Type_Win32 Virus and SWP2009 Demo running


This topic is locked
26 replies to this topic

#1 JimmyS

  • Members
  • 21 posts

Posted 07 February 2009 - 08:49 AM

PC is a Dell desktop. Using Windows XP. I use ZoneAlarm virus protection and firewall. On 2/4/09 I started getting messages that my PC was under attack. (attack from 103.212.29.67, port 37870, attacked port 56778, threat Win32/Nuqel.E). My virus protection started doing scans and finding and quarantining viruses. Then a big white box blocked the middle of my screen. My browser (Firefox) started launching new windows to websites I never heard of. About one window every minute. And there is a program called SWP2009 Demo running and I can't kill it.

I updated my Spybot Search and Destroy and ran a scan; it found and disabled hundreds of threats. After reboot I can't get on-line anymore, still have SWP2009 running, and still have white box blocking screen. I ran ZoneAlarm virus scan again, it picked up and resolved 119 threats. (Type_Win32 115 times and Worm.Win32.AutoRun.yvq 4 times).

So now, PC is still a mess. Can't get on-line (DSL connection is valid as I am on-line with my laptop right now), still have SWP2009 running, and still have white box blocking screen. Threat box still shows my ports are under attack. (shows threats either BankerFox.A or Win32/Nuqel.E).


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jim at 8:12:06.00 on Sat 02/07/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.446 [GMT -5:00]

AV: ZoneAlarm Anti-virus Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Anti-virus Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\TEMP\winlognn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Documents and Settings\Jim\Desktop\dds.scr
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoflt07.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://dsl.sbc.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://dsl.sbc.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\jim\iub.exe \s
BHO: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\ycomp5_6_2_0.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Encarta &Researcher: {9455301c-cf6b-11d3-a266-00c04f689c50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [Yahoo! Pager] 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\jim\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [A00F350428E6.exe] c:\docume~1\jim\locals~1\temp\_A00F350428E6.exe
uRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
uRun: [sysguard] c:\windows\sysguard.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\jim\locals~1\temp\csrssc.exe
uRun: [svschost.exe] c:\windows\system32\svschost.exe -check
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
mRun: [Jdowalafun] rundll32.exe "c:\windows\Skofipota.dll",e
dRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
dRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\webshots.lnk - c:\internet\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet v series\bin\hpoant07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {9455301C-CF6B-11D3-A266-00C04F689C50} - {9455301C-CF6B-11D3-A266-00C04F689C50} - c:\program files\common files\microsoft shared\reference 2001\EROProj.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} - hxxp://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - c:\program files\common files\microsoft shared\reference 2001\msero.dll
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - c:\program files\common files\microsoft shared\reference 2001\MSREF.DLL
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: cllwcv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJCTKAp

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\0ptjhr6j.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://dsl.sbc.yahoo.com/
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\0ptjhr6j.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\evernote\evernote3\fftbclipper\components\enbar3.dll
FF - plugin: c:\documents and settings\jim\application data\mozilla\firefox\profiles\0ptjhr6j.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\jim\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-11-13 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-11-13 353680]
S3 znzolsgh;znzolsgh;\??\c:\windows\system32\drivers\znzolsgh.sys --> c:\windows\system32\drivers\znzolsgh.sys [?]

=============== Created Last 30 ================

2009-02-05 21:53 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-05 21:52 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-05 21:52 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-05 21:52 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-04 20:25 44 a------- c:\windows\system32\52.tmp
2009-02-04 19:14 616 a------- c:\windows\system32\1B.tmp
2009-02-04 19:13 44 a------- c:\windows\system32\12.tmp
2009-02-04 09:22 32,256 a---h--- c:\documents and settings\jim\iub.exe
2009-02-04 09:22 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-04 09:20 96,256 a------- c:\windows\system32\CDMODE.dll
2009-02-04 07:48 55 a------- C:\xcrashdump.dat
2009-02-04 07:46 39,936 a------- c:\windows\Skofipota.dll
2009-02-04 03:36 15,000 a------- c:\windows\system32\hs78k4rgf4d.dll
2009-02-04 01:37 9,216 a------- c:\windows\system32\iehelper.dll
2009-02-04 01:17 397,828 a------- c:\windows\sysguard.exe
2009-02-04 01:16 39,936 a------- C:\nwurjr.exe
2009-02-04 01:16 21,504 a------- C:\ywdhlny.exe
2009-02-04 01:16 2 a------- C:\-1192488682
2009-02-04 01:16 15,000 a------- c:\windows\system32\_hsfd83jfdg.dll
2009-02-03 14:29 72,704 a------- c:\windows\system32\mvsnldqn.dll
2009-02-03 14:26 129,024 a------- c:\windows\system32\cllwcv.dll
2009-02-03 14:26 129,024 a------- c:\windows\system32\gpvahfmc.dll
2009-02-02 14:32 129,024 a------- c:\windows\system32\swqcye.dll
2009-02-02 14:32 129,024 a------- c:\windows\system32\tgskxniq.dll
2009-02-02 14:26 75,776 a------- c:\windows\system32\kdlvgngp.dll
2009-02-01 14:26 75,776 a------- c:\windows\system32\pvpbaqeq.dll
2009-01-31 14:29 75,776 a------- c:\windows\system32\wdnpeuqw.dll
2009-01-31 14:26 129,024 a------- c:\windows\system32\ayhjjf.dll
2009-01-31 14:26 129,024 a------- c:\windows\system32\baumhqwp.dll
2009-01-31 14:23 315,904 a------- c:\windows\system32\mlJCTKAp.dll.vir
2009-01-31 14:17 36,352 a------- c:\windows\system32\vtUkjGwX.dll
2009-01-31 14:17 36,352 a------- c:\windows\system32\ssqrqOig.dll
2009-01-28 21:16 <DIR> --d----- c:\program files\Evernote

==================== Find3M ====================

2009-02-07 08:12 246,595,360 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-05 22:52 3,302,948 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-04 10:03 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-25 15:28 4,096 a------- c:\windows\d3dx.dat
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-05-10 19:23 0 a------- c:\program files\temp01
2005-11-28 22:31 369,734 a--sh--- c:\windows\system32\sttss.ini2

============= FINISH: 8:14:42.28 ===============
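The DDS report above is what the helpers in this thread read by eye to spot persistence: Run values with random names pointing into temp directories, a second program chained onto Winlogon's Userinit, an AppInit_DLLs entry, and an extra LSA authentication package. As an added example that is not part of the thread or of DDS/MBAM, the following Python script applies those same defender-side heuristics to DDS-style "Pseudo HJT Report" lines. The sample lines are constructed from entries in the post; the thresholds, the system-process look-alike list and the trusted-directory list are my own assumptions, not anything the tools themselves implement.

```python
import re

# Constructed sample lines modelled on the DDS "Pseudo HJT Report" entries
# in the post above (not parsed from the page; values copied by hand).
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\jim\iub.exe \s
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
uRun: [sysguard] c:\windows\sysguard.exe
uRun: [svschost.exe] c:\windows\system32\svschost.exe -check
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Jdowalafun] rundll32.exe "c:\windows\Skofipota.dll",e
dRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
AppInit_DLLs: cllwcv.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJCTKAp
"""

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed lists: process names malware likes to imitate, and directories
# from which a rundll32-loaded DLL is considered unremarkable.
SYSTEM_NAMES = ("svchost", "csrss", "winlogon", "lsass", "explorer", "services", "smss")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def levenshtein(a, b):
    """Edit distance, used to spot look-alikes of Windows process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name):
    """Long, vowel-poor value names are a weak indicator (threshold is assumed)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 10 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(name) < 0.25


def first_path(cmd):
    """Return the executable a Run entry launches, or the DLL if it is rundll32."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not m:
        return cmd.lower()
    path = m.group(1) or m.group(2)
    if path.lower().endswith("rundll32.exe"):
        rest = cmd[m.end():].strip()
        m2 = re.match(r'"([^"]+)"|([^,]+)', rest)
        path = (m2.group(1) or m2.group(2)) if m2 else rest
    return path.lower()


def flags_for_run(name, cmd):
    """Heuristics for one uRun/mRun/dRun line; returns a list of reasons."""
    reasons = []
    path = first_path(cmd)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\temp\\" in path:
        reasons.append("launched from a temp directory")
    if looks_random(name):
        reasons.append("random-looking Run value name")
    for sysname in SYSTEM_NAMES:
        if stem != sysname and levenshtein(stem, sysname) <= 1:
            reasons.append(f"look-alike of system process {sysname}.exe")
            break
    if path.endswith(".dll") and not path.startswith(TRUSTED_DIRS):
        reasons.append("rundll32 loading a DLL outside system32/Program Files")
    return reasons


def triage(report):
    """Return [(line, [reasons])] for every report line that trips a heuristic."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        m = RUN_RE.match(line)
        if m:
            reasons = flags_for_run(m["name"], m["cmd"])
        elif line.startswith("mWinlogon: Userinit="):
            parts = [p.strip() for p in line.split("=", 1)[1].split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:
                reasons.append("extra program chained after userinit.exe: " + ", ".join(extra))
        elif line.startswith("AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs injects a DLL into every GUI process")
        elif line.startswith("LSA: Authentication Packages"):
            unknown = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            if unknown:
                reasons.append("unexpected LSA authentication package: " + ", ".join(unknown))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_REPORT):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

These heuristics are a screening aid, not a verdict: in the sample, sysguard.exe has a plain name and a plain path and trips none of them, and only the scanner signatures later in the thread identify it. Conversely a flagged entry still needs a look at the file itself before anything is removed.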



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 February 2009 - 06:25 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 JimmyS

  • Topic Starter
  • Members
  • 21 posts

Posted 10 February 2009 - 10:50 PM

Malwarebytes log: Note: Can't get computer on-line so I wasn't able to update before running scan.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/10/2009 10:26:38 PM
mbam-log-2009-02-10 (22-26-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181022
Time elapsed: 3 hour(s), 39 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 45

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ce70731d-f28d-4d81-9d61-c8ee60378401} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{978d570e-a338-40dd-b1ee-c4cfa583e78a} (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdowalafun (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f350428e6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svschost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Starware325 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\contexts (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0418994.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0419968.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0419999.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0421002.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1832\A0421334.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1833\A0421426.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1833\A0421451.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1833\A0421465.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1834\A0421484.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1834\A0422062.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1834\A0423338.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1835\A0423366.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1835\A0423380.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\newssearchicon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\newssearchiconxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\newssearchiconxp_over.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\newssearchicon_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\starware_toolbar_icon.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware325\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\Skofipota.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\winlognn.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\CDMODE.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssqrqOig.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vtUkjGwX.dll (Trojan.vundo) -> Quarantined and deleted successfully.

#4 JimmyS

  • Topic Starter
  • Members
  • 21 posts

Posted 10 February 2009 - 10:52 PM

RSIT LOG

Logfile of random's system information tool 1.05 (written by random/random)
Run by Jim at 2009-02-10 22:37:41
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 7 GB (9%) free of 76 GB
Total RAM: 1023 MB (50% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-324172146-558341521-2801709385-1007.job
C:\WINDOWS\tasks\Scan for Viruses.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Companion - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll [2005-04-22 328275]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 143360]
"DVDSentry"=C:\WINDOWS\System32\DSentry.exe [2003-08-13 49152]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-08-26 225280]
"diagent"=C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe [2002-04-03 155744]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 131072]
"ADUserMon"=C:\Program Files\Iomega\AutoDisk\ADUserMon.exe [2002-09-24 167936]
"Iomega Drive Icons"=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe [2002-08-13 106496]
"Deskup"=C:\Program Files\Iomega\DriveIcons\deskup.exe [2002-07-16 53248]
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [2006-10-12 401408]
"YOP"=C:\PROGRA~1\Yahoo!\YOP\yop.exe [2005-04-22 417792]
"WD Button Manager"=C:\WINDOWS\system32\WDBtnMgr.exe [2006-09-15 356352]
"SetIcon"=\Program Files\WDC\SetIcon.exe [2004-04-28 59392]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-05-17 185896]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 36864]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 143421]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2007-11-15 202544]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-10-01 111936]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-10-09 981904]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 434176]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"= []
"Yahoo! Pager"=1 []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1712128]
"DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2007-11-15 202544]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"Google Update"=C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 133104]
"tezrtsjhfr84iusjfo84f"=C:\DOCUME~1\Jim\LOCALS~1\Temp\csrssc.exe []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe
HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Documents and Settings\Jim\Start Menu\Programs\Startup
Webshots.lnk - C:\Internet\Webshots\Launcher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cllwcv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\mlJCTKAp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2009-02-10 22:37:42 ----D---- C:\Program Files\trend micro
2009-02-10 22:37:41 ----D---- C:\rsit
2009-02-10 18:09:54 ----D---- C:\Documents and Settings\Jim\Application Data\Malwarebytes
2009-02-10 18:09:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-10 18:09:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-05 21:53:01 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-05 21:52:59 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-02-05 21:52:59 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-02-05 21:52:58 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-02-04 20:25:43 ----A---- C:\WINDOWS\system32\52.tmp
2009-02-04 19:14:17 ----A---- C:\WINDOWS\system32\1B.tmp
2009-02-04 19:13:56 ----A---- C:\WINDOWS\system32\12.tmp
2009-02-04 03:36:17 ----A---- C:\WINDOWS\system32\hs78k4rgf4d.dll
2009-02-04 01:16:52 ----A---- C:\nwurjr.exe
2009-02-04 01:16:42 ----A---- C:\ywdhlny.exe
2009-02-04 01:16:06 ----A---- C:\WINDOWS\system32\_hsfd83jfdg.dll
2009-02-03 14:29:12 ----A---- C:\WINDOWS\system32\mvsnldqn.dll
2009-02-03 14:26:13 ----A---- C:\WINDOWS\system32\cllwcv.dll
2009-02-03 14:26:12 ----A---- C:\WINDOWS\system32\gpvahfmc.dll
2009-02-02 14:32:16 ----A---- C:\WINDOWS\system32\swqcye.dll
2009-02-02 14:32:12 ----A---- C:\WINDOWS\system32\tgskxniq.dll
2009-02-02 14:26:12 ----A---- C:\WINDOWS\system32\kdlvgngp.dll
2009-02-01 14:26:12 ----A---- C:\WINDOWS\system32\pvpbaqeq.dll
2009-01-31 14:29:12 ----A---- C:\WINDOWS\system32\wdnpeuqw.dll
2009-01-31 14:26:13 ----A---- C:\WINDOWS\system32\ayhjjf.dll
2009-01-31 14:26:12 ----A---- C:\WINDOWS\system32\baumhqwp.dll
2009-01-31 14:23:53 ----A---- C:\WINDOWS\system32\b3cfd5c7-.txt
2009-01-31 14:23:04 ----A---- C:\WINDOWS\system32\mlJCTKAp.dll.vir
2009-01-28 21:16:45 ----D---- C:\Program Files\Evernote
2009-01-14 09:19:16 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2008-12-30 04:40:00 ----D---- C:\Program Files\Bonjour
2008-12-28 22:39:36 ----D---- C:\Program Files\Coupons
2008-12-26 09:18:17 ----D---- C:\Documents and Settings\Jim\Application Data\Big Fish Games
2008-12-25 15:28:26 ----D---- C:\Documents and Settings\Jim\Application Data\Wildfire
2008-12-24 22:31:24 ----D---- C:\Documents and Settings\All Users\Application Data\Friends Games
2008-12-24 21:10:28 ----D---- C:\Program Files\AOL Games
2008-12-18 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-12 11:18:16 ----A---- C:\WINDOWS\system32\dns-sd.exe
2008-12-12 11:11:46 ----A---- C:\WINDOWS\system32\dnssd.dll
2008-12-10 03:02:36 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 03:02:09 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-10 03:01:30 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 03:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 03:00:59 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-24 23:12:33 ----D---- C:\Program Files\iTunes
2008-11-24 23:12:33 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-22 12:29:17 ----D---- C:\Program Files\Shockwave.com
2008-11-13 21:38:57 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2008-11-13 21:38:57 ----A---- C:\WINDOWS\system32\zlcomm.dll
2008-11-13 21:38:52 ----A---- C:\WINDOWS\system32\vswmi.dll
2008-11-13 21:38:51 ----A---- C:\WINDOWS\system32\zpeng25.dll
2008-11-13 21:38:51 ----A---- C:\WINDOWS\system32\vspubapi.dll
2008-11-13 21:38:51 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2008-11-13 21:38:50 ----A---- C:\WINDOWS\system32\vsdata.dll
2008-11-13 21:36:22 ----A---- C:\WINDOWS\system32\vsutil.dll
2008-11-13 21:36:22 ----A---- C:\WINDOWS\system32\vsinit.dll
2008-11-13 03:02:56 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-13 03:02:46 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-13 03:02:29 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 3 months======

2009-02-10 22:37:42 ----RD---- C:\Program Files
2009-02-10 22:34:46 ----AD---- C:\WINDOWS\Temp
2009-02-10 22:32:18 ----D---- C:\WINDOWS\Prefetch
2009-02-10 22:31:12 ----D---- C:\WINDOWS\Internet Logs
2009-02-10 22:31:11 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-10 22:29:57 ----AH---- C:\WINDOWS\system32\FFASTLOG.TXT
2009-02-10 22:29:15 ----A---- C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
2009-02-10 22:28:33 ----D---- C:\WINDOWS
2009-02-10 22:28:31 ----D---- C:\WINDOWS\system32\DRIVERS
2009-02-10 22:28:31 ----D---- C:\WINDOWS\SYSTEM32
2009-02-10 22:27:50 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-07 21:14:54 ----D---- C:\Program Files\Mozilla Firefox
2009-02-07 08:12:59 ----D---- C:\Documents and Settings\All Users\Application Data\Retrospect
2009-02-05 22:30:30 ----D---- C:\WINDOWS\system32\WBEM
2009-02-05 22:28:31 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-02-05 22:23:10 ----HDC---- C:\WINDOWS\$NtUninstallQ810833$
2009-02-05 22:22:46 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2009-02-05 22:21:45 ----HDC---- C:\WINDOWS\$NtUninstallKB828741$
2009-02-05 22:21:41 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-02-05 22:18:04 ----D---- C:\Program Files\Windows Media Player
2009-02-05 22:15:40 ----D---- C:\Program Files\Modem Helper
2009-02-05 22:10:23 ----D---- C:\I386
2009-02-05 21:53:36 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-05 21:53:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 21:52:48 ----HD---- C:\WINDOWS\INF
2009-02-04 22:02:00 ----SD---- C:\WINDOWS\Tasks
2009-02-04 22:01:56 ----A---- C:\WINDOWS\wininit.ini
2009-02-04 20:35:39 ----A---- C:\rollback.ini
2009-02-04 09:22:20 ----D---- C:\WINDOWS\Minidump
2009-02-04 07:48:14 ----SHD---- C:\WINDOWS\Installer
2009-02-04 07:48:13 ----SHD---- C:\Config.Msi
2009-02-04 07:48:00 ----A---- C:\WINDOWS\OEWABLog.txt
2009-02-02 21:52:30 ----D---- C:\Program Files\Mozilla Thunderbird
2009-01-28 21:16:44 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-16 08:45:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-01-15 23:05:04 ----D---- C:\Program Files\Spirit Of Wandering The Legend
2009-01-15 22:23:36 ----D---- C:\Documents and Settings
2009-01-14 09:18:12 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-13 19:35:21 ----D---- C:\Program Files\Oberon Media
2009-01-09 20:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-08 21:37:40 ----HD---- C:\Documents and Settings\Jim\Application Data\Move Networks
2008-12-25 15:28:13 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-18 03:01:34 ----A---- C:\WINDOWS\imsins.BAK
2008-12-15 22:02:49 ----SD---- C:\Documents and Settings\Jim\Application Data\Microsoft
2008-12-12 12:01:00 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-11-24 23:12:49 ----D---- C:\Program Files\iPod
2008-11-24 23:12:47 ----D---- C:\Program Files\Common Files\Apple
2008-11-24 23:06:39 ----D---- C:\Program Files\QuickTime
2008-11-24 22:41:13 ----D---- C:\Program Files\Safari
2008-11-15 04:13:27 ----D---- C:\WINDOWS\Help
2008-11-13 21:43:14 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-11-13 21:36:21 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2008-09-18 148496]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-10-09 353680]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2004-01-23 8413]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2008-04-13 206976]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
R3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
R3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-17 23808]
R3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 P16X;Creative SB Live! Series (WDM); C:\WINDOWS\system32\drivers\P16X.sys [2003-08-14 1296384]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-04 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-04 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-04 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-04 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-04 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-04 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-04 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-04 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-04 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-04 23615]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Passthru;Service; C:\WINDOWS\system32\DRIVERS\ndisio.sys []
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCAMPR5.SYS []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 znzolsgh;znzolsgh; \??\C:\WINDOWS\System32\Drivers\znzolsgh.sys []
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 _IOMEGA_ACTIVE_DISK_SERVICE_;Iomega Active Disk; C:\Program Files\Iomega\AutoDisk\ADService.exe [2002-09-24 172032]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [1999-12-13 60928]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 94208]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 180292]
R2 RetroLauncher;Retrospect Launcher; C:\Program Files\Dantz\Retrospect\retrorun.exe [2003-11-12 69632]
R2 RetroWDSvc;Retrospect WD Service; C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe [2003-12-10 63488]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 202544]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45132]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe [2008-10-09 2405776]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 284672]
S2 Retrospect Helper;Retrospect Helper; C:\Program Files\Dantz\Retrospect\rthlpsvc.exe [2003-11-12 131072]
S2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 90112]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [2003-03-03 163840]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 930304]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------

#5 JimmyS

  • Topic Starter
  • Members
  • 21 posts

Posted 10 February 2009 - 10:54 PM

RSIT Info

info.txt logfile of random's system information tool 1.05 2009-02-10 22:37:49

======Uninstall list======

-->"C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
-->"C:\Program Files\SBC Yahoo!\umuninst.exe" /S
-->C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->MsiExec.exe /X{48FCCE4F-9D37-41BA-92C1-17BF5CFAA347}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Abandon Loader 0.8c-->"C:\Program Files\Abandon Loader\uninstall.exe"
Active Disk-->C:\WINDOWS\unvise32.exe C:\Program Files\Iomega\AutoDisk\uninstal.log
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AnswerWorks 4.0 Runtime - English-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AT&T Self Support Tool-->C:\WINDOWS\Motive\SBC\MCCUninst.exe
Azada (remove only)-->"C:\Program Files\AOL Games\Azada\Uninstall.exe"
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Big Fish Games Client-->C:\Program Files\bfgclient\Uninstall.exe
Big Kahuna Reef 2 - Chain Reaction (remove only)-->"C:\Program Files\AOL Games\Big Kahuna Reef 2 - Chain Reaction\Uninstall.exe"
Big Kahuna Reef 2 - Chain Reaction-->"C:\Program Files\Big Kahuna Reef 2\ReflexiveArcade\unins000.exe"
Big Kahuna Reef-->"C:\Program Files\Big Kahuna Reef\ReflexiveArcade\unins000.exe"
Big Kahuna Reef-->"C:\Program Files\Oberon Media\Big Kahuna Reef\Uninstall.exe" "C:\Program Files\Oberon Media\Big Kahuna Reef\install.log"
Big Kahuna Reef-->C:\PROGRA~1\SHOCKW~1.COM\BIGKAH~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\BIGKAH~1\INSTALL.LOG
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Buildalot-->"C:\Program Files\Buildalot\ReflexiveArcade\unins000.exe"
Cate West The Vanishing Files-->"C:\Program Files\Cate West The Vanishing Files\ReflexiveArcade\unins000.exe"
Civilization III: Conquests-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F31BC49F-AB7B-4A53-A399-EB7331B585BC}\setup.exe" -l0x9
Civilization III-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}\setup.exe"
CleanUp!-->C:\Program Files\CleanUp!\uninstall.exe
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell Digital Jukebox Driver-->C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support Center-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Drivers Install For Linksys Easylink Advisor-->MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
DS21Patch-->MsiExec.exe /I{9B79DCB0-AAD7-456B-8D07-433C936FA24B}
DVDSentry-->MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
ebgcInfra-->MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes-->MsiExec.exe /X{27A9932D-5D1C-4690-B64A-93E2581EBE83}
ebgcSDK-->MsiExec.exe /X{28E7B64D-150F-4A9E-B7A3-5A6AC8C2F822}
Evernote-->C:\Program Files\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe -runfromtemp -l0x0009 -removeonly
FoxyTunes for Firefox-->"C:\PROGRA~1\Mozilla Firefox\firefox.exe" -chrome chrome://foxytunes/content/extras/uninstallExtension.xul
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1-->C:\Program Files\HijackThis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp officejet v series-->C:\WINDOWS\System32\hpocon09.exe /u 1077371052 /d "hp officejet v series"
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
Intel® PROSet-->MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
IomegaWare 4.0.2-->C:\WINDOWS\unvise32.exe C:\Program Files\Iomega\uninstal.log
iPod for Windows 2006-03-23-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iPod Updater 2004-11-15-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Jasc Paint Shop Photo Album-->MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition-->MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Linksys EasyLink Advisor 1.6 (0032)-->rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
Magic Ball 2-->"C:\Program Files\Oberon Media\Magic Ball 2\Uninstall.exe" "C:\Program Files\Oberon Media\Magic Ball 2\install.log"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2004-->MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Encarta Interactive World Atlas 2001-->MsiExec.exe /I{02001201-5D65-445A-B3B4-3DCE72BA0C6C}
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Office 97, Professional Edition-->C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MobileMe Control Panel-->MsiExec.exe /I{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.19)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OverDrive Media Console-->MsiExec.exe /I{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6}
Panzer General 2-->C:\WINDOWS\uninst.exe -fC:\Panzer2\DeIsL1.isu
People's General-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SSI\People's General\Uninst.isu"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Retrospect 6.5-->MsiExec.exe /I{73B69C5C-87D6-471E-B695-0BD736C4B644}
Safari-->MsiExec.exe /I{582D2A53-F426-4C5E-A2E6-43C1AB36B907}
Savings Bond Wizard-->C:\WINDOWS\unvise32.exe C:\Program Files\Savings Bond Wizard\uninstal.log
SBC Yahoo! Applications-->C:\PROGRA~1\Yahoo!\Common\uninstall.exe
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sid Meier's Civilization 4 Gold-->C:\Program Files\InstallShield Installation Information\{55502C49-F061-428C-BF26-06ECDFB3AC29}\setup.exe -runfromtemp -l0x0009 -removeonly
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sound Blaster Live!-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Steel Panthers III-->C:\WINDOWS\uninst.exe -fc:\games\steel3\DeIsL1.isu
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Top Ten Solitaire-->"C:\Program Files\Oberon Media\Top Ten Solitaire\Uninstall.exe" "C:\Program Files\Oberon Media\Top Ten Solitaire\install.log"
Tumblebugs-->C:\PROGRA~1\AOLGAM~1\TUMBLE~1\UNWISE.EXE /U C:\PROGRA~1\AOLGAM~1\TUMBLE~1\INSTALL.LOG
TurboTax Basic 2006-->C:\Program Files\TurboTax\Basic 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2006\Uninstall.log" -NoGui
TurboTax Basic 2007-->C:\Program Files\TurboTax\Basic 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2007\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005-->MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006-->MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
VDMSound 2.0.4-->MsiExec.exe /I{8ECBE643-8230-11D5-9D6B-00A024112F81}
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
WD Media Center Driver-->MsiExec.exe /X{3F70FB44-FD00-4ED2-9154-661AA9DB0B28}
Webshots Desktop-->C:\Internet\Webshots\UNWISE.EXE C:\Internet\Webshots\INSTALL.LOG
WexTech AnswerWorks-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
ZoneAlarm Anti-virus-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Zuma Deluxe-->"C:\Program Files\Oberon Media\Zuma Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Zuma Deluxe\install.log"
Zuma® Deluxe-->C:\PROGRA~1\SHOCKW~1.COM\ZUMADE~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\ZUMADE~1\INSTALL.LOG

=====HijackThis Backups=====

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

======Hosts File======

127.0.0.1 localhost
195.245.119.131 browser-security.microsoft.com

======Security center information======

AV: ZoneAlarm Anti-virus Antivirus
FW: ZoneAlarm Anti-virus Firewall

System event log

Computer Name: DHDKW441
Event Code: 7036
Message: The Network Connections service entered the running state.

Record Number: 35293
Source Name: Service Control Manager
Time Written: 20080612031207.000000-240
Event Type: information
User:

Computer Name: DHDKW441
Event Code: 7035
Message: The Network Connections service was successfully sent a start control.

Record Number: 35292
Source Name: Service Control Manager
Time Written: 20080612031207.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DHDKW441
Event Code: 7036
Message: The Terminal Services service entered the running state.

Record Number: 35291
Source Name: Service Control Manager
Time Written: 20080612031203.000000-240
Event Type: information
User:

Computer Name: DHDKW441
Event Code: 7035
Message: The Terminal Services service was successfully sent a start control.

Record Number: 35290
Source Name: Service Control Manager
Time Written: 20080612031203.000000-240
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DHDKW441
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 35289
Source Name: Service Control Manager
Time Written: 20080612031138.000000-240
Event Type: information
User:

Application event log

Computer Name: DHDKW441
Event Code: 5000
Message:
Record Number: 9125
Source Name: McLogEvent
Time Written: 20060118171806.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DHDKW441
Event Code: 5000
Message:
Record Number: 9124
Source Name: McLogEvent
Time Written: 20060117184730.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DHDKW441
Event Code: 5000
Message:
Record Number: 9123
Source Name: McLogEvent
Time Written: 20060116151154.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DHDKW441
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 9122
Source Name: SecurityCenter
Time Written: 20060114080532.000000-300
Event Type: information
User:

Computer Name: DHDKW441
Event Code: 105
Message:
Record Number: 9121
Source Name: WMDM PMSP Service
Time Written: 20060114080531.000000-300
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%VDMSPath%;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"VDMSPath"=C:\Program Files\VDMSound\
"tvdumpflags"=8
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip

-----------------EOF-----------------

#6 JimmyS

JimmyS
  • Topic Starter

  • Members
  • 21 posts

Posted 10 February 2009 - 10:57 PM

GMER results

GMER will not run. I get a Windows error: "gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 10 February 2009 - 11:14 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 JimmyS

JimmyS
  • Topic Starter

  • Members
  • 21 posts

Posted 10 February 2009 - 11:45 PM

I wasn't able to install the Recovery Console because I needed to get on-line for that (and I can't). Here is the ComboFix log report. Which file do I run for the HijackThis log?

ComboFix 09-02-10.01 - Jim 2009-02-10 23:23:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.631 [GMT -5:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Anti-virus Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_hsfd83jfdg.dll
c:\windows\system32\ayhjjf.dll
c:\windows\system32\baumhqwp.dll
c:\windows\system32\cllwcv.dll
c:\windows\system32\gpvahfmc.dll
c:\windows\system32\hs78k4rgf4d.dll
c:\windows\system32\kdlvgngp.dll
c:\windows\system32\mlJCTKAp.dll.vir
c:\windows\system32\pvpbaqeq.dll
c:\windows\system32\sttss.ini
c:\windows\SYSTEM32\sttss.ini2
c:\windows\system32\swqcye.dll
c:\windows\system32\tgskxniq.dll
c:\windows\system32\wdnpeuqw.dll
c:\windows\winhelp.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 22:37 . 2009-02-10 22:37 <DIR> d-------- C:\rsit
2009-02-10 22:37 . 2009-02-10 22:37 <DIR> d-------- c:\program files\trend micro
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\documents and settings\Jim\Application Data\Malwarebytes
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 18:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-10 18:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-05 21:53 . 2009-02-05 21:53 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:53 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-02-04 20:25 . 2009-02-04 20:25 44 --a------ c:\windows\SYSTEM32\52.tmp
2009-02-04 19:14 . 2009-02-04 19:14 616 --a------ c:\windows\SYSTEM32\1B.tmp
2009-02-04 19:13 . 2009-02-04 19:14 44 --a------ c:\windows\SYSTEM32\12.tmp
2009-02-04 09:22 . 2009-02-04 09:22 66,560 ---h----- c:\windows\SYSTEM32\secupdat.dat
2009-02-04 09:22 . 2009-02-04 09:22 32,256 --ah----- c:\documents and settings\Jim\iub.exe
2009-02-04 01:16 . 2009-02-04 01:16 39,936 --a------ C:\nwurjr.exe
2009-02-04 01:16 . 2009-02-04 01:16 21,504 --a------ C:\ywdhlny.exe
2009-02-04 01:16 . 2009-02-04 01:16 2 --a------ C:\-1192488682
2009-02-03 14:29 . 2009-02-03 14:29 72,704 --a------ c:\windows\SYSTEM32\mvsnldqn.dll
2009-01-28 21:16 . 2009-01-28 21:16 <DIR> d-------- c:\program files\Evernote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 04:38 304,166,944 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-11 04:29 4,071,140 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-07 13:12 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2009-02-06 03:15 --------- d-----w c:\program files\Modem Helper
2009-02-06 02:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-06 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-04 17:57 5,099,520 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-02-04 17:57 2,692,608 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-03 02:52 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-29 02:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 13:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 04:08 --------- d-----w c:\program files\AOL Games
2009-01-16 04:05 --------- d-----w c:\program files\Spirit Of Wandering The Legend
2009-01-14 00:35 --------- d-----w c:\program files\Oberon Media
2009-01-09 02:37 --------- d--h--w c:\documents and settings\Jim\Application Data\Move Networks
2008-12-31 00:14 --------- d-----w c:\program files\Shockwave.com
2008-12-30 09:40 --------- d-----w c:\program files\Bonjour
2008-12-29 03:39 --------- d-----w c:\program files\Coupons
2008-12-26 14:18 --------- d-----w c:\documents and settings\Jim\Application Data\Big Fish Games
2008-12-26 13:57 --------- d-----w c:\documents and settings\Jim\Application Data\Wildfire
2008-12-25 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\Friends Games
2008-12-12 20:40 2,032,640 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-12 17:01 3,067,904 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\SYSTEM32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\SYSTEM32\dnssd.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-10 12:30 26,725,865 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-14 00:08 472,064 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-05-11 00:23 0 ----a-w c:\program files\temp01
2000-06-05 22:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
.

------- Sigcheck -------

2008-04-13 19:12 1050624 35e67476064aeddc493c397a04038788 c:\windows\explorer.exe
2007-06-13 06:26 1050112 7864af514605b8f2e27d365fe1fdaf98 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050112 a9c099ec5d3818174b714eb73934ad2e c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:56 1049088 c1bbb328b00113127478f514bc762bf0 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 7071384859450b11e1352820ce914035 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:56 32256 38f97dab4c44da45eb1433cf53dc987a c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32256 a9c92b7bdc3e8e1cd5bc1800afaf93ef c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32256 29e5ad4d2c96516d2cbc512f9f33eca4 c:\windows\SYSTEM32\ctfmon.exe

2005-06-10 19:17 74752 89bf2677b036c3ffaf2c270fc6331e39 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 74752 7621d727823fc5a88bdc7333eed44c74 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:56 74752 3fb072a416f13ce7aa5a68f2972dfc7d c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 74752 0835d12af6cd21282aaade95b54b6a2a c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 74752 b88d729570e4313e7c1586af8f0df115 c:\windows\SYSTEM32\spoolsv.exe

2004-08-04 02:56 41472 f22593fd7a9a294eeec9e4e925cbb115 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 293216c0d87433c34f2ec1203ae8a1ea c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 e2d2045f3c3320e6faf6c71a04f8da34 c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1712128]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-01 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 49152]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 225280]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 155744]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 131072]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 167936]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 106496]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 53248]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-10-12 401408]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-04-22 417792]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-04-28 59392]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-17 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 36864]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 143421]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-09-15 c:\windows\SYSTEM32\WDBtnMgr.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Webshots.lnk - c:\internet\Webshots\Launcher.exe [2004-01-19 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 46592]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-02-19 237568]
HPAiODevice(hp officejet v series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 507967]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 128272]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-11 68880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cllwcv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 45132]
S3 znzolsgh;znzolsgh;\??\c:\windows\System32\Drivers\znzolsgh.sys --> c:\windows\System32\Drivers\znzolsgh.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-324172146-558341521-2801709385-1007.job
- c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 21:15]

2009-02-02 c:\windows\Tasks\Scan for Viruses.job
- c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
HKU-Default-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe
HKU-Default-Run-tezrtsjhfr84iusjfo84f - c:\windows\TEMP\csrssc.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://dsl.sbc.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://dsl.sbc.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542}
DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} - hxxp://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://dsl.sbc.yahoo.com/
FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - plugin: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 23:30:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\progra~1\Iomega\System32\AppServices.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\WDC\SetIcon.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\webshots.scr
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\SYSTEM32\hpoipm07.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-02-10 23:43:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 04:43:13

Pre-Run: 11,320,311,808 bytes free
Post-Run: 11,388,792,832 bytes free

267 --- E O F --- 2009-01-14 14:19:25

#9 fenzodahl512

Posted 11 February 2009 - 12:13 AM

I wasn't able to install the Recovery Console because I needed to get on-line for that (and I can't)


What do you mean you can't?



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
znzolsgh

File::
c:\windows\SYSTEM32\52.tmp
c:\windows\SYSTEM32\1B.tmp
c:\windows\SYSTEM32\12.tmp
c:\windows\SYSTEM32\secupdat.dat
c:\documents and settings\Jim\iub.exe
C:\nwurjr.exe
C:\ywdhlny.exe
C:\-1192488682
c:\windows\SYSTEM32\mvsnldqn.dll
c:\windows\System32\Drivers\znzolsgh.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#10 JimmyS (Topic Starter)

Posted 11 February 2009 - 08:51 PM

Thanks very much for working with me on this problem.

The infected PC will not connect to the internet; I'm getting a connection error message from my SBC self support tool. I was planning to call SBC on this but thought I should resolve the virus problem first. So, I've been using a different PC to connect to the internet, communicate with you, and download the files. I use a flash drive to transfer those files over to the problem PC and run them. So that's what I mean when I say I can't get on-line. (Note, my internet connection is fine -- it's what I'm using right now. It's just the problem PC that I can't get to go on-line).

So, I did the CFScript update of ComboFix and below is new report.

I'll post the HijackThis log in another post, coming in a minute.
-------------------------------------------------------------------------------

ComboFix 09-02-10.01 - Jim 2009-02-11 20:26:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.592 [GMT -5:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Anti-virus Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-1192488682
c:\documents and settings\Jim\iub.exe
C:\nwurjr.exe
c:\windows\SYSTEM32\12.tmp
c:\windows\SYSTEM32\1B.tmp
c:\windows\SYSTEM32\52.tmp
c:\windows\System32\Drivers\znzolsgh.sys
c:\windows\SYSTEM32\mvsnldqn.dll
c:\windows\SYSTEM32\secupdat.dat
C:\ywdhlny.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1192488682
c:\documents and settings\Jim\iub.exe
C:\nwurjr.exe
c:\windows\SYSTEM32\12.tmp
c:\windows\SYSTEM32\1B.tmp
c:\windows\SYSTEM32\52.tmp
c:\windows\SYSTEM32\mvsnldqn.dll
c:\windows\SYSTEM32\secupdat.dat
C:\ywdhlny.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_znzolsgh


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-10 22:37 . 2009-02-10 22:37 <DIR> d-------- C:\rsit
2009-02-10 22:37 . 2009-02-10 22:37 <DIR> d-------- c:\program files\trend micro
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\documents and settings\Jim\Application Data\Malwarebytes
2009-02-10 18:09 . 2009-02-10 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-10 18:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-10 18:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-05 21:53 . 2009-02-05 21:53 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:52 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:53 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-02-05 21:52 . 2009-02-05 21:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-28 21:16 . 2009-01-28 21:16 <DIR> d-------- c:\program files\Evernote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 01:42 306,575,392 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-12 01:32 4,103,684 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-07 13:12 --------- d-----w c:\documents and settings\All Users\Application Data\Retrospect
2009-02-06 03:15 --------- d-----w c:\program files\Modem Helper
2009-02-06 02:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-06 02:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-04 17:57 5,099,520 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-02-04 17:57 2,692,608 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-03 02:52 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-29 02:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-16 13:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 04:08 --------- d-----w c:\program files\AOL Games
2009-01-16 04:05 --------- d-----w c:\program files\Spirit Of Wandering The Legend
2009-01-14 00:35 --------- d-----w c:\program files\Oberon Media
2009-01-09 02:37 --------- d--h--w c:\documents and settings\Jim\Application Data\Move Networks
2008-12-31 00:14 --------- d-----w c:\program files\Shockwave.com
2008-12-30 09:40 --------- d-----w c:\program files\Bonjour
2008-12-29 03:39 --------- d-----w c:\program files\Coupons
2008-12-26 14:18 --------- d-----w c:\documents and settings\Jim\Application Data\Big Fish Games
2008-12-26 13:57 --------- d-----w c:\documents and settings\Jim\Application Data\Wildfire
2008-12-25 03:31 --------- d-----w c:\documents and settings\All Users\Application Data\Friends Games
2008-12-12 20:40 2,032,640 ----a-w c:\windows\Internet Logs\xDBB.tmp
2008-12-12 17:01 3,067,904 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\SYSTEM32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\SYSTEM32\dnssd.dll
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-12-10 12:30 26,725,865 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-14 00:08 472,064 ----a-w c:\windows\Internet Logs\xDB1.tmp
2008-05-11 00:23 0 ----a-w c:\program files\temp01
2000-06-05 22:47 32,768 ----a-w c:\program files\mozilla firefox\plugins\AppSub32.dll
.

------- Sigcheck -------

2008-04-13 19:12 1050624 35e67476064aeddc493c397a04038788 c:\windows\explorer.exe
2007-06-13 06:26 1050112 7864af514605b8f2e27d365fe1fdaf98 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050112 a9c099ec5d3818174b714eb73934ad2e c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:56 1049088 c1bbb328b00113127478f514bc762bf0 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1050624 7071384859450b11e1352820ce914035 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:56 32256 38f97dab4c44da45eb1433cf53dc987a c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32256 a9c92b7bdc3e8e1cd5bc1800afaf93ef c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32256 29e5ad4d2c96516d2cbc512f9f33eca4 c:\windows\SYSTEM32\ctfmon.exe

2005-06-10 19:17 74752 89bf2677b036c3ffaf2c270fc6331e39 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 74752 7621d727823fc5a88bdc7333eed44c74 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:56 74752 3fb072a416f13ce7aa5a68f2972dfc7d c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 74752 0835d12af6cd21282aaade95b54b6a2a c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 74752 b88d729570e4313e7c1586af8f0df115 c:\windows\SYSTEM32\spoolsv.exe

2004-08-04 02:56 41472 f22593fd7a9a294eeec9e4e925cbb115 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 293216c0d87433c34f2ec1203ae8a1ea c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 e2d2045f3c3320e6faf6c71a04f8da34 c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-10_23.42.09.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 183,808 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2009-02-11 04:30:02 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2009-02-12 01:32:49 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2009-02-11 04:30:02 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-12 01:32:49 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-11 04:30:02 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-12 01:32:49 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-11 04:39:07 691,864 ----a-w c:\windows\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-02-12 01:34:16 691,864 ----a-w c:\windows\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-02-11 02:08:04 28,292,096 ----a-w c:\windows\SYSTEM32\ZoneLabs\zlqrtdb.dat
+ 2009-02-11 08:11:45 28,684,800 ----a-w c:\windows\SYSTEM32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1712128]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-01 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 49152]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 225280]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 155744]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 131072]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 167936]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 106496]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 53248]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-10-12 401408]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-04-22 417792]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-04-28 59392]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-17 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 36864]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 143421]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-09-15 c:\windows\SYSTEM32\WDBtnMgr.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Webshots.lnk - c:\internet\Webshots\Launcher.exe [2004-01-19 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 46592]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2005-02-19 237568]
HPAiODevice(hp officejet v series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 507967]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 128272]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-11 68880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 45132]
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-324172146-558341521-2801709385-1007.job
- c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 21:15]

2009-02-02 c:\windows\Tasks\Scan for Viruses.job
- c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://dsl.sbc.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://dsl.sbc.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542}
DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} - hxxp://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://dsl.sbc.yahoo.com/
FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\Evernote\Evernote3\FfTbClipper\components\enbar3.dll
FF - plugin: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\0ptjhr6j.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Jim\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NpIpx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 20:33:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTsvcCDA.EXE
c:\progra~1\Iomega\System32\AppServices.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\WDC\SetIcon.exe
c:\windows\SYSTEM32\rundll32.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\webshots.scr
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\SYSTEM32\hpoipm07.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-02-11 20:46:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 01:46:32
ComboFix2.txt 2009-02-11 04:43:21

Pre-Run: 11,946,774,528 bytes free
Post-Run: 11,944,329,216 bytes free

271 --- E O F --- 2009-01-14 14:19:25
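An added cross-check, not part of this thread and not ComboFix code: the script below parses the CFScript from post #9 (decoding the hex(7) BootExecute value to confirm it restores the XP default "autocheck autochk *") and compares its File:: and Driver:: entries against the Other Deletions and Drivers/Services sections of the log above, so any requested deletion the log does not confirm stands out. Both inputs are constructed, abridged copies of the posted text.

```python
# Added cross-check for this thread, not ComboFix code: parse the CFScript from
# post #9 and the ComboFix log from post #10 and report what the log confirms.
import re
from typing import Dict, List

# Constructed copy of the CFScript in post #9.
CFSCRIPT = r"""KillAll::
Driver::
znzolsgh
File::
c:\windows\SYSTEM32\52.tmp
c:\windows\SYSTEM32\1B.tmp
c:\windows\SYSTEM32\12.tmp
c:\windows\SYSTEM32\secupdat.dat
c:\documents and settings\Jim\iub.exe
C:\nwurjr.exe
C:\ywdhlny.exe
C:\-1192488682
c:\windows\SYSTEM32\mvsnldqn.dll
c:\windows\System32\Drivers\znzolsgh.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
"""

# Constructed excerpt of the log in post #10 (section banners shortened).
COMBOFIX_LOG = r"""(((((((((( Other Deletions ))))))))))
.
C:\-1192488682
c:\documents and settings\Jim\iub.exe
C:\nwurjr.exe
c:\windows\SYSTEM32\12.tmp
c:\windows\SYSTEM32\1B.tmp
c:\windows\SYSTEM32\52.tmp
c:\windows\SYSTEM32\mvsnldqn.dll
c:\windows\SYSTEM32\secupdat.dat
C:\ywdhlny.exe
.
(((((((((( Drivers/Services ))))))))))
.
-------\Service_znzolsgh
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # "((( Section )))" log banner
HEADER_RE = re.compile(r"^(\w+)::$")            # "File::" style CFScript header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # "Name"=value under Registry::
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]    # Windows XP default value


def sectioned(text: str, header_re) -> Dict[str, List[str]]:
    """Group non-empty lines under the most recent header matching header_re."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = header_re.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def decode_reg_value(raw: str):
    """Decode a REGEDIT4 value: quoted string or hex(7) REG_MULTI_SZ (ANSI)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(","))
        # NUL-separated strings; the trailing empty strings are the terminator.
        return [s for s in data.decode("latin-1").split("\x00") if s]
    return raw


def cross_check(cfscript: str, log: str) -> Dict[str, object]:
    """Report which CFScript requests the ComboFix log actually confirms."""
    script, logsec = sectioned(cfscript, HEADER_RE), sectioned(log, BANNER_RE)
    deleted = {p.lower() for p in logsec.get("Other Deletions", [])}
    removed = {l.split("Service_", 1)[1].lower()
               for l in logsec.get("Drivers/Services", []) if "Service_" in l}
    reg = {m.group(1): decode_reg_value(m.group(2))
           for m in map(VALUE_RE.match, script.get("Registry", [])) if m}
    files, drivers = script.get("File", []), script.get("Driver", [])
    return {
        "confirmed": [p for p in files if p.lower() in deleted],
        "unconfirmed": [p for p in files if p.lower() not in deleted],
        "services_removed": [d for d in drivers if d.lower() in removed],
        "bootexecute_is_default": reg.get("BootExecute") == DEFAULT_BOOTEXECUTE,
        "appinit_dlls_cleared": reg.get("AppInit_DLLs") == "",
    }


if __name__ == "__main__":
    for name, value in cross_check(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{name}: {value}")
```

On this thread's data the one File:: entry not listed under Other Deletions is znzolsgh.sys, while its service does appear under Drivers/Services; that is the kind of gap worth re-checking in the next log before calling the cleanup complete.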

#11 JimmyS (Topic Starter)

Posted 11 February 2009 - 08:53 PM

As requested, here is the HijackThis log . . .

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:08 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jim\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;local.,;*.local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Internet\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab
O16 - DPF: {D2349304-8F9E-4A54-ACF6-0F6104B44209} (SketchCtl.Pic1) - http://auditor.cuyahogacounty.us/repi/sketch/Sketch.ocx
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 13157 bytes

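The O9, O16 and O23 entries above follow a fixed "section - description - target" layout. The following Python parser is an added illustration for readers triaging such logs; it is not HijackThis's own code and was not posted by anyone in this thread. The sample lines are constructed to mirror entries in the log above, and the triage rules (unknown owner, "(file missing)", unnamed ActiveX download) are an assumed reviewer heuristic, not HijackThis logic.

```python
import re
# Constructed sample in the HijackThis format used in the thread (not a real scan).
SAMPLE_LOG = """\
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\system32\\msjava.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\\WINDOWS\\System32\\MsPMSPSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = {
    "O9": re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.+?) - (?P<clsid>" + CLSID + r") - (?P<target>.+)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<target>\S+)$"),
    # Assumes the owner field contains no " - "; service names and paths may.
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>[^-]+?) - (?P<target>[A-Za-z]:\\.+)$"),
}

def parse_hjt(text):
    """Return one dict per recognised O9/O16/O23 line; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        section, sep, body = raw.partition(" - ")
        pat = PATTERNS.get(section.strip())
        if not sep or pat is None:
            continue
        flags = []
        if body.endswith("(file missing)"):  # HijackThis marks dangling service paths
            flags.append("file missing")
            body = body[: -len("(file missing)")].rstrip()
        m = pat.match(body)
        if m:
            d = m.groupdict()
            entries.append({"section": section, "name": d.get("name") or "(no name)",
                            "clsid": d.get("clsid") or "", "owner": d.get("owner") or "",
                            "target": d["target"], "flags": flags})
    return entries

def triage(entries):
    """Heuristic review list (assumed): entries a helper would look up before anything else."""
    out = []
    for e in entries:
        reasons = list(e["flags"])
        if e["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if e["section"] == "O16" and e["name"] == "(no name)":
            reasons.append("unnamed ActiveX download")
        if reasons:
            out.append((e["section"], e["name"], e["target"], reasons))
    return out
```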
#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 11 February 2009 - 10:39 PM

Please uninstall Viewpoint from the computer...


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    c:\program files\Coupons
    c:\windows\Internet Logs\xDB*.tmp
    c:\program files\temp01
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..

1. OTMoveIt3
2. ESET Online
3. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 JimmyS

JimmyS
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 12 February 2009 - 11:35 PM

Below is the OTMoveIt log. I wasn't able to run the ESET Online Scanner because I still can't get on-line with the problem PC. I called SBC support to troubleshoot my DSL connection issues. They were not able to resolve it. Since I am online with another PC they have concluded that my connection is valid but I have problems with my PC (duh). Not sure if that is something you can help me with. The issue, apparently, is that there is no IP Address when I check the Local Area Connection Status. We tried entering one manually and it didn't help. The SBC guy mentioned that cleaning up the virus may have damaged library or registry files and that is causing the issue. If you have any suggestions about what I can do, I would be very pleased to hear them.

In terms of the virus issues, I no longer see any signs of infection. The big white box in the middle of the screen is gone and the SWP2009 program is nowhere in sight. As far as I can tell the PC is behaving normally except I can't get online. Oh, there is one other thing, when I boot up I get an error . . . "dsca.exe application error -- application failed to initialize properly." I click OK and the boot continues. Could that be causing my connection problem?

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\program files\Coupons not found.
File/Folder c:\windows\Internet Logs\xDB*.tmp not found.
File/Folder c:\program files\temp01 not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jim\LOCALS~1\Temp\~DF5E4D.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\ZLT00168.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02122009_230641

Files moved on Reboot...
C:\DOCUME~1\Jim\LOCALS~1\Temp\~DF5E4D.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\ZLT00168.TMP not found!

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:06:09 AM

Posted 13 February 2009 - 03:54 AM

The SBC guy mentioned that cleaning up the virus may have damaged library or registry files and that is causing the issue.


Not of my doing, because you already mentioned you could not get online in your very first post..

I updated my SpyBot Search and Destroy and ran a scan, it found and disabled hundreds of threats. After reboot I can't get on-line anymore, still have SWP2009 running, and still have white box blocking screen. I ran Zone Alarms virus scan again, it picked up and resolved 119 threats. (Type_Win32 115 times and Worm.Win32.AutoRun.yvq 4 times).



Let's do this and see if you can get your PC back online...


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE



Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will ask you to restart your computer in an attempt to fix the internet connection. Please do so..



After that, tell me, can you surf the internet now? :thumbup2:



#15 JimmyS

JimmyS
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:09 PM

Posted 13 February 2009 - 07:59 PM

Wow, you are a genius! I'm back on-line! (Don't worry, I remember that I couldn't get on-line before I contacted you, so I know you didn't cause it). So, thanks very much.

Sorry to keep hitting you with more stuff, but my Zone Alarm anti-virus just now picked up 5 more virus items. Four of them are Virus.Win32.Virut.ce and the fifth is Rootkit.Win32.Pakes.gb. Does this mean I still have issues? Wow, now another 10 new virus items just got picked up by Zone Alarms. All are Virus.Win32.Virut.ce. So I think for sure I still have virus issues. My Firefox browser works but IE won't launch; the program cannot be found. What now?

Aw darn. I just rebooted and now I can't get on-line again. Seems like I've got some real demons attacking me. Tell me what to try now, I'm game. Thanks.

Edited by JimmyS, 13 February 2009 - 08:08 PM.




