Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Application error, cmd.exe


  • Please log in to reply

#1
antisocialbutterfly

antisocialbutterfly

    Member

  • Member
  • PipPip
  • 24 posts
This is a minor bug, but I have been unable to find a fix for it and it IRRITATES me.

I get this error every time I shut down the computer (Alienware Area-51 m-5700, Intel Celeron-M 1.5G, 1G RAM, Windows XP Home), and -only- when I shut down.

The error code is 0xc0000142.

After a couple of seconds the computer "doinks" and shuts down anyway. Like I said, minor. But annoying.

Posted this in the Windows area; it was suggested I might have a malware problem and should post here.

Spyware and Panda scans came back clean. Here are the HJT logfiles:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:51 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.v.../main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

StartupList report, 4/8/2007, 12:22:56 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
SmartDefrag = "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
IntelZeroConfig = "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
IntelWireless = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
nwiz = nwiz.exe /install
IntelliPoint = "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Microsoft_Hardware_Launch_IPoint_exe.job
SmartDefrag.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://download.micr.../OGAControl.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://download.micr...heckControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #2: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #3: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #27: C:\WINDOWS\system32\ZoneLabs\vetredir.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\LANEAD~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\LANEAD~1\LOCALS~1\History\History.IE5\index.dat||C:\DOCUME~1\LANEAD~1\LOCALS~1\History\History.IE5\MSHIST~2\index.dat|||t

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,163 bytes
Report generated in 0.188 seconds


Process list saved on 12:24:57 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
1920 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
888 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
1024 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
1084 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
580 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1172 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1384 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe 10.5.1.22 Intel Corporation
1900 C:\Program Files\AlienGUIse\wbload.exe 4.5.1.0 Stardock Systems, Inc
188 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe 10.5.1.5 Intel Corporation
804 C:\WINDOWS\system32\ZoneLabs\vsmon.exe 6.5.737.0 Zone Labs, LLC
1480 C:\WINDOWS\Explorer.EXE 6.0.2900.2647 Microsoft Corporation
276 C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe 10.1.1.10 SafeNet
684 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
992 C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe 10.1.1.10 SafeNet
340 C:\WINDOWS\system32\nvsvc32.exe 6.14.10.7810 NVIDIA Corporation
1240 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe 10.5.1.5 Intel Corporation
1944 C:\WINDOWS\system32\SearchIndexer.exe 6.0.6000.16431 Microsoft Corporation
1724 C:\WINDOWS\system32\ZoneLabs\isafe.exe 10.67.0.0 Computer Associates International, Inc.
1408 C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
2096 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe 10.5.1.11 Intel Corporation
2348 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe 10.5.1.18 Intel Corporation
2752 C:\Program Files\Microsoft IntelliPoint\ipoint.exe 6.10.157.0 Microsoft Corporation
3456 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe 6.5.737.0 Zone Labs, LLC
3716 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 8.3.4.0 Synaptics, Inc.
2220 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
2236 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
2696 C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe 10.1.1.10 SafeNet
3244 C:\Program Files\Windows Desktop Search\WindowsSearch.exe 6.0.6000.16431 Microsoft Corporation
3632 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe 10.5.1.11 Intel Corporation
3920 C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe 4.8.2.7565
3396 C:\WINDOWS\system32\SearchProtocolHost.exe 6.0.6000.16431 Microsoft Corporation
3288 C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE 12.0.4518.1014 Microsoft Corporation
1756 C:\Program Files\Hijackthis\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
  • 0

Advertisements


#2
Technical_1

Technical_1

    Visiting Staff

  • Member
  • PipPipPip
  • 735 posts
Hi antisocialbutterfly.

I don't think that sounds Malware related, but we'll have a look.
  • Please download Deckard's System Scanner to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
  • Please also copy the contents of Extra.txt to your post as well.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
  • What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
[*]Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner
Note: This Scan requires Internet Explorer to run.
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.
[*]Post Logs
  • DSS Scan Results
  • Kaspersky Results

[/list]
  • 0

#3
antisocialbutterfly

antisocialbutterfly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here are the result logs as requested. Kapersky indicates an infection, [bleep].

