Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware And Trojan Detected


  • This topic is locked This topic is locked
20 replies to this topic

#1 jasonTHX

jasonTHX

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 08 September 2008 - 09:08 AM

Hello,

I was unable to reply to a previous new post that I did, sorry for the reposting. Problems with misc. sounds and music for a couple of seconds and then a Spyware detected background (Windows Warning Message!). Ran Malwarebytes to get back up and running. Anyway, I then followed the Prep Guide, ran Ad-aware, spybot, Panda, ADVERT stinger and installed Zone Alarm.
Also unistalled CA anti-virus (outdated).

Here is the HijackThis Log:
_____________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:29 AM, on 9/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WRSHDNT\WRSHDNT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.com/Com...plateViewer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188418856109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} (EncryptedData Class) - http://salespoint.dealerconnection.com/Com...oldsCapicom.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Com...GridControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AcuConnect 7.2.0 on the default port (5632) (AcuConnect) - Acucorp, Inc. - C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Remote Shell Daemon - Denicomp Systems - C:\WRSHDNT\WRSHDNT.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7464 bytes

______________________________________
Should I remove the WildTangent dir and components?
BTB: This is not my PC. :thumbsup:
Thanks for the help in advance. Jason

BC AdBot (Login to Remove)

 


m

#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 15 September 2008 - 01:53 PM

Hello and welcome to BC


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
    Note: If you are using Windows Vista, right click at RSIT.exe and select 'Run as administrator'.

  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply please post back with the following reports:
  • RSIT log.txt
  • RSIT info.txt
  • Kaspersky report
Regards
SNOWHITE
Posted Image

#3 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 15 September 2008 - 04:47 PM

Thanks SNOWHITE,

Here are the reports:
_____________________________

Logfile of random's system information tool 1.01 (written by random/random)
Run by Administrator at 2008-09-15 16:28:32
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 14 GB (75%) free of 19 GB
Total RAM: 766 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:35 PM, on 9/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WRSHDNT\WRSHDNT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Administrator\Desktop\Tools\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.com/Com...plateViewer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188418856109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} (EncryptedData Class) - http://salespoint.dealerconnection.com/Com...oldsCapicom.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Com...GridControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AcuConnect 7.2.0 on the default port (5632) (AcuConnect) - Acucorp, Inc. - C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Remote Shell Daemon - Denicomp Systems - C:\WRSHDNT\WRSHDNT.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7353 bytes

Scheduled tasks folder

C:\WINNT\tasks\killapp.job
C:\WINNT\tasks\Symantec NetDetect.job

Registry dump

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2005-03-31 844560]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"IgfxTray"=C:\WINNT\system32\igfxtray.exe [2005-06-22 155648]
"HotKeysCmds"=C:\WINNT\system32\hkcmd.exe [2005-06-22 126976]
"POINTER"=point32.exe []
"DVDSentry"=C:\WINNT\System32\DSentry.exe [2002-08-14 28672]
"BO1HelperStartUp"=C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-09-12 98304]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-07 57344]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-08-09 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-08-09 81920]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"=C:\WINNT\system32\internat.exe [2001-05-08 20752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxsrvc.dll [2005-06-22 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
C:\WINNT\system32\PCANotify.dll [2002-02-15 24638]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

