents and Settings\Villa\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: mssetd.dll lenowos.dll sunesn.dll esceps.dll offscrl.dll cxhole.dll therbrek.dll squalle.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll cmonos.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe


--
End of file - 7954 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R3 eth8023 - c:\windows\system32\drivers\eth8023.sys

S0 Winqx85 - c:\windows\system32\drivers\winqx85.sys (file missing)
S2 cdralw (NVIDIA Compatible Windows Miniport Driver) - c:\windows\system32\drivers\nvmini.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-10 04:04:38 486 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 04:02:19 0 dr-h----- C:\Documents and Settings\Villa\Recent
2008-08-10 02:28:29 28672 --a------ C:\WINDOWS\system32\cmonos.dll
2008-08-10 02:18:47 265216 --ah----- C:\WINDOWS\system32\wzcfsw.dll
2008-08-10 02:18:42 24576 --a------ C:\WINDOWS\system32\zlcdps.dll
2008-08-10 02:18:29 24576 --a------ C:\WINDOWS\system32\dickus.dll
2008-08-10 02:18:19 28672 --a------ C:\WINDOWS\system32\crtnumo.dll
2008-08-10 02:17:06 24576 --a------ C:\WINDOWS\system32\xpsbos.dll
2008-08-10 02:15:45 24576 --a------ C:\WINDOWS\system32\baccops.dll
2008-08-10 02:15:41 28672 --a------ C:\WINDOWS\system32\keyiftp.dll
2008-08-10 02:15:27 28672 --a------ C:\WINDOWS\system32\wdhotem.dll
2008-08-10 02:15:24 24576 --a------ C:\WINDOWS\system32\manleu.dll
2008-08-10 02:15:06 24576 --a------ C:\WINDOWS\system32\squalle.dll
2008-08-10 02:15:03 24576 --a------ C:\WINDOWS\system32\therbrek.dll
2008-08-10 02:15:01 28672 --a------ C:\WINDOWS\system32\cxhole.dll
2008-08-10 02:14:59 24576 --a------ C:\WINDOWS\system32\offscrl.dll
2008-08-10 02:13:45 28672 --a------ C:\WINDOWS\system32\esceps.dll
2008-08-10 02:13:31 28672 --a------ C:\WINDOWS\system32\lenowos.dll
2008-08-10 02:12:41 14848 --a------ C:\WINDOWS\system32\mssetdk.exe
2008-08-10 02:12:41 36864 --a------ C:\WINDOWS\system32\mssetd.dll
2008-08-10 02:08:41 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-08-10 01:59:58 53248 -----n--- C:\WINDOWS\linkinfo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-09 23:24:43 19456 --a------ C:\WINDOWS\sysocmgr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-09 23:23:44 12800 --a------ C:\WINDOWS\system32\keyiftpk.exe
2008-08-09 22:23:27 0 d-------- C:\WINDOWS\ERUNT
2008-08-09 22:11:28 10240 --a------ C:\WINDOWS\system32\offscrlk.exe
2008-08-04 15:09:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-04 13:57:25 0 d-------- C:\Program Files\Yahoo!
2008-08-04 13:56:59 0 d-------- C:\Program Files\CCleaner
2008-08-04 12:26:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 01:54:34 24576 --a------ C:\WINDOWS\system32\kicpsl.dll
2008-08-01 16:33:20 0 d-------- C:\cmdcons
2008-08-01 16:26:57 68096 --a------ C:\WINDOWS\zip.exe
2008-08-01 16:26:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-01 16:26:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-01 16:26:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-01 16:26:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-01 16:26:57 98816 --a------ C:\WINDOWS\sed.exe
2008-08-01 16:26:57 80412 --a------ C:\WINDOWS\grep.exe
2008-08-01 16:26:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-01 15:40:23 0 d-------- C:\Documents and Settings\Villa\Application Data\Malwarebytes
2008-08-01 15:39:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 14:34:18 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-08-10 01:55:01 0 d-------- C:\Program Files\Common Files
2008-08-04 14:40:32 0 d-------- C:\Program Files\Windows NT
2008-08-04 14:40:11 0 d-------- C:\Program Files\Movie Maker
2008-07-22 10:56:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 15:52:09 0 d-------- C:\Documents and Settings\Villa\Application Data\Template
2008-06-25 12:24:52 0 d-------- C:\Documents and Settings\Villa\Application Data\Adobe
2008-06-21 12:39:01 0 d-------- C:\Documents and Settings\Villa\Application Data\Macromedia
2008-06-20 15:09:45 68274 --a------ C:\WINDOWS\hpoins05.dat
2008-06-20 15:09:28 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-20 02:30:29 102859 --a------ C:\WINDOWS\HPFins09.dat
2008-06-20 02:29:53 0 d-------- C:\Program Files\HP
2008-06-19 18:06:17 0 d-------- C:\Program Files\Microsoft Works
2008-06-19 18:04:28 0 d-------- C:\Program Files\Microsoft.NET
2008-06-19 17:55:49 18283 -----n--- C:\WINDOWS\HPHins01.dat
2008-06-19 17:55:41 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-19 17:51:02 0 d-------- C:\Documents and Settings\Villa\Application Data\Share-to-Web Upload Folder
2008-06-19 17:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 17:44:47 0 d-------- C:\Documents and Settings\Villa\Application Data\Intuit
2008-06-19 17:44:29 0 d-------- C:\Program Files\Intuit
2008-06-19 17:44:18 0 d-------- C:\Program Files\Common Files\supportsoft
2008-06-19 17:36:13 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-19 17:32:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-19 17:28:46 0 d-------- C:\Program Files\MSXML 4.0
2008-06-19 02:50:11 0 d-------- C:\Documents and Settings\Villa\Application Data\TuneUp Software
2008-06-19 02:46:46 0 d-------- C:\Program Files\Java
2008-06-19 02:24:42 0 d-------- C:\Program Files\IObit
2008-06-19 02:24:12 0 d-------- C:\Program Files\Common Files\Java
2008-06-19 02:23:31 0 d-------- C:\Documents and Settings\Villa\Application Data\Sun
2008-06-19 02:22:56 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-19 01:48:56 0 d-------- C:\Program Files\MSBuild
2008-06-19 01:48:26 0 d-------- C:\Program Files\Reference Assemblies
2008-06-18 20:19:34 0 d-------- C:\Program Files\COMPAQ
2008-06-18 20:17:12 0 d-------- C:\Program Files\Online Services
2008-06-18 20:10:29 0 d-------- C:\Program Files\Common Files\Real
2008-06-18 17:41:23 0 d-------- C:\Program Files\Messenger


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 09:11 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 05:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 02:57 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24 AM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [08/20/2003 05:15 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [07/13/2000 03:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [9/19/2006 10:36:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{28766E1C-74B0-4417-8C75-F12AE309EF35}"= C:\WINDOWS\system32\wzcfsw.dll [08/10/2008 02:18 AM 265216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sysocmgr"= {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll [08/10/2008 02:29 AM 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mssetd.dll lenowos.dll sunesn.dll esceps.dll offscrl.dll cxhole.dll therbrek.dll squalle.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll cmonos.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqx85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

202.165.102.205 972.aksjd11.com
202.165.102.205 w3og.cn
203.208.35.100 qazc.fourtw.cn
203.208.35.100 www.aujoy.cn
203.208.35.101 www.hao601.cn
203.208.35.101 www.psp476.cn
72.14.235.99 222.1212l112.net
72.14.235.99 444.1212l112.netn
72.14.235.99 555.1212l112.net
72.14.235.99 111.1212l112.net

9436 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-10 04:48:57 ------------

Any help you could give me would be greatly appreciated. I seem to be spinning my wheels and going nowhere :thumbsup:

EDIT TO ADD:

Forgot to include extra.txt (attached below)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1500MHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 511.42 MiB / 296.41 MiB
Pagefile Memory (total/avail): 1249.34 MiB / 1088.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.09 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.37 GiB total, 10.27 GiB free.
D: is Fixed (FAT32) - 3.89 GiB total, 1.29 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 33.37 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 3.9 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Villa\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Villa
LOGONSERVER=\\OFFICE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Villa\LOCALS~1\Temp
TMP=C:\DOCUME~1\Villa\LOCALS~1\Temp
USERDOMAIN=OFFICE
USERNAME=Villa
USERPROFILE=C:\Documents and Settings\Villa
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (new local, admin)
Villa (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com --> MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR --> c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Compaq WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
hp instant support --> C:\PROGRA~1\Hewlett-Packard\AiO\HPis\Uninstall.exe CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp officejet d series --> MsiExec.exe /X{C0B88772-EACC-4F69-9F77-59A4894CF170}
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
HP Software Update --> MsiExec.exe /X{D43BB532-3537-4CE9-9CBB-92533BD29F0C}
Intel® Network Connections Drivers --> Prounstl.exe
InterVideo Installer --> "C:\Program Files\Compaq\Installer\IVIUninstaller.exe" "C:\Program Files\Compaq\Installer"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Access 2007 --> MsiExec.exe /X{91120000-0015-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
QuickBooks Premier: Retail Edition 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="retail" QBFULLNAME="QuickBooks Premier: Retail Edition 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
SoundMAX2 --> C:\Program Files\Analog Devices\SoundMAX 2\ADIOUT.BAT
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type907 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type906 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type905 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type904 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type903 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3079 / Error
Event Submitted/Written: 08/10/2008 04:13:53 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.4 for the Network Card with network address 0002A5C9D86B has been
denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type3073 / Warning
Event Submitted/Written: 08/10/2008 04:04:48 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.156.193 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type3063 / Error
Event Submitted/Written: 08/10/2008 04:04:44 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Ywy54

Event Record #/Type3051 / Error
Event Submitted/Written: 08/10/2008 02:26:13 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000007f, parameter1 00000008, parameter2 80042000, parameter3 00000000, parameter4 00000000.

Event Record #/Type3048 / Warning
Event Submitted/Written: 08/10/2008 02:25:50 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.15.63 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.



-- End of Deckard's System Scanner: finished at 2008-08-10 04:48:57 ------------

Also, I have tried to access Kaspersky's online scan. The page is still loading after 21+ minutes, the Accept button on the TOS is still greyed out after scrolling through all the terms and conditions, and no system information is being collected, just a loading bar...

Second edit to add:
I was reading other posts and saw that most help requests required a 2nd DSS log from a "%userprofile%\Desktop\dss.exe" /config Run prompt with everything in config checked, so I reran a more comprehensive DSS (attached below).

main.txt
Deckard's System Scanner v20071014.68
Run by Villa on 2008-08-10 05:44:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-08-10 08:34:21 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-08-10 05:59:47 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-10 05:52:25
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\alg.exe
C:\Documents and Settings\Villa\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 203.208.35.100 qazc.fourtw.cn
O1 - Hosts: 203.208.35.100 www.aujoy.cn
O1 - Hosts: 203.208.35.101 www.hao601.cn
O1 - Hosts: 203.208.35.101 www.psp476.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.netn
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 72.14.235.99 111.1212l112.net
O1 - Hosts: 65.55.21.250 111.3243l24.com
O1 - Hosts: 65.55.21.250 222.3243l24.com
O1 - Hosts: 65.55.21.250 333.3243l24.com
O1 - Hosts: 125.64.8.112 kao2.gmwo03.com
O1 - Hosts: 125.64.8.112 kao.gmwo06.com
O1 - Hosts: 125.64.8.112 444.gmwo07.com
O1 - Hosts: 116.252.185.15 ru.update365.us
O1 - Hosts: 116.252.185.15 ad.update365.us
O1 - Hosts: 207.46.232.182 popmails.net
O1 - Hosts: 203.208.37.99 3.goodhh.com
O1 - Hosts: 220.181.37.55 down.rwixr.com
O1 - Hosts: 160.79.42.52 www.xdj2008.com
O1 - Hosts: 63.175.76.152 www.revtr.cn
O1 - Hosts: 219.133.40.91 qq.ljsll.com
O1 - Hosts: 203.208.35.102 www.aassccwe.cn
O1 - Hosts: 209.132.177.50 973.aksjd11.com
O1 - Hosts: 209.132.177.50 974.aksjd11.com
O1 - Hosts: 209.132.177.50 971.aksjd11.com
O1 - Hosts: 209.132.177.50 975.aksjd11.com
O1 - Hosts: 72.14.235.104 user1.12-39.net
O1 - Hosts: 72.14.235.147 www.infomt.net
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O1 - Hosts: 192.150.18.101 ata3.sysions.net
O1 - Hosts: 192.150.18.101 ata4.sysions.net
O1 - Hosts: 193.120.42.226 8nnnnn99.cn
O1 - Hosts: 24.39.54.34 www.haoaoao.cn
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: mssetd.dll lenowos.dll sunesn.dll esceps.dll offscrl.dll cxhole.dll therbrek.dll squalle.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll cmonos.dll
O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe


--
End of file - 7954 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R3 eth8023 - c:\windows\system32\drivers\eth8023.sys

S0 Winqx85 - c:\windows\system32\drivers\winqx85.sys (file missing)
S2 cdralw (NVIDIA Compatible Windows Miniport Driver) - c:\windows\system32\drivers\nvmini.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 648)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 888)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 956)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1008)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1088)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>
2008-04-13 20:11:56 18432 --a------ C:\WINDOWS\system32\mshta.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>

C:\WINDOWS\system32\svchost.exe (pid 1176)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1216)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1232)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1540)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1848)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>
2008-04-13 20:11:48 98304 --a------ C:\WINDOWS\system32\actxprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

C:\WINDOWS\explorer.exe (pid 292)
2000-04-17 22:02:20 40828 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; Staccato Systems; Staccato Systems SynthCore R1.2 Synthesizer>
2008-04-13 20:11:48 98304 --a------ C:\WINDOWS\system32\actxprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-10 02:18:47 265216 --ah----- C:\WINDOWS\system32\wzcfsw.dll
2008-08-04 22:15:02 27136 --a------ C:\WINDOWS\AppPatch\AcPlugin.dll
2008-08-10 04:04:44 9728 --a------ C:\WINDOWS\AppPatch\AcSpecf.dll
2008-04-13 20:11:56 18432 --a------ C:\WINDOWS\system32\mshta.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-08-10 04:04:40 53248 -----n--- C:\WINDOWS\linkinfo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2001-07-03 09:10:36 131072 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wns.dll <Not Verified; Hewlett-Packard; Hewlett-Packard S2WNSRES>
2001-07-03 09:10:40 20480 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\S2WNSRes.dll <Not Verified; Hewlett-Packard; Hewlett-Packard S2WNSRES>
2001-07-03 09:17:06 24576 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-08-10 05:00:20 486 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 04:53:16 0 dr-h----- C:\Documents and Settings\Villa\Recent
2008-08-10 02:28:29 28672 --a------ C:\WINDOWS\system32\cmonos.dll
2008-08-10 02:18:47 265216 --ah----- C:\WINDOWS\system32\wzcfsw.dll
2008-08-10 02:18:42 24576 --a------ C:\WINDOWS\system32\zlcdps.dll
2008-08-10 02:18:29 24576 --a------ C:\WINDOWS\system32\dickus.dll
2008-08-10 02:18:19 28672 --a------ C:\WINDOWS\system32\crtnumo.dll
2008-08-10 02:17:06 24576 --a------ C:\WINDOWS\system32\xpsbos.dll
2008-08-10 02:15:45 24576 --a------ C:\WINDOWS\system32\baccops.dll
2008-08-10 02:15:41 28672 --a------ C:\WINDOWS\system32\keyiftp.dll
2008-08-10 02:15:27 28672 --a------ C:\WINDOWS\system32\wdhotem.dll
2008-08-10 02:15:24 24576 --a------ C:\WINDOWS\system32\manleu.dll
2008-08-10 02:15:06 24576 --a------ C:\WINDOWS\system32\squalle.dll
2008-08-10 02:15:03 24576 --a------ C:\WINDOWS\system32\therbrek.dll
2008-08-10 02:15:01 28672 --a------ C:\WINDOWS\system32\cxhole.dll
2008-08-10 02:14:59 24576 --a------ C:\WINDOWS\system32\offscrl.dll
2008-08-10 02:13:45 28672 --a------ C:\WINDOWS\system32\esceps.dll
2008-08-10 02:13:31 28672 --a------ C:\WINDOWS\system32\lenowos.dll
2008-08-10 02:12:41 14848 --a------ C:\WINDOWS\system32\mssetdk.exe
2008-08-10 02:12:41 36864 --a------ C:\WINDOWS\system32\mssetd.dll
2008-08-10 02:08:41 18048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-08-10 01:59:58 53248 -----n--- C:\WINDOWS\linkinfo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-09 23:24:43 19456 --a------ C:\WINDOWS\sysocmgr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-09 23:23:44 12800 --a------ C:\WINDOWS\system32\keyiftpk.exe
2008-08-09 22:23:27 0 d-------- C:\WINDOWS\ERUNT
2008-08-09 22:11:28 10240 --a------ C:\WINDOWS\system32\offscrlk.exe
2008-08-04 15:09:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-04 13:57:25 0 d-------- C:\Program Files\Yahoo!
2008-08-04 13:56:59 0 d-------- C:\Program Files\CCleaner
2008-08-04 12:26:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-03 01:54:34 24576 --a------ C:\WINDOWS\system32\kicpsl.dll
2008-08-01 16:33:20 0 d-------- C:\cmdcons
2008-08-01 16:26:57 68096 --a------ C:\WINDOWS\zip.exe
2008-08-01 16:26:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-01 16:26:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-01 16:26:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-01 16:26:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-01 16:26:57 98816 --a------ C:\WINDOWS\sed.exe
2008-08-01 16:26:57 80412 --a------ C:\WINDOWS\grep.exe
2008-08-01 16:26:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-01 15:40:23 0 d-------- C:\Documents and Settings\Villa\Application Data\Malwarebytes
2008-08-01 15:39:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 14:34:18 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-08-10 01:55:01 0 d-------- C:\Program Files\Common Files
2008-08-04 14:40:32 0 d-------- C:\Program Files\Windows NT
2008-08-04 14:40:11 0 d-------- C:\Program Files\Movie Maker
2008-07-22 10:56:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 15:52:09 0 d-------- C:\Documents and Settings\Villa\Application Data\Template
2008-06-25 12:24:52 0 d-------- C:\Documents and Settings\Villa\Application Data\Adobe
2008-06-21 12:39:01 0 d-------- C:\Documents and Settings\Villa\Application Data\Macromedia
2008-06-20 15:09:45 68274 --a------ C:\WINDOWS\hpoins05.dat
2008-06-20 15:09:28 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-20 02:30:29 102859 --a------ C:\WINDOWS\HPFins09.dat
2008-06-20 02:29:53 0 d-------- C:\Program Files\HP
2008-06-19 18:06:17 0 d-------- C:\Program Files\Microsoft Works
2008-06-19 18:04:28 0 d-------- C:\Program Files\Microsoft.NET
2008-06-19 17:55:49 18283 -----n--- C:\WINDOWS\HPHins01.dat
2008-06-19 17:55:41 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-19 17:51:02 0 d-------- C:\Documents and Settings\Villa\Application Data\Share-to-Web Upload Folder
2008-06-19 17:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 17:44:47 0 d-------- C:\Documents and Settings\Villa\Application Data\Intuit
2008-06-19 17:44:29 0 d-------- C:\Program Files\Intuit
2008-06-19 17:44:18 0 d-------- C:\Program Files\Common Files\supportsoft
2008-06-19 17:36:13 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-19 17:32:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-19 17:28:46 0 d-------- C:\Program Files\MSXML 4.0
2008-06-19 02:50:11 0 d-------- C:\Documents and Settings\Villa\Application Data\TuneUp Software
2008-06-19 02:46:46 0 d-------- C:\Program Files\Java
2008-06-19 02:24:42 0 d-------- C:\Program Files\IObit
2008-06-19 02:24:12 0 d-------- C:\Program Files\Common Files\Java
2008-06-19 02:23:31 0 d-------- C:\Documents and Settings\Villa\Application Data\Sun
2008-06-19 02:22:56 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-06-19 01:48:56 0 d-------- C:\Program Files\MSBuild
2008-06-19 01:48:26 0 d-------- C:\Program Files\Reference Assemblies
2008-06-18 20:19:34 0 d-------- C:\Program Files\COMPAQ
2008-06-18 20:17:12 0 d-------- C:\Program Files\Online Services
2008-06-18 20:10:29 0 d-------- C:\Program Files\Common Files\Real
2008-06-18 17:41:23 0 d-------- C:\Program Files\Messenger


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [07/03/2001 09:11 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/20/2003 05:23 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [08/20/2003 02:57 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [06/25/2003 11:24 AM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [08/20/2003 05:15 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [07/13/2000 03:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [9/19/2006 10:36:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{28766E1C-74B0-4417-8C75-F12AE309EF35}"= C:\WINDOWS\system32\wzcfsw.dll [08/10/2008 02:18 AM 265216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"sysocmgr"= {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll [08/10/2008 02:29 AM 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=mssetd.dll lenowos.dll sunesn.dll esceps.dll offscrl.dll cxhole.dll therbrek.dll squalle.dll manleu.dll wdhotem.dll jolinos.dll keyiftp.dll baccops.dll xpsbos.dll crtnumo.dll dickus.dll zlcdps.dll cmonos.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqx85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

202.165.102.205 972.aksjd11.com
202.165.102.205 w3og.cn
203.208.35.100 qazc.fourtw.cn
203.208.35.100 www.aujoy.cn
203.208.35.101 www.hao601.cn
203.208.35.101 www.psp476.cn
72.14.235.99 222.1212l112.net
72.14.235.99 444.1212l112.netn
72.14.235.99 555.1212l112.net
72.14.235.99 111.1212l112.net

9436 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-10 05:59:11 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1500MHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 511.42 MiB / 284.33 MiB
Pagefile Memory (total/avail): 1249.34 MiB / 1078.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.97 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.37 GiB total, 10.27 GiB free.
D: is Fixed (FAT32) - 3.89 GiB total, 1.29 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340810A - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 33.37 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 3.9 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Villa\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Villa
LOGONSERVER=\\OFFICE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Villa\LOCALS~1\Temp
TMP=C:\DOCUME~1\Villa\LOCALS~1\Temp
USERDOMAIN=OFFICE
USERNAME=Villa
USERPROFILE=C:\Documents and Settings\Villa
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (new local, admin)
Villa (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com --> MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR --> c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Compaq WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
hp instant support --> C:\PROGRA~1\Hewlett-Packard\AiO\HPis\Uninstall.exe CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp officejet d series --> MsiExec.exe /X{C0B88772-EACC-4F69-9F77-59A4894CF170}
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
HP Software Update --> MsiExec.exe /X{D43BB532-3537-4CE9-9CBB-92533BD29F0C}
Intel® Network Connections Drivers --> Prounstl.exe
InterVideo Installer --> "C:\Program Files\Compaq\Installer\IVIUninstaller.exe" "C:\Program Files\Compaq\Installer"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Access 2007 --> MsiExec.exe /X{91120000-0015-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
QuickBooks Premier: Retail Edition 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="retail" QBFULLNAME="QuickBooks Premier: Retail Edition 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
SoundMAX2 --> C:\Program Files\Analog Devices\SoundMAX 2\ADIOUT.BAT
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type907 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type906 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type905 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type904 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type903 / Warning
Event Submitted/Written: 08/09/2008 10:18:16 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3079 / Error
Event Submitted/Written: 08/10/2008 04:13:53 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.4 for the Network Card with network address 0002A5C9D86B has been
denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type3073 / Warning
Event Submitted/Written: 08/10/2008 04:04:48 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.156.193 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type3063 / Error
Event Submitted/Written: 08/10/2008 04:04:44 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Ywy54

Event Record #/Type3051 / Error
Event Submitted/Written: 08/10/2008 02:26:13 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000007f, parameter1 00000008, parameter2 80042000, parameter3 00000000, parameter4 00000000.

Event Record #/Type3048 / Warning
Event Submitted/Written: 08/10/2008 02:25:50 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.15.63 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.



-- End of Deckard's System Scanner: finished at 2008-08-10 05:59:11 ------------

Edited by bstrange, 10 August 2008 - 05:39 AM.




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 14 August 2008 - 08:07 AM

Hello, my name is fenzodahl512 and welcome to BC... Looking at your system now, one or more of the identified infections is a backdoor Trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purpose.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

After reading both articles, please let me know whether you choose to reformat or continue with the disinfection process..

Should you still want to continue with the cleaning process, please read my instructions carefully (save it if necessary) and do exactly as per request.. Be ready for a lengthy process :thumbsup:


==============================



Please take note that you have nasty backdoor infections that will respawn themselves as soon as you connect to the internet.. I will try my best to clean it for you although it may mean a lengthy process.. I will need you to download several programs prior to our fix and then I will need you to physically disconnect from the Internet.. That means, all logs, reports, downloads (if any) will have to go via another computer (you have to transfer via pendrive/cd/whatever)..



===============================


While still online, please download these programs and save it to your Desktop... Don't do anything with it yet.. We will use them later..


1. ComboFix
2. AVZ4
3. The Avenger
4. MVPSHostsfile



===============================


While still online, please do below...

1. Unzip AVZ4 to your Desktop. A folder named AVZ4 will be created
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.




NEXT


Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System. Use Windows XP Service Pack 2




Download the file & save it as it's originally named, next to ComboFix.exe.





Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After successfully installing the Recovery Console, a pop-up will appear asking to run ComboFix, please select NO.



=========================


Now, please physically disconnect from the internet and do below...


1. Unzip MVPS Hostsfile to your Desktop. Open the hosts folder and double-click mvps.bat file. Follow the instruction given..




NEXT


2. Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you (located in C:\combofix.txt). Post that log in your next reply..

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall




NEXT


  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply, along with a fresh DSS log


Don't do anything with The Avenger.. We may need it later.. Please stay offline with this computer.. Please post all logs from a different computer.. We don't want this computer to get re-infected as soon as it is connected to the internet..


Please post the following logs in your next reply..

1. ComboFix
2. Attach virusinfo_syscheck.htm


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 14 August 2008 - 08:44 AM

Running AVZ now and soon to be combofix. A number of 'IT' friends tried running everything from Avast AV to Combofix/SDFix/Vundo fix. I made them keep the logs in case you guys needed them, but nothing seemed to really 'work'. Avast removed 1168 viruses, combo fix seemed to work well but each new time it ran it had a different 2 files to be deleted. Mbam was the same way, always having one or two files remaining.

Whatever the case, no other 'IT' guys now, just you and me my friend :thumbsup:
(I just mentioned it in case you needed to see any of the logs)

AVZ seems to be at 70% so I should have an AVZ and combofix log posted within the hour

Thanks!

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 14 August 2008 - 08:50 AM

It's okay.. Just follow as per instruction and post the logs.. Your infection is a very nasty one..

Just one question.. Do you play any online games? If yes, then what kind of Online games do you play? The baddies may have originated from there.. :thumbsup:



#5 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 14 August 2008 - 09:31 AM

Well, like 1 in 5 Americans, I play WOW :thumbsup: ; however, we have torrent and peer to peer patching disabled. All patches and updates are downloaded directly from Blizzard. The infected computer is only used for business and does not access any online games or forums. The source 'seems' to be an email that predicates the WinAntivirus2008 virus. In this case, it was an email that appeared to be from one of our known business associates (the email is gone, but I suspect it was a slight variant in the root domain/email address) with a link entitled "Fabric Samples". We clicked the link and that was it, numerous winav2008 and variant popups immediately. To make matters worse, our office manager went ahead and purchased the virus and downloaded and fully installed the Win AntiVir2008 package. I have read a lot of these forum posts over the past couple days and what appears to be different with our infections (and some other local businesses) is that a 'tailored' email has been the source for infection.

When I say tailored, I mean ours appeared to be from a company we were awaiting fabric samples from. Our insurance agent, who was waiting on a package from UPS, got an email that appeared to be from UPS and said there was a problem with his shipment, Click the following tracking number to find out more about your order, and he wound up with the same virus. Both of us were running Trend Micro Antivirus with up to date definitions and regular scans. We are assuming that WinAntiVir2008 has incorporated a 'benign' (unrecognized by Trend) tracking cookie that tracks user information that is then used to create an email close to emails that we would be expecting to receive. Obviously, we never open emails from unknown sources or the "A millionaire wants to deposit money into your account" type spam, but this was different.

#6 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 14 August 2008 - 09:35 AM

I should probably mention that the infected PC was on the same network as these PCs that I am typing on, at the time of the infection, and intermittently since the infection. Mbam on both of the other two PCs showed no infection, so I think these are safe. We have been using an external HD to put programs and save logs from the infected PC as either by fault of the virus, or pure coincidence, our flash drive died while trying to use it to add diag/av programs onto the infected machine.

#7 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  • Local time:11:59 AM

Posted 14 August 2008 - 10:07 AM

OK all scanned:

AVZ Log from first run:

Attention !!! Database was last updated 4/6/2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 8/14/2008 9:25:42 AM
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->F5B36618), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (8057065D->F5B364D4), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80592D50->F5B369B2), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805715E0->F5B360AC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (80568D59->F5B365AE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805717C7->F5B35FEC), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (8058A1BD->F5B36050), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (8056A1F1->F5B366CE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8064EC91->F5B3668E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80572889->F5B3680E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 10, restored: 10
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 30
Number of modules loaded: 343
Scanning memory - complete
3. Scanning disks
File quarantined succesfully (C:\Documents and Settings\Villa\Desktop\Villa Backup\LockDown Software\soft\backups\backup-20060918-182156-616.inf)
C:\Documents and Settings\Villa\Desktop\Villa Backup\LockDown Software\soft\backups\backup-20060918-182156-616.inf >>>>> Trojan-Downloader.Win32.Rameh.b deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{B9E2BB15-B458-4D49-B6D4-8E74CDCA04F2}\RP18\A0001438.inf)
C:\System Volume Information\_restore{B9E2BB15-B458-4D49-B6D4-8E74CDCA04F2}\RP18\A0001438.inf >>>>> Trojan-Downloader.Win32.Rameh.b deleted successfully
Removing traces of deleted files...
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Security: automatic logon is enabled
Checking - complete
9. Troubleshooting wizard
>> Service termination timeout is out of admissible values
Checking - complete
Files scanned: 159205, extracted from archives: 121595, malicious software found 2, suspicions - 0
Scanning finished at 8/14/2008 10:28:51 AM
!!! Attention !!! Recovered 10 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 01:02:09
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
System Analysis - complete

Combofix Log:

ComboFix 08-08-13.05 - Villa 2008-08-14 10:41:40.14 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.306 [GMT -4:00]
Running from: C:\Documents and Settings\Villa\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\temp\wmsetup.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-14 03:00 . 2008-08-14 03:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-13 20:02 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 19:28 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 14:14 . 2008-08-13 14:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-08-12 13:43 . 2008-08-12 13:43 <DIR> d-------- C:\VundoFix Backups
2008-08-12 12:39 . 2008-08-12 12:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 12:36 . 2008-08-12 12:36 <DIR> d-------- C:\Deckard
2008-08-12 12:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-12 12:23 . 2008-08-12 12:25 <DIR> d-------- C:\Program Files\Java
2008-08-12 12:23 . 2008-08-12 12:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-12 12:10 . 2008-08-12 12:10 0 --a------ C:\WINDOWS\system32\REN44.tmp
2008-08-12 12:10 . 2008-08-12 12:10 0 --a------ C:\WINDOWS\system32\REN43.tmp
2008-08-12 12:10 . 2008-08-12 12:10 0 --a------ C:\WINDOWS\system32\REN42.tmp
2008-08-12 02:53 . 2008-08-12 02:53 5 --a------ C:\WINDOWS\system32\SndDrv32b.ini
2008-08-12 02:52 . 2008-08-12 06:06 <DIR> d-------- C:\Program Files\jv16 PowerTools
2008-08-11 12:30 . 2008-08-11 12:30 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-10 20:44 . 2008-08-11 22:37 <DIR> d-------- C:\Program Files\Sophos
2008-08-10 15:27 . 2008-08-10 15:27 250 --a------ C:\WINDOWS\gmer.ini
2008-08-09 22:27 . 2008-08-09 22:27 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-09 22:23 . 2008-08-09 22:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-04 13:57 . 2008-08-12 06:18 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-04 13:56 . 2008-08-04 13:58 <DIR> d-------- C:\Program Files\CCleaner
2008-08-04 13:40 . 2008-08-12 03:16 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-04 12:26 . 2008-08-09 21:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 12:26 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-04 12:26 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 15:40 . 2008-08-01 15:40 <DIR> d-------- C:\Documents and Settings\Villa\Application Data\Malwarebytes
2008-08-01 15:39 . 2008-08-01 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-29 09:47 . 2008-07-29 09:47 29 --a------ C:\WINDOWS\system32\qqwfaasi.tmp
2008-07-25 14:34 . 2008-07-25 14:34 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 16:50 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-22 14:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-26 19:52 --------- d-----w C:\Documents and Settings\Villa\Application Data\Template
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 19:09 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 06:29 --------- d-----w C:\Program Files\HP
2008-06-19 22:06 --------- d-----w C:\Program Files\Microsoft Works
2008-06-19 22:04 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-19 21:51 --------- d-----w C:\Documents and Settings\Villa\Application Data\Share-to-Web Upload Folder
2008-06-19 21:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 21:44 --------- d-----w C:\Program Files\Intuit
2008-06-19 21:44 --------- d-----w C:\Documents and Settings\Villa\Application Data\Intuit
2008-06-19 21:36 --------- d-----w C:\Program Files\Common Files\Intuit
2008-06-19 21:32 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-19 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-19 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-06-19 21:28 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-19 06:50 --------- d-----w C:\Documents and Settings\Villa\Application Data\TuneUp Software
2008-06-19 06:24 --------- d-----w C:\Program Files\IObit
2008-06-19 05:48 --------- d-----w C:\Program Files\Reference Assemblies
2008-06-19 05:48 --------- d-----w C:\Program Files\MSBuild
2008-06-19 00:19 --------- d-----w C:\Program Files\COMPAQ
2008-06-19 00:10 --------- d-----w C:\Program Files\Common Files\Real
2001-08-18 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\WINDOWS\twain_32.dll
2008-04-14 00:11 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2008-04-14 00:12 57,344 --sh--w C:\WINDOWS\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w C:\WINDOWS\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w C:\WINDOWS\system32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-12_13.06.52.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-07 20:23:18 253,952 ----a-w C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950974\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950974\update\updspapi.dll
+ 2008-07-11 12:51:51 62,976 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951072-v2\update\updspapi.dll
+ 2008-06-24 16:53:10 74,240 ----a-w C:\WINDOWS\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\advpack.dll
+ 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtmsft.dll
+ 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtrans.dll
+ 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\extmgr.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\icardie.dll
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ie4uinit.exe
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakeng.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieaksie.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakui.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieapfltr.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iedkcs32.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieframe.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iernonce.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iertutil.dll
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieudinit.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
+ 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\jsproxy.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeeds.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeedsbs.dll
+ 2008-04-24 02:16:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtml.dll
+ 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtmled.dll
+ 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msrating.dll
+ 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mstime.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\occache.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\updspapi.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\url.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\webcheck.dll
+ 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
- 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:26:58 253,952 -c----w C:\WINDOWS\system32\dllcache\es.dll
- 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 16:57:27 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-04-22 07:40:18 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-06-23 09:20:52 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-24 16:43:16 74,240 -c----w C:\WINDOWS\system32\dllcache\mscms.dll
- 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-04-24 02:16:30 3,591,680 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-06-24 14:57:40 3,592,192 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-23 16:57:39 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-06-23 16:57:40 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-23 16:57:41 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-04-22 07:39:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2008-04-14 00:11:54 691,712 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 19:04:26 691,712 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-06-24 14:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-06-23 16:57:39 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-06-23 16:57:40 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ------w C:\WINDOWS\system32\pngfilt.dll
- 2008-03-27 10:40:24 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-07-11 12:42:28 62,976 ------w C:\WINDOWS\system32\tzchange.exe
- 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-09-19 10:36:08 960032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqx85.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-07-13 15:00 311350 C:\Program Files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-07-13 15:00 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-28 14:19 4841472 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2003-07-28 14:19 49152 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 14:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2001-05-31 22:32 224256 C:\WINDOWS\system32\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]
S0 Winqx85;Winqx85;C:\WINDOWS\system32\Drivers\Winqx85.sys []
S2 cdralw;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\3.tmp []
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-14 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/

O16 -: Microsoft XML Parser for Java - C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 10:44:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\3.tmp"
.
Completion time: 2008-08-14 10:47:07
ComboFix-quarantined-files.txt 2008-08-14 14:47:03
ComboFix2.txt 2008-08-13 05:02:05
ComboFix3.txt 2008-08-13 04:02:24
ComboFix4.txt 2008-08-13 03:42:02
ComboFix5.txt 2008-08-14 14:39:12

Pre-Run: 11,356,262,400 bytes free
Post-Run: 11,343,904,768 bytes free

334 --- E O F --- 2008-08-14 07:03:51


New DSS Log:

Deckard's System Scanner v20071014.68
Run by Villa on 2008-08-14 10:56:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Villa.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:37 AM, on 8/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Villa\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\Villa.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 2587 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-14 10:37:00 0 dr-h----- C:\Documents and Settings\Villa\Recent
2008-08-14 09:23:21 0 d-------- C:\Documents and Settings\Villa\Application Data\Help
2008-08-13 14:14:27 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-08-12 13:43:30 0 d-------- C:\VundoFix Backups
2008-08-12 13:00:32 68096 --a------ C:\WINDOWS\zip.exe
2008-08-12 13:00:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-12 13:00:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-12 13:00:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-12 13:00:32 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-12 13:00:32 98816 --a------ C:\WINDOWS\sed.exe
2008-08-12 13:00:32 80412 --a------ C:\WINDOWS\grep.exe
2008-08-12 13:00:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-12 12:39:09 0 d-------- C:\Program Files\Trend Micro
2008-08-12 12:23:50 0 d-------- C:\Program Files\Java
2008-08-12 12:23:33 0 d-------- C:\Program Files\Common Files\Java
2008-08-12 02:52:49 0 d-------- C:\Program Files\jv16 PowerTools
2008-08-11 12:30:20 0 d-------- C:\Program Files\Alwil Software
2008-08-10 20:44:40 0 d-------- C:\Program Files\Sophos
2008-08-09 22:23:27 0 d-------- C:\WINDOWS\ERUNT
2008-08-04 13:57:25 0 d-------- C:\Program Files\Yahoo!
2008-08-04 13:56:59 0 d-------- C:\Program Files\CCleaner
2008-08-04 12:26:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:33:20 0 d-------- C:\cmdcons
2008-08-01 15:40:23 0 d-------- C:\Documents and Settings\Villa\Application Data\Malwarebytes
2008-08-01 15:39:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 14:34:18 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-08-14 10:43:05 0 d-------- C:\Program Files\Common Files
2008-08-14 03:03:40 0 d-------- C:\Program Files\Messenger
2008-08-12 12:50:21 0 d-------- C:\Program Files\Hewlett-Packard
2008-08-04 14:40:32 0 d-------- C:\Program Files\Windows NT
2008-08-04 14:40:11 0 d-------- C:\Program Files\Movie Maker
2008-07-22 10:56:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 15:52:09 0 d-------- C:\Documents and Settings\Villa\Application Data\Template
2008-06-25 12:24:52 0 d-------- C:\Documents and Settings\Villa\Application Data\Adobe
2008-06-21 12:39:01 0 d-------- C:\Documents and Settings\Villa\Application Data\Macromedia
2008-06-20 15:09:45 68274 --a------ C:\WINDOWS\hpoins05.dat
2008-06-20 15:09:28 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-20 02:30:29 102859 --a------ C:\WINDOWS\HPFins09.dat
2008-06-20 02:29:53 0 d-------- C:\Program Files\HP
2008-06-19 18:06:17 0 d-------- C:\Program Files\Microsoft Works
2008-06-19 18:04:28 0 d-------- C:\Program Files\Microsoft.NET
2008-06-19 17:55:49 18283 -----n--- C:\WINDOWS\HPHins01.dat
2008-06-19 17:51:02 0 d-------- C:\Documents and Settings\Villa\Application Data\Share-to-Web Upload Folder
2008-06-19 17:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 17:44:47 0 d-------- C:\Documents and Settings\Villa\Application Data\Intuit
2008-06-19 17:44:29 0 d-------- C:\Program Files\Intuit
2008-06-19 17:36:13 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-19 17:32:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-19 17:28:46 0 d-------- C:\Program Files\MSXML 4.0
2008-06-19 02:50:11 0 d-------- C:\Documents and Settings\Villa\Application Data\TuneUp Software
2008-06-19 02:24:42 0 d-------- C:\Program Files\IObit
2008-06-19 02:23:31 0 d-------- C:\Documents and Settings\Villa\Application Data\Sun
2008-06-19 01:48:56 0 d-------- C:\Program Files\MSBuild
2008-06-19 01:48:26 0 d-------- C:\Program Files\Reference Assemblies
2008-06-18 20:19:34 0 d-------- C:\Program Files\COMPAQ
2008-06-18 20:17:12 0 d-------- C:\Program Files\Online Services
2008-06-18 20:10:29 0 d-------- C:\Program Files\Common Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [9/19/2006 10:36:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqx85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-08-14 10:57:07 ------------

AVZ html report attached...

#8 fenzodahl512

Posted 14 August 2008 - 10:41 AM

Erm.. DSS log looks very good.. Let's do this online...

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 bstrange

  • Topic Starter

Posted 14 August 2008 - 11:16 AM

On Kasperskys site and waiting for DLs to finish before scan. DL is taking very long, only at 68% of database and I started shortly after you posted. Guessing DL should finish within 15 mins or so and then we'll start the scan. Will post log as soon as it finishes.

#10 fenzodahl512

Posted 14 August 2008 - 11:27 AM

On Kasperskys site and waiting for DLs to finish before scan. DL is taking very long, only at 68% of database and I started shortly after you posted. Guessing DL should finish within 15 mins or so and then we'll start the scan. Will post log as soon as it finishes.


Don't worry.. I expect it to be several hours depending on your hard disk size.. will wait for the report :thumbsup:



#11 bstrange

  • Topic Starter

Posted 14 August 2008 - 07:23 PM

On Kasperskys site and waiting for DLs to finish before scan. DL is taking very long, only at 68% of database and I started shortly after you posted. Guessing DL should finish within 15 mins or so and then we'll start the scan. Will post log as soon as it finishes.


Don't worry.. I expect it to be several hours depending on your hard disk size.. will wait for the report :)


It's at 67% as of 8:23 PM :thumbsup:

It seems to be ticking away though...

#12 bstrange

  • Topic Starter

Posted 14 August 2008 - 09:53 PM

Wow, finally finished....

Here's the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 16:26:06
Records in database: 1093463
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 95601
Threat name: 12
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 08:26:11


File name / Threat name / Threats count
C:\Documents and Settings\Villa\Desktop\Home PC Patrol Remote Assistance.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Villa\Desktop\Logs\Infected With Spyware, Trojans, Malware, Vundo!.mht Infected: Trojan-Downloader.JS.Timul.cv 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Documents and Settings\User\Desktop\Home PC Patrol Remote Assistance.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\10.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\11.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\13.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\25.tmp Infected: Trojan.Win32.Pakes.cml 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\26.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\413.tmp Infected: Trojan-Downloader.Win32.Agent.fjf 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002087.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002088.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002089.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002090.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002091.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\A0002092.exe Infected: Trojan.Win32.Patched.aa 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\C.tmp Infected: Trojan.Win32.Agent.kli 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\D.tmp Infected: Trojan.Win32.Pakes.cml 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\E.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\F.tmp Infected: Trojan.Win32.Pakes.cml 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\grande48.sys Infected: Rootkit.Win32.Agent.aih 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\grande48_930.VIR Infected: Rootkit.Win32.Agent.aih 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\sockins32.dll Infected: not-a-virus:AdWare.Win32.BHO.aqo 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\sockots64.dll Infected: not-a-virus:AdWare.Win32.BHO.aqo 1
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV\wbk25.tmp Infected: Trojan-Downloader.JS.Timul.cv 1
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV\wbk29.tmp Infected: Trojan-Downloader.JS.Timul.cv 1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AclLayer.dll.vir Infected: Trojan-Downloader.Win32.Small.yhf 1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\DesktopWin.dll.vir Infected: Trojan-Downloader.Win32.Small.xwr 1
C:\QooBox\Quarantine\C\WINDOWS\temp\wmsetup.dll.vir Infected: Trojan-Downloader.Win32.Murlo.nn 1

The selected area was scanned.

The winvnc is a program one of our technicians uses btw....but not a necessity in keeping


BTW when I mentioned recurring files when combofix ran (prior to your help) at least one of the following was always present, sometimes all 3 (of course they were in C:\WINDOWS\AppPatch\ and \temp\, not their current location):
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AclLayer.dll.vir Infected: Trojan-Downloader.Win32.Small.yhf 1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\DesktopWin.dll.vir Infected: Trojan-Downloader.Win32.Small.xwr 1
C:\QooBox\Quarantine\C\WINDOWS\temp\wmsetup.dll.vir Infected: Trojan-Downloader.Win32.Murlo.nn 1

#13 bstrange

  • Topic Starter

Posted 15 August 2008 - 02:14 AM

Curiously, one of the viruses is 'in' a saved single web page that I had transferred over to that PC when I was trying to figure out this problem prior to requesting assistance. The virus path C:\Documents and Settings\Villa\Desktop\Logs\Infected With Spyware, Trojans, Malware, Vundo!.mht Infected: Trojan-Downloader.JS.Timul.cv 1 refers to a saved mht file from this website... does the virus scan read virus log reports etc. and interpret them as viruses, or did the virus infect it after I moved it to that computer, or is it simply a false report?

#14 fenzodahl512

Posted 15 August 2008 - 02:22 AM

Curiously, one of the viruses is 'in' a saved single web page that I had transferred over to that PC when I was trying to figure out this problem prior to requesting assistance. The virus path C:\Documents and Settings\Villa\Desktop\Logs\Infected With Spyware, Trojans, Malware, Vundo!.mht Infected: Trojan-Downloader.JS.Timul.cv 1 refers to a saved mht file from this website... does the virus scan read virus log reports etc. and interpret them as viruses, or did the virus infect it after I moved it to that computer, or is it simply a false report?


:thumbsup: I believe it is false positive... You can delete them though if you wish..


Please show hidden files and folders


Please delete this folder.. Then empty your Recycle Bin..

C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV



Then go to this folder and delete everything inside it.. Don't delete the folder itself.. Just leave it empty.. Remember to empty your Recycle Bin

C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine



Then post me a fresh DSS log for my review... :)

Edited by fenzodahl512, 15 August 2008 - 02:22 AM.

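The Kaspersky report in post #12 and the false-positive question in #13/#14, as an added triage example that is not part of the thread: it parses the report's `<path> Infected: <threat> <count>` lines, separates hits inside quarantine and backup trees (already neutralised by a removal tool) from hits in locations where the file could still run, and groups hits by threat name so one signature firing in both the saved .mht and the IE cache is visible at a glance. The sample lines are copied from the report above; the folder markers, category names and function names are my own.

```python
"""Triage helper for a Kaspersky Online Scanner 7 text report.

Added example (not from the thread): separates live detections from inert
copies sitting in quarantine or backup folders, and groups hits by threat.
"""
from collections import defaultdict
from dataclasses import dataclass

# Sample input constructed from lines in the report above; the header and
# trailer lines are kept so the parser has to skip non-detection lines.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\Villa\Desktop\Home PC Patrol Remote Assistance.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Villa\Desktop\Logs\Infected With Spyware, Trojans, Malware, Vundo!.mht Infected: Trojan-Downloader.JS.Timul.cv 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Documents and Settings\User\Desktop\Home PC Patrol Remote Assistance.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\10.tmp Infected: Backdoor.Win32.Agent.gau 1
C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine\grande48.sys Infected: Rootkit.Win32.Agent.aih 1
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV\wbk25.tmp Infected: Trojan-Downloader.JS.Timul.cv 1
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV\wbk29.tmp Infected: Trojan-Downloader.JS.Timul.cv 1
C:\QooBox\Quarantine\C\WINDOWS\AppPatch\AclLayer.dll.vir Infected: Trojan-Downloader.Win32.Small.yhf 1

The selected area was scanned.
"""

# Path fragments (my own choice) that mark an inert copy: a removal tool's
# quarantine (Trend Micro, ComboFix's QooBox, VundoFix) or a backup tree.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\", "\\vundofix backups\\")
BACKUP_MARKERS = (" backup\\", "\\backup\\")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int
    category: str  # "quarantine", "backup", "riskware" or "live"


def classify(path: str, threat: str) -> str:
    """Decide how urgent a detection is from where it sits and what it is."""
    low = path.lower()
    if any(m in low for m in QUARANTINE_MARKERS) or low.endswith(".vir"):
        return "quarantine"   # already neutralised by a removal tool
    if any(m in low for m in BACKUP_MARKERS):
        return "backup"       # copied aside by the user, but still on disk
    if threat.startswith("not-a-virus:"):
        return "riskware"     # legitimate tool flagged for its capabilities
    return "live"             # in a location where it could still execute


def parse_report(text: str) -> list[Detection]:
    """Pull `<path> Infected: <threat> <count>` lines out of the report."""
    found = []
    for line in text.splitlines():
        if " Infected: " not in line:
            continue  # header, blank and trailer lines
        path, rest = line.rsplit(" Infected: ", 1)
        threat, count = rest.rsplit(" ", 1)
        if not count.isdigit():
            continue
        found.append(Detection(path, threat, int(count), classify(path, threat)))
    return found


def by_category(dets: list[Detection]) -> dict[str, list[Detection]]:
    groups = defaultdict(list)
    for d in dets:
        groups[d.category].append(d)
    return dict(groups)


def by_threat(dets: list[Detection]) -> dict[str, list[str]]:
    """Map each threat name to the paths it fired on, so one signature
    hitting a saved web page and the browser cache shows up together."""
    groups = defaultdict(list)
    for d in dets:
        groups[d.threat].append(d.path)
    return dict(groups)


def live_paths(dets: list[Detection]) -> list[str]:
    """Paths that still need attention: live hits plus riskware outside backups."""
    return [d.path for d in dets if d.category in ("live", "riskware")]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for cat, items in sorted(by_category(dets).items()):
        print(f"{cat:>10}: {len(items)}")
    for threat, paths in by_threat(dets).items():
        if len(paths) > 1:
            print(f"repeat hit: {threat} at {len(paths)} paths")
    for path in live_paths(dets):
        print("  review:", path)
```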


#15 bstrange

  • Topic Starter

Posted 15 August 2008 - 03:10 AM

Ok this is kind of weird....

:) C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\HE8I55MV does not exist
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\Content.IE5\ does not exist
C:\Documents and Settings\Villa\Local Settings\Temporary Internet Files\ is already empty

There are also 2 folders within \Local Settings\, "Apps" and "temp" (unsure why "temp" does not have an uppercase 'T'), which seem abnormal.
To give an idea what is in the 2 folders I have copied some of their file trees:
C:\Documents and Settings\Villa\Local Settings\Apps\2.0\AAWHM3Q6.NTN

C:\Documents and Settings\Villa\Local Settings\temp\hsperfdata_Villa

C:\Documents and Settings\Villa\Local Settings\temp\jkos-Villa
C:\Documents and Settings\Villa\Local Settings\temp\jkos-Villa\binaries
C:\Documents and Settings\Villa\Local Settings\temp\jkos-Villa\engine
C:\Documents and Settings\Villa\Local Settings\temp\jkos-Villa\packages

C:\Documents and Settings\Villa\Local Settings\temp\KAV Updater update files

:) The contents of C:\Documents and Settings\Villa\Desktop\Villa Backup\Program Files\Trend Micro\Internet Security\Quarantine have been deleted and the recycle bin emptied.


:thumbsup: New DSS Log:

Deckard's System Scanner v20071014.68
Run by Villa on 2008-08-15 03:53:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Villa.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:51 AM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Villa\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\Villa.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2154702590-1180395095-3134616843-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2154702590-1180395095-3134616843-1003\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 3014 bytes

-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-15 03:53:28 0 dr-h----- C:\Documents and Settings\Villa\Recent
2008-08-14 09:23:21 0 d-------- C:\Documents and Settings\Villa\Application Data\Help
2008-08-13 14:14:27 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-08-12 13:43:30 0 d-------- C:\VundoFix Backups
2008-08-12 13:00:32 68096 --a------ C:\WINDOWS\zip.exe
2008-08-12 13:00:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-12 13:00:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-12 13:00:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-12 13:00:32 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-12 13:00:32 98816 --a------ C:\WINDOWS\sed.exe
2008-08-12 13:00:32 80412 --a------ C:\WINDOWS\grep.exe
2008-08-12 13:00:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-12 12:39:09 0 d-------- C:\Program Files\Trend Micro
2008-08-12 12:23:50 0 d-------- C:\Program Files\Java
2008-08-12 12:23:33 0 d-------- C:\Program Files\Common Files\Java
2008-08-12 02:52:49 0 d-------- C:\Program Files\jv16 PowerTools
2008-08-11 12:30:20 0 d-------- C:\Program Files\Alwil Software
2008-08-10 20:44:40 0 d-------- C:\Program Files\Sophos
2008-08-09 22:23:27 0 d-------- C:\WINDOWS\ERUNT
2008-08-04 13:57:25 0 d-------- C:\Program Files\Yahoo!
2008-08-04 13:56:59 0 d-------- C:\Program Files\CCleaner
2008-08-04 12:26:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:33:20 0 d-------- C:\cmdcons
2008-08-01 15:40:23 0 d-------- C:\Documents and Settings\Villa\Application Data\Malwarebytes
2008-08-01 15:39:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 14:34:18 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-08-14 10:43:05 0 d-------- C:\Program Files\Common Files
2008-08-14 03:03:40 0 d-------- C:\Program Files\Messenger
2008-08-12 12:50:21 0 d-------- C:\Program Files\Hewlett-Packard
2008-08-04 14:40:32 0 d-------- C:\Program Files\Windows NT
2008-08-04 14:40:11 0 d-------- C:\Program Files\Movie Maker
2008-07-22 10:56:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 15:52:09 0 d-------- C:\Documents and Settings\Villa\Application Data\Template
2008-06-25 12:24:52 0 d-------- C:\Documents and Settings\Villa\Application Data\Adobe
2008-06-21 12:39:01 0 d-------- C:\Documents and Settings\Villa\Application Data\Macromedia
2008-06-20 15:09:45 68274 --a------ C:\WINDOWS\hpoins05.dat
2008-06-20 15:09:28 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-20 02:30:29 102859 --a------ C:\WINDOWS\HPFins09.dat
2008-06-20 02:29:53 0 d-------- C:\Program Files\HP
2008-06-19 18:06:17 0 d-------- C:\Program Files\Microsoft Works
2008-06-19 18:04:28 0 d-------- C:\Program Files\Microsoft.NET
2008-06-19 17:55:49 18283 -----n--- C:\WINDOWS\HPHins01.dat
2008-06-19 17:51:02 0 d-------- C:\Documents and Settings\Villa\Application Data\Share-to-Web Upload Folder
2008-06-19 17:50:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 17:44:47 0 d-------- C:\Documents and Settings\Villa\Application Data\Intuit
2008-06-19 17:44:29 0 d-------- C:\Program Files\Intuit
2008-06-19 17:36:13 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-19 17:32:00 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-19 17:28:46 0 d-------- C:\Program Files\MSXML 4.0
2008-06-19 02:50:11 0 d-------- C:\Documents and Settings\Villa\Application Data\TuneUp Software
2008-06-19 02:24:42 0 d-------- C:\Program Files\IObit
2008-06-19 02:23:31 0 d-------- C:\Documents and Settings\Villa\Application Data\Sun
2008-06-19 01:48:56 0 d-------- C:\Program Files\MSBuild
2008-06-19 01:48:26 0 d-------- C:\Program Files\Reference Assemblies
2008-06-18 20:19:34 0 d-------- C:\Program Files\COMPAQ
2008-06-18 20:17:12 0 d-------- C:\Program Files\Online Services
2008-06-18 20:10:29 0 d-------- C:\Program Files\Common Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [9/19/2006 10:36:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqx85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pctspk"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-08-15 03:54:24 ------------