Deckard's System Scanner v20070411.38
Run by Lane Adamson on 2007-04-21 at 11:53:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2007-04-21 16:53:22 UTC - RP299 - Deckard's System Scanner Restore Point
28: 2007-04-20 21:47:41 UTC - RP298 - System Checkpoint
27: 2007-04-16 22:01:46 UTC - RP297 - System Checkpoint
26: 2007-04-14 23:48:51 UTC - RP296 - System Checkpoint
25: 2007-04-13 23:23:44 UTC - RP295 - System Checkpoint


-- First Restore Point --
1: 2007-03-19 02:48:04 UTC - RP271 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Lane Adamson.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:55:06 AM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Lane Adamson\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Lane Adamson.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.v.../main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys
R0 viamraid - c:\windows\system32\drivers\viamraid.sys
R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys
R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys
R1 VETMONNT (VET File and Macro Monitor) - c:\windows\system32\drivers\vetmonnt.sys
R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys
R2 Crypto - c:\windows\system32\drivers\crypto.sys
R2 IPSECDRV (SafeNet IPSec Plugin) - c:\windows\system32\drivers\ipsecdrv.sys
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys
R3 DNE (Deterministic Network Enhancer Miniport) - c:\windows\system32\drivers\dne2000.sys
R3 DniVap (SafeNet WAN Miniport (VA)) - c:\windows\system32\drivers\vap.sys
R3 NuidFltr (NUID filter driver) - c:\windows\system32\drivers\nuidfltr.sys
R3 smserial - c:\windows\system32\drivers\smserial.sys
R3 w29n51 (Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP) - c:\windows\system32\drivers\w29n51.sys

S3 ENTECH - c:\windows\system32\drivers\entech.sys
S3 ENUM1394 (%1394\031887&040892.DeviceDesc%) - c:\windows\system32\drivers\enum1394.sys
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys
S3 vncdrv - c:\windows\system32\drivers\vncdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IPSECMON (SafeNet Monitor Service) - "c:\program files\netgear\netgear prosafe vpn client\ipsecmon.exe"
R2 IREIKE (SafeNet IKE Service) - "c:\program files\netgear\netgear prosafe vpn client\ireike.exe"
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe
R3 CAISafe (CA ISafe) - c:\windows\system32\zonelabs\isafe.exe

S3 Microsoft Office Groove Audit Service - "c:\program files\microsoft office\office12\grooveauditservice.exe"
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-04-21 10:52:53 492 --a------ C:\WINDOWS\Tasks\SmartDefrag.job<SMARTD~1.JOB>
2007-03-06 10:32:27 304 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job<MICROS~1.JOB>


-- Files created between 2007-03-21 and 2007-04-21 -----------------------------

2007-03-25 01:36:30 1021504 --a------ C:\WINDOWS\system32\vete.dll
2007-03-25 01:28:54 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\MailFrontier<MAILFR~2>
2007-03-25 01:23:14 75776 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-03-25 01:23:12 12288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2007-03-25 01:23:12 15668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-03-25 01:23:12 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-25 01:23:12 21605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-03-25 01:23:12 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-03-25 01:23:12 77824 --a------ C:\WINDOWS\system32\driverif.dll
2007-03-24 01:57:56 0 d-------- C:\Program Files\Windows Resource Kits<WI8DE7~1>
2007-03-21 11:30:12 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\MailFrontier(2)<MAILFR~1>
2007-03-21 11:29:15 51744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-03-21 11:29:15 2223904 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat


-- Find3M Report ---------------------------------------------------------------

2007-04-21 10:55:51 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-09 17:28:07 0 d-------- C:\Program Files\Acoustica MP3 CD Burner<ACOUST~1>
2007-04-08 11:47:47 0 d-------- C:\Program Files\Windows Desktop Search<WI459E~1>
2007-04-08 11:45:08 0 d-------- C:\Program Files\Microsoft IntelliPoint<MICROS~3>
2007-04-08 11:43:53 0 d-------- C:\Program Files\AlienGUIse<ALIENG~1>
2007-03-30 00:31:04 69721 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2007-03-30 00:31:01 81920 --a------ C:\WINDOWS\system32\SynTPCo2.dll
2007-03-30 00:31:00 94297 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2007-03-30 00:30:55 114688 --a------ C:\WINDOWS\system32\SynCtrl.dll
2007-03-30 00:30:55 82012 --a------ C:\WINDOWS\system32\SynCOM.dll
2007-03-23 22:25:44 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\Ahead
2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-11 13:58:26 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\Windows Desktop Search<WINDOW~1>
2007-03-11 13:52:44 0 d-------- C:\Program Files\MSBuild
2007-03-11 13:48:08 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-03-10 19:23:36 0 d-------- C:\Program Files\IObit
2007-03-08 10:48:36 578048 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:48:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:48:36 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:49:49 1843968 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 20:46:48 0 d-------- C:\Program Files\Atwin
2007-03-04 02:44:20 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-03 22:48:23 0 d-------- C:\Documents and Settings\Lane Adamson\Application Data\WholeSecurity<WHOLES~1>
2007-03-03 21:13:24 3623736 --a----c- C:\WINDOWS\procexp.exe
2007-03-02 01:52:11 0 d---s---- C:\Documents and Settings\Lane Adamson\Application Data\Microsoft<MICROS~1>
2007-02-24 17:11:23 81920 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-02-24 17:05:11 0 d-------- C:\Program Files\Realtek
2007-02-24 16:41:44 315392 --a----c- C:\WINDOWS\HideWin.exe
2007-02-24 11:41:30 0 d-------- C:\Program Files\MSECache
2007-02-21 20:09:06 724992 --a----c- C:\WINDOWS\iun6002.exe
2007-02-05 15:43:06 1481728 -----n--- C:\WINDOWS\system32\mssrch.dll
2007-02-05 15:42:10 1504768 -----n--- C:\WINDOWS\system32\tquery.dll
2007-02-05 15:41:14 122368 -----n--- C:\WINDOWS\system32\UncPH.dll
2007-02-05 15:41:06 134656 -----n--- C:\WINDOWS\system32\UncDMS.dll
2007-02-05 15:41:04 108544 -----n--- C:\WINDOWS\system32\UncNE.dll
2007-02-05 15:40:58 98304 -----n--- C:\WINDOWS\system32\UncCplExt.dll<UNCCPL~1.DLL>
2007-02-05 15:40:56 260096 -----n--- C:\WINDOWS\system32\oeph.dll
2007-02-05 15:36:48 52224 -----n--- C:\WINDOWS\system32\msstrc.dll
2007-02-05 15:36:08 27136 -----n--- C:\WINDOWS\system32\rtffilt.dll
2007-02-05 15:36:06 111104 -----n--- C:\WINDOWS\system32\xmlfilter.dll<XMLFIL~1.DLL>
2007-02-05 15:35:38 248320 -----n--- C:\WINDOWS\system32\msshsq.dll
2007-02-05 15:35:24 167424 -----n--- C:\WINDOWS\system32\mssphtb.dll
2007-02-05 15:34:38 300032 -----n--- C:\WINDOWS\system32\searchindexer.exe<SEARCH~3.EXE>
2007-02-05 15:33:54 331776 -----n--- C:\WINDOWS\system32\mssph.dll
2007-02-05 15:32:28 182784 -----n--- C:\WINDOWS\system32\searchprotocolhost.exe<SEARCH~1.EXE>
2007-02-05 15:32:02 65536 -----n--- C:\WINDOWS\system32\propdefs.dll
2007-02-05 15:31:10 76800 -----n--- C:\WINDOWS\system32\searchfilterhost.exe<SEARCH~2.EXE>
2007-02-05 15:30:16 23552 -----n--- C:\WINDOWS\system32\msscb.dll
2007-02-05 15:29:24 51200 -----n--- C:\WINDOWS\system32\msscntrs.dll
2007-02-05 15:29:14 98816 -----n--- C:\WINDOWS\system32\mssitlb.dll
2007-02-05 15:29:12 255488 -----n--- C:\WINDOWS\system32\srchadmin.dll<SRCHAD~1.DLL>
2007-02-05 15:28:56 32256 -----n--- C:\WINDOWS\system32\mssprxy.dll
2007-02-05 15:28:46 733696 -----n--- C:\WINDOWS\system32\propsys.dll
2007-02-05 15:24:38 2048 -----n--- C:\WINDOWS\system32\UncRes.dll
2007-02-05 15:24:36 11264 -----n--- C:\WINDOWS\system32\oephRes.dll
2007-02-05 15:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-23 16:15:22 676224 --a------ C:\WINDOWS\system32\OGACheckControl.DLL<OGACHE~1.DLL>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"nwiz"="nwiz.exe /install"
"IntelliPoint"="\"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoInstrumentation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-21 at 11:56:18 ---------

Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 2047.36 MiB / 1454.6 MiB
Pagefile Memory (total/avail): 3941.45 MiB / 3496.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1996.04 MiB

C: is Fixed (NTFS) - 74.51 GiB total, 53.27 GiB free.
D: is CDROM (Unformatted)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: ZoneAlarm Security Suite Firewall v6.5.737.000 (Zone Labs, Inc.)
AV: ZoneAlarm Security Suite Antivirus v6.5.737.000 (Zone Labs, Inc.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lane Adamson\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NEWLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lane Adamson
LOGONSERVER=\\NEWLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;;;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\LANEAD~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\LANEAD~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=NEWLAPTOP
USERNAME=Lane Adamson
USERPROFILE=C:\Documents and Settings\Lane Adamson
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lane Adamson (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AccuTerm 97 --> C:\PROGRA~1\Atwin\UNWISE.EXE C:\PROGRA~1\Atwin\INSTALL.LOG
Acoustica MP3 CD Burner --> C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AlienGUIse --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
AlienGUIse Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CutePDF Writer 2.7 --> C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola SM56 Data Fax Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Namu6 - Website Editor (Version 2.3) --> "C:\Program Files\Namu6\unins000.exe"
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR ProSafe VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\Setup\Setup.exe" -l0x9
PowerCinema Linux 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5F82F8F-4DE2-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RtlUpd.exe -r
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TaxACT 2006 --> C:\PROGRA~1\2NDSTO~1\TAXACT~1\Unta06.exe C:\PROGRA~1\2NDSTO~1\TAXACT~1\Install.log
Theme Manager --> C:\PROGRA~1\ALIENG~1\thememgr.exe /uninstallwise
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Outlook 2007 Junk Email Filter (KB932338) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E90DA454-DE6C-45FA-A702-47B614A0159F}
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Desktop Search 3.01 --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-04-21 at 11:56:18 ---------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 21, 2007 1:22:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/04/2007
Kaspersky Anti-Virus database records: 300231
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44415
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:59:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.32.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.32.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy14.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_6d0.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\History\History.IE5\MSHist012007042120070422\index.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Temp\~DF24F0.tmp Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Temp\~DF9165.tmp Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Temp\~DF917C.tmp Object is locked skipped
C:\Documents and Settings\Lane Adamson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\ntuser.dat Object is locked skipped
C:\Documents and Settings\Lane Adamson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\isakmp.log Object is locked skipped
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP281\A0090294.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP281\A0090294.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{A8FB012F-BFEC-4849-8A67-726196FE896A}\RP299\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\NEWLAPTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{26621ECD-0064-4FBB-A97D-C27D967A6916}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT07c34.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07c3a.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Latest HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 1:23:14 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.v.../main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
Technical_1

Technical_1

    Visiting Staff

  • Member
  • PipPipPip
  • 735 posts
Hello again antisocialbutterfly.

The item that Kaspersky reports is in System Restore and should not be a problem unless you were to use System Restore to go back to an earlier setup. We'll clean it out in a bit.

That error you posted seems to be a generic error and I find that it appears related to many different error conditions.

I don't see anything at all in that report. Let's look for rootkits and make sure that's not causing our problem (but I don't think it is).
  • Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browserClick Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browserClick Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
  • Download GMER
    • Unzip it to the desktop.
    • Open the program and click on the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
    • Click on Scan.
    • When the scan has run click Copy and paste the results (if any) into this thread.
  • Please re-open HiJackThis and scan and save a new log file.
  • Post Logs
    • gmer Results
    • New Hijack This Log

  • 0

#5
antisocialbutterfly

antisocialbutterfly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Thanks for all your time and trouble so far. Hopefully I am malware-free and this is just a minor glitch as I originally thought. Like the vacuum cleaner guy, "I just think things should work properly."