File associations

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

List of files/folders created in the last three months

2008-09-15 16:28:32 ----D---- C:\rsit
2008-09-08 09:53:19 ----D---- C:\Program Files\Trend Micro
2008-09-08 09:42:13 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-08 09:42:03 ----A---- C:\WINNT\zllsputility.exe
2008-09-08 09:42:03 ----A---- C:\WINNT\system32\SpOrder.dll
2008-09-08 09:41:56 ----A---- C:\WINNT\system32\vsregexp.dll
2008-09-08 09:41:56 ----A---- C:\WINNT\system32\libeay32_0.9.6l.dll
2008-09-08 09:41:55 ----A---- C:\WINNT\system32\zlcommdb.dll
2008-09-08 09:41:55 ----A---- C:\WINNT\system32\zlcomm.dll
2008-09-08 09:41:50 ----D---- C:\WINNT\system32\ZoneLabs
2008-09-08 09:41:50 ----A---- C:\WINNT\system32\zpeng24.dll
2008-09-08 09:41:50 ----A---- C:\WINNT\system32\vsxml.dll
2008-09-08 09:41:50 ----A---- C:\WINNT\system32\vswmi.dll
2008-09-08 09:41:50 ----A---- C:\WINNT\system32\vspubapi.dll
2008-09-08 09:41:50 ----A---- C:\WINNT\system32\vsmonapi.dll
2008-09-08 09:40:43 ----A---- C:\WINNT\system32\vsutil.dll
2008-09-08 09:40:43 ----A---- C:\WINNT\system32\vsinit.dll
2008-09-08 09:40:43 ----A---- C:\WINNT\system32\vsdata.dll
2008-09-08 09:31:42 ----D---- C:\Program Files\Zone Labs
2008-09-08 09:30:47 ----AD---- C:\WINNT\Internet Logs
2008-09-07 12:43:41 ----D---- C:\Program Files\Panda Security
2008-09-07 10:27:30 ----A---- C:\WINNT\wininit.ini
2008-09-07 09:38:54 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-07 09:38:54 ----AD---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-23 08:21:43 ----HDC---- C:\WINNT\$NtUninstallKB952954$
2008-08-23 08:21:36 ----HDC---- C:\WINNT\$NtUninstallKB953839$
2008-08-23 08:21:27 ----HDC---- C:\WINNT\$NtUninstallKB950974$
2008-08-23 08:21:09 ----HDC---- C:\WINNT\$NtUninstallKB953838-IE6SP1-20080620.120000$
2008-08-23 08:20:56 ----HDC---- C:\WINNT\$NtUninstallKB951066-OE6SP1-20080625.120000$
2008-08-23 08:19:41 ----HDC---- C:\WINNT\$NtUninstallKB951748$
2008-08-23 08:19:33 ----HDC---- C:\WINNT\$NtUninstallKB951698_DX9$
2008-08-23 08:19:21 ----HDC---- C:\WINNT\$NtUninstallKB950749$
2008-08-22 10:29:12 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-22 10:29:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-22 10:29:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 12:26:36 ----D---- C:\WINNT\ERDNT
2008-08-02 12:26:00 ----D---- C:\Deckard
2008-08-02 10:05:37 ----D---- C:\WINNT\Sun
2008-08-02 10:05:37 ----D---- C:\Documents and Settings\Administrator\Application Data\Sun
2008-08-02 10:04:46 ----A---- C:\WINNT\system32\javaws.exe
2008-08-02 10:04:46 ----A---- C:\WINNT\system32\javaw.exe
2008-08-02 10:04:46 ----A---- C:\WINNT\system32\java.exe
2008-08-02 10:03:21 ----D---- C:\Program Files\Java
2008-08-02 10:03:02 ----D---- C:\Program Files\Common Files\Java
2008-08-02 08:17:32 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 08:17:21 ----D---- C:\Program Files\Spyware Doctor
2008-08-02 08:17:21 ----D---- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-02 08:17:21 ----A---- C:\WINNT\system32\oleaccrc.dll
2008-08-02 08:17:21 ----A---- C:\WINNT\system32\oleacc.dll
2008-08-02 08:17:21 ----A---- C:\WINNT\system32\msaatext.dll
2008-08-01 17:01:52 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 17:01:21 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 10:16:27 ----D---- C:\Acucorp
2008-07-23 16:46:02 ----D---- C:\Acu
2008-07-10 06:00:14 ----A---- C:\WINNT\system32\es.dll
2008-07-02 15:50:42 ----D---- C:\Program Files\Coupons
2008-06-25 05:41:54 ----A---- C:\WINNT\system32\mswsock.dll
2008-06-25 05:41:54 ----A---- C:\WINNT\system32\msafd.dll
2008-06-25 05:41:54 ----A---- C:\WINNT\system32\dnsapi.dll
2008-06-20 10:59:20 ----A---- C:\WINNT\system32\BROWSEUI.DLL
2008-06-20 10:59:12 ----A---- C:\WINNT\system32\SHDOCVW.DLL
2008-06-20 10:59:04 ----A---- C:\WINNT\system32\SHLWAPI.DLL
2008-06-20 09:53:58 ----A---- C:\WINNT\system32\WININET.DLL
2008-06-20 09:53:52 ----A---- C:\WINNT\system32\URLMON.DLL
2008-06-20 09:53:34 ----A---- C:\WINNT\system32\IEPEERS.DLL
2008-06-20 09:53:30 ----A---- C:\WINNT\system32\MSHTML.DLL
2008-06-20 09:53:28 ----A---- C:\WINNT\system32\DXTMSFT.DLL
2008-06-20 09:53:26 ----A---- C:\WINNT\system32\DXTRANS.DLL

List of drivers

R1 AW_HOST;AW_HOST; C:\WINNT\system32\drivers\aw_host5.sys [2002-02-11 33496]
R1 awlegacy;awlegacy; C:\WINNT\System32\Drivers\awlegacy.sys [2000-09-11 10816]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2003-03-11 58000]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2003-03-11 23420]
R1 omci;OMCI WDM Device Driver; C:\WINNT\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 vsdatant;vsdatant; C:\WINNT\System32\vsdatant.sys [2008-07-09 394952]
R2 NetAlrt;NetAlrt; \??\C:\WINNT\System32\drivers\NetAlrt.sys []
R2 PlatAlrt;PlatAlrt; \??\C:\WINNT\System32\drivers\PlatAlrt.sys []
R2 usbhub;Dual-Mode DSC (Controller); C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 aeaudio;aeaudio; C:\WINNT\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 E1000;Intel® PRO/1000 Adapter Driver; C:\WINNT\System32\DRIVERS\e1000nt5.sys [2002-11-12 104224]
R3 ialm;ialm; C:\WINNT\System32\DRIVERS\ialmnt5.sys [2005-06-22 807998]
R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINNT\System32\DRIVERS\IPFilter.sys [2000-05-19 11504]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2002-05-28 500568]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\System32\DRIVERS\usbehci.sys [2003-06-19 19728]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\System32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINNT\system32\drivers\ialmsbw.sys [2003-01-14 108736]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINNT\system32\drivers\ialmkchw.sys [2003-01-14 78272]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\System32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 CO_Mon;CO_Mon; \??\C:\WINNT\system32\Drivers\CO_Mon.sys []
S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera); C:\WINNT\System32\Drivers\GT891x1.SYS [2001-12-11 314792]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver; C:\WINNT\System32\DRIVERS\el90xbc5.sys [1999-10-23 61712]
S3 GT890x;Dual-Mode DSC (Still Camera); C:\WINNT\System32\Drivers\GT890x.SYS [2001-07-05 18088]
S3 ichaud;Service for AC'97 Driver (WDM); C:\WINNT\system32\drivers\ichaud.sys [1999-10-22 32592]
S3 IKFileSec;File Security Driver; C:\WINNT\system32\drivers\ikfilesec.sys [2008-06-02 42376]
S3 IKSysFlt;System Filter Driver; C:\WINNT\system32\drivers\iksysflt.sys [2008-06-02 66952]
S3 IKSysSec;System Security Driver; C:\WINNT\system32\drivers\iksyssec.sys [2008-06-10 81288]
S3 MPE;BDA MPE Filter; C:\WINNT\System32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\System32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 NMSCFG;NIC Management Service Configuration Driver; \??\C:\WINNT\system32\drivers\NMSCFG.SYS []
S3 nv4;nv4; C:\WINNT\System32\DRIVERS\nv4.sys [1999-10-27 345040]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]

List of services

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-06 611664]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2002-05-08 212992]
R2 Iap;Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [2002-04-04 163840]
R2 LogWatch;Event Log Watch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINNT\System32\svchost.exe [2001-05-08 7952]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\System32\svchost.exe [2001-05-08 7952]
R2 Remote Shell Daemon;Remote Shell Daemon; C:\WRSHDNT\WRSHDNT.EXE [2000-04-18 203776]
R2 StiSvc;Still Image Service; C:\WINNT\system32\stisvc.exe [2003-06-19 61712]
S2 AcuConnect;AcuConnect 7.2.0 on the default port (5632); C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe [2006-06-13 94208]
S2 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2002-02-15 114749]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 CA_LIC_CLNT;CA License Client; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S3 CA_LIC_SRVR;CA License Server; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 NMSSvc;Intel® NMS; C:\WINNT\System32\NMSSvc.exe [2002-07-30 1118208]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-07-03 1073544]
S3 vsmon;TrueVector Internet Monitor; C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\System32\svchost.exe [2001-05-08 7952]

-----------------EOF-----------------

_______________________________________________

info.txt logfile of random's system information tool 1.01 2008-09-15 16:28:38

Uninstall list

123 Free Solitaire-->C:\PROGRA~1\123FRE~1\UNWISE.EXE C:\PROGRA~1\123FRE~1\INSTALL.LOG
32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
AcuCobolSetupAndDeploymentComp-->MsiExec.exe /I{B4678488-DC19-44FF-B8CA-673F9FECDBBD}
Acucorp v7.2.0-->C:\WINNT\uninst.exe -fC:\Acucorp\Acucbl720\DeIsL1.isu -c"C:\Acucorp\Acucbl720\uninst.dll
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0-->C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX-->C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ArcSoft PhotoImpression-->C:\WINNT\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
Cash Receipts-->MsiExec.exe /I{11B88B68-FF85-400B-8FCB-D27064A69D63}
CRViewer10.0.0.1-->MsiExec.exe /I{A5C5EB26-CA62-413B-8915-95A20CCAEC69}
Data Collection Module-->C:\Program Files\InstallShield Installation Information\{8EF6BC7D-AFCE-4C1E-86A8-87871E04BFD9}\setup.exe -runfromtemp -l0x0009 -removeonly
DDSApps-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{995F5FDF-2EEF-47C9-ABC3-C613207BA472}
DiMAGE Viewer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\Setup.exe" -l0x9 anything
DVDSentry-->MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
FreeZip-->rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\freezip.inf,Uninstall
GameShark DS Gamesaves-->"C:\Fire International\GamesharkDS\uninstall.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for MDAC 2.53 (KB911562)-->"C:\WINNT\$SQLUninstallMDAC25SP3-KB911562-x86-ENU$\spuninst\spuninst.exe"
Hotfix for MDAC 2.71 (KB927779)-->"C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$\spuninst\spuninst.exe"
ICE.TCP Pro-->C:\WINNT\IsUninst.exe -f"C:\Program Files\J River\ICETCP5\Uninst.isu"
Intel® Extreme Graphics Driver-->RUNDLL32.EXE C:\WINNT\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
Intel® PROSet II-->MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Intel® Pro Alerting Agent, Version 3.0.0-->MsiExec.exe /I{6797B492-3814-4129-AD07-C727D23FB5BF}
Intel® PRO Network Adapters WMI Provider (2.0)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C701994-43D2-4B7B-A548-C6E6C224D9A9}\setup.exe"
Internet Explorer Q903235-->C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KONICA_MINOLTA DiMAGE remote camera driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99E67091-D392-4031-AD2A-E9547F3615F8}\setup.exe" -l0x9
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework (English) v1.0.3705-->C:\WINNT\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework (English)-->MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework 1.0 Hotfix (KB928367)-->"C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft IntelliPoint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}\setup.exe" Uninstall
Microsoft Office 2000 Standard-->MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Live Meeting 2005-->MsiExec.exe /I{7228CB73-80E9-48D3-A7FD-C2A242686AB3}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
OMCI-->MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PrintKey2000-->C:\PROGRA~1\PRINTK~1\UNWISE.EXE C:\PROGRA~1\PRINTK~1\INSTALL.LOG
QuickTime-->C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
RealArcade-->C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
Scheduler-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{A29F5ABA-CDB7-44BA-9DB1-5DCBE7889949}
Security Update for DirectX 9 (KB941568)-->"C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for DirectX 9 (KB951698)-->"C:\WINNT\$NtUninstallKB951698_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706)-->"C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689)-->"C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINNT\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINNT\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINNT\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Shockwave-->C:\WINNT\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\SYSTEM32\Macromed\SHOCKW~1\Install.log
Snapshot-->MsiExec.exe /I{F35BEDD2-E4B3-4C81-8CEE-14BAE4C40BC6}
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec pcAnywhere-->MsiExec.exe /I{C05E8183-866A-11D3-97DF-0000F8D8F2E9}
Update Rollup 1 for Windows 2000 SP4-->"C:\WINNT\$NtUpdateRollupPackUninstall$\spuninst\spuninst.exe"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
ViviCam 30 and 40 and 50-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F05EA6DF-F2E9-4D13-8686-C365FF2B5073}\Setup.exe"
VX2 Cleaner plug-in for Ad-Aware SE-->C:\PROGRA~1\Lavasoft\Ad-Aware\Plugins\VX2CLE~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\Ad-Aware\Plugins\VX2CLE~1\INSTALL.LOG
WebEx-->C:\WINNT\DOWNLO~1\atcliun.exe
Windows 2000 Hotfix - KB834707-->C:\WINNT\$NtUninstallKB834707-IE6SP1-20040929.091901$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB883939-->"C:\WINNT\$NtUninstallKB883939-IE6SP1-20050428.125228$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB890046-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB893756-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB894320-->"C:\WINNT\$NtUninstallKB894320$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896358-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896422-->"C:\WINNT\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896423-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896424-->"C:\WINNT\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB897715-->"C:\WINNT\$NtUninstallKB897715-OE6SP1-20050503.210336$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899587-->"C:\WINNT\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899589-->"C:\WINNT\$NtUninstallKB899589$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB900725-->"C:\WINNT\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901017-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901214-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB902400-->"C:\WINNT\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB904368-->"C:\WINNT\$NtUninstallKB904368$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905414-->"C:\WINNT\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905495-->"C:\WINNT\$NtUninstallKB905495-IE6SP1-20050805.184113$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905749-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905915-->"C:\WINNT\$NtUninstallKB905915-IE6SP1-20051122.175908$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908519-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908523-->"C:\WINNT\$NtUninstallKB908523$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908531-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911280-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911567-->"C:\WINNT\$NtUninstallKB911567-OE6SP1-20060316.165634$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912812-->"C:\WINNT\$NtUninstallKB912812-IE6SP1-20060322.182418$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912919-->"C:\WINNT\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB913580-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914388-->"C:\WINNT\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914389-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB916281-->"C:\WINNT\$NtUninstallKB916281-IE6SP1-20060526.162249$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917008-->"C:\WINNT\$NtUninstallKB917008$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917159-->"C:\WINNT\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917422-->"C:\WINNT\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917537-->"C:\WINNT\$NtUninstallKB917537$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917736-->"C:\WINNT\$NtUninstallKB917736$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917953-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB918118-->"C:\WINNT\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920213-->"C:\WINNT\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920670-->"C:\WINNT\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920683-->"C:\WINNT\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920685-->"C:\WINNT\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920958-->"C:\WINNT\$NtUninstallKB920958$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921398-->"C:\WINNT\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921503-->"C:\WINNT\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922582-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922616-->"C:\WINNT\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922760-->"C:\WINNT\$NtUninstallKB922760-IE6SP1-20061018.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923191-->"C:\WINNT\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923414-->"C:\WINNT\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923694-->"C:\WINNT\$NtUninstallKB923694-OE6SP1-20061106.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923810-->"C:\WINNT\$NtUninstallKB923810$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923980-->"C:\WINNT\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924191-->"C:\WINNT\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924270-->"C:\WINNT\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924667-->"C:\WINNT\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925486-->"C:\WINNT\$NtUninstallKB925486-IE6SP1-20060918.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925902-->"C:\WINNT\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926122-->"C:\WINNT\$NtUninstallKB926122$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926436-->"C:\WINNT\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB927891-->"C:\WINNT\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928090-->"C:\WINNT\$NtUninstallKB928090-IE6SP1-20070125.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928843-->"C:\WINNT\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB929969-->"C:\WINNT\$NtUninstallKB929969-IE6SP1-20061220.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB930178-->"C:\WINNT\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB931784-->"C:\WINNT\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB932168-->"C:\WINNT\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB933566-->"C:\WINNT\$NtUninstallKB933566-IE6SP1-20070417.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB933729-->"C:\WINNT\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935839-->"C:\WINNT\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935840-->"C:\WINNT\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB936021-->"C:\WINNT\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB937143-->"C:\WINNT\$NtUninstallKB937143-IE6SP1-20070717.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB937894-->"C:\WINNT\$NtUninstallKB937894$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938127-->"C:\WINNT\$NtUninstallKB938127-IE6SP1-20070626.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938827-->"C:\WINNT\$NtUninstallKB938827$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938829-->"C:\WINNT\$NtUninstallKB938829$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB941202-->"C:\WINNT\$NtUninstallKB941202-OE6SP1-20070820.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB941644-->"C:\WINNT\$NtUninstallKB941644$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB941693-->"C:\WINNT\$NtUninstallKB941693$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB942615-->"C:\WINNT\$NtUninstallKB942615-IE6SP1-20071029.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943055-->"C:\WINNT\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943484-->"C:\WINNT\$NtUninstallKB943484$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943485-->"C:\WINNT\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB944338-->"C:\WINNT\$NtUninstallKB944338$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB944533-->"C:\WINNT\$NtUninstallKB944533-IE6SP1-20071210.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB945553-->"C:\WINNT\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB947864-->"C:\WINNT\$NtUninstallKB947864-IE6SP1-20080215.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB948590-->"C:\WINNT\$NtUninstallKB948590$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB948881-->"C:\WINNT\$NtUninstallKB948881-IE6SP1-20080313.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB950749-->"C:\WINNT\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB950974-->"C:\WINNT\$NtUninstallKB950974$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB951066-->"C:\WINNT\$NtUninstallKB951066-OE6SP1-20080625.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB951748-->"C:\WINNT\$NtUninstallKB951748$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB952954-->"C:\WINNT\$NtUninstallKB952954$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB953838-->"C:\WINNT\$NtUninstallKB953838-IE6SP1-20080620.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB953839-->"C:\WINNT\$NtUninstallKB953839$\spuninst\spuninst.exe"
Windows 2000 Hotfix (SP5) Q818043-->C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
Windows 2000 Service Pack 4-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player 9 Hotfix [See KB885492 for more information]-->C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player Hotfix [See KB837272 for more information]-->C:\WINNT\$NtUninstallKB837272$\spuninst\spuninst.exe
Windows Media Player Hotfix [See wm828026 for more information]-->C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
Windows Media Player system update (9 Series)-->C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Winsock RSHD/NT by Denicomp Systems-->C:\WRSHDNT\WRSHDUN.EXE
ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

Environment variables

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"tvdumpflags"=8

-----------------EOF-----------------

_____________________________________________________________

KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 15, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 15, 2008 20:55:44
Records in database: 1237511


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 42341
Threat name 10
Infected objects 11
Suspicious objects 0
Duration of the scan 00:57:15

File name Threat name Threats count
C:\WINNT\SYSTEM32\atsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ax 1

C:\WINNT\SYSTEM32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\WINNT\SYSTEM32\ceswxfst.sys Infected: Trojan-Clicker.Win32.VB.bjp 1

C:\WINNT\SYSTEM32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bft 1

C:\WINNT\SYSTEM32\edtxfst.sys Infected: Trojan-Clicker.Win32.VB.bof 1

C:\WINNT\SYSTEM32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\stsycod.sys Infected: Trojan.Win32.Delf.djl 1

C:\WINNT\SYSTEM32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\WINNT\SYSTEM32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dsu 1

C:\WINNT\SYSTEM32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

The selected area was scanned.
_____________________________________________________________________

Thanks in advance,
Jason

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 19 September 2008 - 10:52 AM

Hello jasonTHX :)

You have a nasty infection there :thumbsup:

There is a backdoor trojan and rootkits detected on your system. This gives hackers full access to everything stored on the computer!

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

More info can be found here:


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

If you want to proceed cleaning of the computer follow these steps:

We need to fix the SecurityProviders value. Download the attachment named SecurityProvidersFix.zip extract it to your Desktop and double-click the SecurityProvidersFix.exe file to run it.Attached File  SecurityProvidersFix.zip   11.34KB   9 downloads

NOTE: I see you have Malwarebytes' Anti-Malware installed on your computer, please make sure you have the latest version of it on your computer ! MBAM had a bug recently which caused the SecurityProviders value to be overwritten wrongly, however this has been fixed with latest updates, therefor if you are planning to use MBAM for scanning before performing scan, make sure you have updated to latest version !


Lets proceed with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
When the tool is finished, it will produce a report for you.

Next run scan with GMER:

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Important! Please do not select the "Show all" checkbox during the scan..


Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
GMER report


Let me know how the things will go.

Regards
SNOWHITE
Posted Image

#5 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 20 September 2008 - 05:13 PM

I'll work on this Sunday. Thanks.

#6 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 23 September 2008 - 09:49 AM

Sorry about the delay. I have been :thumbsup: sick

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 23 September 2008 - 12:07 PM

Hello,

Sorry about the delay. I have been :thumbsup: sick


I hope you are feeling all good now :)

Have you followed my instructions ? If so could you please post the reports ?

Best regards :)
SNOWHITE
Posted Image

#8 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 26 September 2008 - 05:14 PM

This Computer has Windows 2000 SP4 OS on it. The ComboFix guide does not say how to or even if I have Recover Console. Can I go ahead and run ComboFix anyway? TX Jason

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 27 September 2008 - 12:05 PM

This Computer has Windows 2000 SP4 OS on it. The ComboFix guide does not say how to or even if I have Recover Console. Can I go ahead and run ComboFix anyway? TX Jason

Hello jasonTHX :thumbsup:

Go ahead and run Combofix, skip RC instructions.

Regards
SNOWHITE
Posted Image

#10 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 27 September 2008 - 02:03 PM

OK, here we are. ComboFix, GMER report and HijackThis: Enjoy
Thanks
______________________________________________________________________

ComboFix 08-09-26.06 - Administrator 09/27/2008 13:31:54.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.609 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\fiuser\Cookies\fiuser@2o7[1].txt
C:\Documents and Settings\fiuser\Cookies\fiuser@advertising[1].txt
C:\Documents and Settings\fiuser\Cookies\fiuser@ehg-theactivenetwork.hitbox[2].txt
C:\Documents and Settings\fiuser\Cookies\fiuser@revsci[1].txt
C:\WINNT\Install.txt
C:\WINNT\system32\Install.txt
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\tmp0_352884335785.bk
C:\WINNT\system32\tmp0_611432821232.bk
C:\WINNT\system32\tmp1_2484875694.bk
C:\WINNT\system32\tmp1_518049399455.bk
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-24 14:52 . 08-09-24 14:52 197,976 -ra------ C:\WINNT\SYSTEM32\cpnprt2.cid
2008-09-15 16:28 . 08-09-15 16:28 <DIR> d-------- C:\rsit
2008-09-08 09:53 . 08-09-08 09:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 09:42 . 08-09-08 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-08 09:42 . 08-07-09 09:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-09-08 09:42 . 04-04-27 04:40 11,264 --a------ C:\WINNT\SYSTEM32\SpOrder.dll
2008-09-08 09:42 . 08-09-08 09:43 4,212 ---h----- C:\WINNT\SYSTEM32\zllictbl.dat
2008-09-08 09:31 . 08-09-08 09:31 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-08 09:30 . 08-09-12 09:38 <DIR> d-a------ C:\WINNT\Internet Logs
2008-09-07 12:43 . 08-09-07 12:43 <DIR> d-------- C:\Program Files\Panda Security
2008-09-07 12:43 . 08-06-19 17:24 28,544 --a------ C:\WINNT\SYSTEM32\DRIVERS\pavboot.sys
2008-09-07 10:27 . 08-09-07 10:27 84 --a------ C:\WINNT\wininit.ini
2008-09-07 09:38 . 08-09-10 08:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 09:38 . 08-09-10 08:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 20:17 --------- d-----w C:\Documents and Settings\fiuser\Application Data\webex
2008-09-24 18:52 --------- d-----w C:\Program Files\Coupons
2008-09-08 13:36 --------- d-----w C:\Program Files\CA
2008-09-06 13:51 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 04:16 38,528 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-02 04:16 17,200 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-08-22 18:13 --------- d-----w C:\Documents and Settings\fiuser\Application Data\Malwarebytes
2008-08-22 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-22 14:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-22 13:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 14:04 --------- d-----w C:\Program Files\Java
2008-08-02 14:03 --------- d-----w C:\Program Files\Common Files\Java
2008-08-02 12:18 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-02 12:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-01 21:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 21:02 --------- d-----w C:\Program Files\Lavasoft
2008-08-01 21:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-08-01 21:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-30 11:44 --------- d-----w C:\Documents and Settings\Default User\Application Data\AdobeUM
2002-03-12 16:53 271 ---ha-w C:\Program Files\DESKTOP.INI
2002-03-12 16:53 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [01-05-08 08:00 20752 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [05-06-22 00:48 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [05-06-22 00:44 126976]
"DVDSentry"="C:\WINNT\System32\DSentry.exe" [02-08-14 20:22 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-09-12 15:58 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [05-06-07 00:46 57344]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [04-08-09 07:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [04-08-09 07:03 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]
"internat.exe"="internat.exe" [01-05-08 08:00 20752 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2007-02-04 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
02-02-15 11:51 24638 C:\WINNT\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.GTCC"= GTCODEC.DLL

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [01-04-26 17:00 64418]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 13:11 11280]
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys [01-06-08 10:25 17258]
R0 pavboot;pavboot;C:\WINNT\system32\drivers\pavboot.sys [08-06-19 17:24 28544]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [02-05-08 11:51 212992]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 53248]
R2 NetAlrt;NetAlrt;C:\WINNT\System32\drivers\NetAlrt.sys [02-05-07 18:05 39680]
R2 PlatAlrt;PlatAlrt;C:\WINNT\System32\drivers\PlatAlrt.sys [02-05-07 18:06 23744]
R2 Remote Shell Daemon;Remote Shell Daemon;C:\WRSHDNT\WRSHDNT.EXE [00-04-18 00:10 203776]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 15:05 49776]
S2 AcuConnect;AcuConnect 7.2.0 on the default port (5632);C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe [06-06-13 11:01 94208]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [02-09-20 12:27 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [02-09-20 12:41 77824]
S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINNT\system32\Drivers\GT891x1.SYS [01-12-11 21:27 314792]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 14:22 61712]
S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINNT\system32\Drivers\GT890x.SYS [01-07-05 11:13 18088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BO1HelperStartUp - C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
O17 -: HKLM\CCS\Interface\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242

O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: PrintTemplateViewerCab - hxxp://salespoint.dealerconnection.com/Components/PrintTemplateViewer.cab
C:\WINNT\Downloaded Program Files\OSD108.OSD
C:\WINNT\Downloaded Program Files\PrintTemplateViewer.dll

O16 -: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} - hxxp://salespoint.dealerconnection.com/Components/ReynoldsCapicom.cab
C:\WINNT\Downloaded Program Files\ReynoldsCapicom.inf
C:\WINNT\Downloaded Program Files\capicom.dll

O16 -: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} - hxxp://salespoint.dealerconnection.com/Components/MPGridControl.cab
C:\WINNT\Downloaded Program Files\MPGridControl.inf
C:\WINNT\Downloaded Program Files\MPGridControl.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 13:39:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-27 13:42:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-27 17:42:21

Pre-Run: 14,841,376,256 bytes free
Post-Run: 15,129,416,704 bytes free

163

____________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:30 PM, on 9/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WRSHDNT\WRSHDNT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Desktop\Tools\gmer\gmer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.com/Com...plateViewer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188418856109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} (EncryptedData Class) - http://salespoint.dealerconnection.com/Com...oldsCapicom.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Com...GridControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AcuConnect 7.2.0 on the default port (5632) (AcuConnect) - Acucorp, Inc. - C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Remote Shell Daemon - Denicomp Systems - C:\WRSHDNT\WRSHDNT.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7294 bytes


______________________________________________________________

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-27 14:59:40
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB79CC930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xB79D7A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB79CCF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xB79D86E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xB79D8440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB79D88B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB79CCD70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB79D8CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB79D9080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB79CD120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB79D8140]

---- Kernel code sections - GMER 1.0.14 ----

? srescan.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B79E2330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B79CD670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B79CD5C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B79CD770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B79CD2D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1128] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- EOF - GMER 1.0.14 ----


__________________________________________________

Thanks again,
Jason :thumbsup:

#11 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 04 October 2008 - 07:29 PM

Hello jasonTHX,

Your reports are looking OK, except one suspicious folder and a file, otherwise looks good. How is the computer running ?


Anything you can tell me about this folder:
C:\Program Files\Coupons <-- ?

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\WINNT\SYSTEM32\cpnprt2.cid
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know about that folder, also how is the computer running. Re-run combofix and post back with new HJT log and combofix report and the OTMoveIt3 report. If combofix uninstall it self while trying to run it, please re-download it then run it again.

Regards
SNOWHITE
Posted Image

#12 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 05 October 2008 - 09:34 AM

Hello Snowhite,

That is an online coupon printing program (coupons.com). I thought that was a problem. Do you want me to unistall it?

Here are the results:

========== FILES ==========
C:\WINNT\SYSTEM32\cpnprt2.cid moved successfully.
File/Folder [EmptyTemp] not found.

OTMoveIt3 by OldTimer - Version 1.0.3.1 log created on 10052008_101402


__________________________________________________

ComboFix 08-10-04.07 - Administrator 10/05/2008 10:22:22.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.610 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Legacy_NOBICYT


((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-05 10:26 . 08-10-05 10:26 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_4a4.dat
2008-10-05 10:14 . 08-10-05 10:14 <DIR> d-------- C:\_OTMoveIt
2008-09-27 13:49 . 08-09-27 13:53 345 --a------ C:\WINNT\gmer.ini
2008-09-15 16:28 . 08-09-15 16:28 <DIR> d-------- C:\rsit
2008-09-08 09:53 . 08-09-08 09:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 09:42 . 08-09-08 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-08 09:42 . 08-07-09 09:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-09-08 09:42 . 04-04-27 04:40 11,264 --a------ C:\WINNT\SYSTEM32\SpOrder.dll
2008-09-08 09:42 . 08-09-08 09:43 4,212 ---h----- C:\WINNT\SYSTEM32\zllictbl.dat
2008-09-08 09:31 . 08-09-08 09:31 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-08 09:30 . 08-09-12 09:38 <DIR> d-a------ C:\WINNT\Internet Logs
2008-09-07 12:43 . 08-09-07 12:43 <DIR> d-------- C:\Program Files\Panda Security
2008-09-07 12:43 . 08-06-19 17:24 28,544 --a------ C:\WINNT\SYSTEM32\DRIVERS\pavboot.sys
2008-09-07 10:27 . 08-09-07 10:27 84 --a------ C:\WINNT\wininit.ini
2008-09-07 09:38 . 08-09-10 08:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-07 09:38 . 08-09-10 08:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 20:17 --------- d-----w C:\Documents and Settings\fiuser\Application Data\webex
2008-09-24 18:52 --------- d-----w C:\Program Files\Coupons
2008-09-08 13:36 --------- d-----w C:\Program Files\CA
2008-09-06 13:51 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-02 04:16 38,528 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-02 04:16 17,200 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-08-22 18:13 --------- d-----w C:\Documents and Settings\fiuser\Application Data\Malwarebytes
2008-08-22 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-22 14:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-22 13:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2002-03-12 16:53 271 ---ha-w C:\Program Files\DESKTOP.INI
2002-03-12 16:53 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
.

((((((((((((((((((((((((((((( snapshot@Sat 2008-09-27_13.42.02.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-27 17:49:02 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-18 01:13:02 811,008 ----a-w C:\WINNT\gmer.exe
+ 2008-09-27 17:49:02 85,969 ----a-w C:\WINNT\SYSTEM32\DRIVERS\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [01-05-08 08:00 20752 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [05-06-22 00:48 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [05-06-22 00:44 126976]
"DVDSentry"="C:\WINNT\System32\DSentry.exe" [02-08-14 20:22 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-09-12 15:58 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [05-06-07 00:46 57344]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [04-08-09 07:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [04-08-09 07:03 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\SYSTEM32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]
"internat.exe"="internat.exe" [01-05-08 08:00 20752 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 15:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2007-02-04 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
02-02-15 11:51 24638 C:\WINNT\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.GTCC"= GTCODEC.DLL

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [01-04-26 17:00 64418]
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys [99-09-25 13:11 11280]
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys [01-06-08 10:25 17258]
R0 pavboot;pavboot;C:\WINNT\system32\drivers\pavboot.sys [08-06-19 17:24 28544]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [02-05-08 11:51 212992]
R2 LogWatch;Event Log Watch;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [02-09-20 12:29 53248]
R2 NetAlrt;NetAlrt;C:\WINNT\System32\drivers\NetAlrt.sys [02-05-07 18:05 39680]
R2 PlatAlrt;PlatAlrt;C:\WINNT\System32\drivers\PlatAlrt.sys [02-05-07 18:06 23744]
R2 Remote Shell Daemon;Remote Shell Daemon;C:\WRSHDNT\WRSHDNT.EXE [00-04-18 00:10 203776]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 15:05 49776]
S2 AcuConnect;AcuConnect 7.2.0 on the default port (5632);C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe [06-06-13 11:01 94208]
S3 CA_LIC_CLNT;CA License Client;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [02-09-20 12:27 77824]
S3 CA_LIC_SRVR;CA License Server;C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [02-09-20 12:41 77824]
S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINNT\system32\Drivers\GT891x1.SYS [01-12-11 21:27 314792]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 14:22 61712]
S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINNT\system32\Drivers\GT890x.SYS [01-07-05 11:13 18088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2003-03-12 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [02-08-07 10:04 ]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
O17 -: HKLM\CCS\Interface\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242

O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: PrintTemplateViewerCab - hxxp://salespoint.dealerconnection.com/Components/PrintTemplateViewer.cab
C:\WINNT\Downloaded Program Files\OSD108.OSD
C:\WINNT\Downloaded Program Files\PrintTemplateViewer.dll

O16 -: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} - hxxp://salespoint.dealerconnection.com/Components/ReynoldsCapicom.cab
C:\WINNT\Downloaded Program Files\ReynoldsCapicom.inf
C:\WINNT\Downloaded Program Files\capicom.dll

O16 -: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} - hxxp://salespoint.dealerconnection.com/Components/MPGridControl.cab
C:\WINNT\Downloaded Program Files\MPGridControl.inf
C:\WINNT\Downloaded Program Files\MPGridControl.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 10:26:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-05 10:29:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 14:29:39
ComboFix2.txt 2008-09-27 17:42:27

Pre-Run: 15,070,130,688 bytes free
Post-Run: 15,126,064,128 bytes free

141

_______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:08 AM, on 10/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WRSHDNT\WRSHDNT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.com/Com...plateViewer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188418856109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} (EncryptedData Class) - http://salespoint.dealerconnection.com/Com...oldsCapicom.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Com...GridControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AcuConnect 7.2.0 on the default port (5632) (AcuConnect) - Acucorp, Inc. - C:\Acucorp\Acucbl720\AcuGT\BIN\acurcl.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Remote Shell Daemon - Denicomp Systems - C:\WRSHDNT\WRSHDNT.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7491 bytes


Thanks again,
Jason

#13 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 12 October 2008 - 11:27 AM

Hello jasonTHX,

That is an online coupon printing program (coupons.com). I thought that was a problem. Do you want me to unistall it?


It is classified as adware so it is better that you get rid of it. Uninstall it from add/remove programs then delete this folder:

C:\Program Files\Coupons <--


Start OTMoveIt3, click on the CleanUp! button.

Let me know how is the computer running, the reports look OK.

Also please re-run Kaspersky online scan :

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post and fresh HijackThis report.

Regards
SNOWHITE
Posted Image

#14 jasonTHX

jasonTHX
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:04:06 PM

Posted 14 October 2008 - 03:50 PM

Hi Snowhite,

Things are running smoothly. No strange sounds coming from the speakers. No weird stuff reported. :thumbsup: I removed the coupon program. Here is the Kaspersky log:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 14, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 14, 2008 10:36:49
Records in database: 1310847


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 38732
Threat name 11
Infected objects 12
Suspicious objects 0
Duration of the scan 00:54:45

File name Threat name Threats count
C:\WINNT\SYSTEM32\atsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ax 1

C:\WINNT\SYSTEM32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\WINNT\SYSTEM32\ceswxfst.sys Infected: Trojan-Clicker.Win32.VB.bjp 1

C:\WINNT\SYSTEM32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bft 1

C:\WINNT\SYSTEM32\edtxfst.sys Infected: Trojan-Clicker.Win32.VB.bof 1

C:\WINNT\SYSTEM32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\stsycod.sys Infected: Trojan.Win32.Delf.djl 1

C:\WINNT\SYSTEM32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\WINNT\SYSTEM32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dsu 1

C:\WINNT\SYSTEM32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

C:\WINNT\SYSTEM32\sytsyctd.sys Infected: Trojan.Win32.Delf.fdg 1

The selected area was scanned.


Thanks,
Jason

#15 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:06 PM

Posted 15 October 2008 - 02:58 AM

Hello jasonTHX,


Download this program:

suspicious files packer

Highlight the files listed below in bold and right-click and selecting copy.

C:\WINNT\SYSTEM32\atsck.exe
C:\WINNT\SYSTEM32\axtpsck.exe
C:\WINNT\SYSTEM32\ceswxfst.sys
C:\WINNT\SYSTEM32\cexwxfst.sys
C:\WINNT\SYSTEM32\edtxfst.sys
C:\WINNT\SYSTEM32\mtsycod.sys
C:\WINNT\SYSTEM32\ntscpd.sys
C:\WINNT\SYSTEM32\stsycod.sys
C:\WINNT\SYSTEM32\swand.sys
C:\WINNT\SYSTEM32\sxtsyctd.sys
C:\WINNT\SYSTEM32\sxwand.sys
C:\WINNT\SYSTEM32\sytsyctd.sys


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to jasonTHX.cab

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then Browse for this filename: jasonTHX.cab
Click on the Send File button.

Wait for message like "File was successfully submitted" to show up.

Thank you!

Next,

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\WINNT\SYSTEM32\atsck.exe
    C:\WINNT\SYSTEM32\axtpsck.exe
    C:\WINNT\SYSTEM32\ceswxfst.sys
    C:\WINNT\SYSTEM32\cexwxfst.sys
    C:\WINNT\SYSTEM32\edtxfst.sys
    C:\WINNT\SYSTEM32\mtsycod.sys
    C:\WINNT\SYSTEM32\ntscpd.sys
    C:\WINNT\SYSTEM32\stsycod.sys
    C:\WINNT\SYSTEM32\swand.sys
    C:\WINNT\SYSTEM32\sxtsyctd.sys
    C:\WINNT\SYSTEM32\sxwand.sys
    C:\WINNT\SYSTEM32\sytsyctd.sys
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run online scan with the ESET Online Scanner
Note: You need to use Internet Explorer
  • Place a checkmark at the box next to YES, I accept the Terms of Use.
  • Click on the Start button.
  • Allow the ActiveX control to install.
  • Click on the Start button.
  • Place a checkmark next to Remove found threats and Scan unwanted applications, then click on Scan
  • When the scan is done close the Internet Explorer.
  • Click Start>Run, into the Run box paste this filepath:

    • C:\Program Files\EsetOnlineScanner\log.txt
  • Press OK button.
  • The report from the scan will be opened in Notepad, copy and paste the results as a reply to this topic.
In your next post include OTMoveIt3 report, Eset Online Scanner report and fresh HijackThis log.


Regards
SNOWHITE
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users