Ran ATF as directed (cleaned about 10MB). I use CCleaner daily, ATF seems to dump more junk but offer less control -- should I change, or would ATF only be needed in these type situations?

GMER log:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-22 08:33:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwCreateDirectoryObject
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwCreateFile
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwEnumerateKey
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwEnumerateValueKey
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwFlushKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwMakeTemporaryObject
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwQueryInformationFile
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwQueryKey
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwQueryValueKey
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwReadFile
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwSetInformationFile
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwSetInformationThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwUnmapViewOfSection
SSDT \SystemRoot\System32\Drivers\Crypto.SYS ZwWriteFile

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ 60, 4C, DD, B2, E0, AE, DD, ... ]
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\system32\DRIVERS\update.sys
.text ntkrnlpa.exe!ZwYieldExecution + 28BC 805012B4 12 Bytes [ 60, 4C, DD, B2, E0, AE, DD, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[620] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 32605629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
.text C:\WINDOWS\system32\searchindexer.exe[1408] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 00D51B19 C:\WINDOWS\system32\mssrch.dll
.text C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe[2420] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 97, 3D, DF, 83 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!DialogBoxParamW 7E425F8F 5 Bytes JMP 00BEF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!DialogBoxIndirectParamW 7E432062 5 Bytes JMP 00D7FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!MessageBoxIndirectA 7E43A06A 5 Bytes JMP 00D7FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!DialogBoxParamA 7E43B12C 5 Bytes JMP 00D7FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!MessageBoxExW 7E450750 5 Bytes JMP 00D7FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!MessageBoxExA 7E450774 5 Bytes JMP 00D7FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!DialogBoxIndirectParamA 7E456CD0 5 Bytes JMP 00D7FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2908] USER32.dll!MessageBoxIndirectW 7E466425 5 Bytes JMP 00C115DA C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B2DE62A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B2DE62A0] vsdatant.sys

---- EOF - GMER 1.0.12 ----

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:27 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~2\mantispm.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lane Adamson\Desktop\gmer\gmer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.v.../main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR ProSafe VPN Client.lnk = C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
Technical_1

Technical_1

    Visiting Staff

  • Member
  • PipPipPip
  • 735 posts

Things look good there, antisocialbutterfly.

It may indeed be a "minor glitch" as you describe it. Is it still happening now?

should I change, or would ATF only be needed in these type situations?

CCleaner is a good program as well. The reason I use ATF Cleaner mostly is because the tools creator (Attribune) can be found
here on this board incase something were to ever go wrong and the author would need to be contacted. You can certainly use whichever you prefer.

Congratulations. :blink: Your system is clean of Malware.

Below is my standard closing speech. You may already have some of these programs and/or performed some of these steps. Use what you can and skip the rest.
  • Please re-hide hidden files. (If applicable)
    Follow the directions you used earlier to show hidden files and undo the changes you made so that hidden files are actually hidden once again.
  • Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browserClick Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browserClick Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
  • Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    • The easiest and safest way to do this is:
      • Go to Start > Programs > Accessories > System Tools and click "System Restore".
      • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
      • Then go to Start > Run and type: Cleanmgr
      • Click "OK".
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
    • SpywareBlaster to help prevent spyware from installing in the first place.
    • SpywareGuard to catch and block spyware before it can execute.
    • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
  • You should also have a good firewall. Here are 2 free ones available for personal use:
  • You should also have a good Anti-Virus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
  • To keep your operating system up to date you should do a windows update monthly. Here's the link:
  • And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.
  • To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
Safe Surfing!

:whistling:


If the problem persists, we may have to bring in some Software/OS experts.

Let me know.


  • 0

#7
antisocialbutterfly

antisocialbutterfly

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Glad I am malware-free. "I washed my face and hands before I come, I did!"

The problem persists. Power down. Error box. Doink. Irritation.

Does not interfere with operation of the machine or anything else that I have to do -- but it isn't RIGHT. And that's annoying.

Should I move back to the Windows forum?
  • 0

#8
Technical_1

Technical_1

    Visiting Staff

  • Member
  • PipPipPip
  • 735 posts

Should I move back to the Windows forum?

Yes. I am convinced it's not Malware related as there isn't anything odd about any of the results of those
scans. You can link back to this thread if need be for the helper who picks your thread up there.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP