Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

privacy_danger error and no wallpaper [RESOLVED]


  • This topic is locked

#1
Chemical05

    Member

  • Member
  • 16 posts
Hello,
I got a virus that bogged down my system (ate up 98% of processing power); it was a software referral virus that was trying to get me to buy an UltimateCleaner software. I found some instructions for removing most of the virus files from other people who had the same problem. I got the computer back up and running enough so I can use it. But now I have a white background covering my wallpaper and an error message telling me Windows can't find a file for c:/windows/Privacy_Danger/index.htm.
I used HijackThis to remove suspicious file calls and I manually removed the files from the Windows directory. I also ran SDFix. I would like some help in making sure I don't have any other possible virus/adware problems, and to take care of this privacy_danger error message and get my wallpaper back. Any help would be greatly appreciated.

Thanks,
Michael

Here is the HiJackThis! Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:15:38 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
D:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe
C:\WINDOWS\system32\ntvdm.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
D:\Program Files\Sony Handheld\PalmOneLiveConnect.exe
C:\OPLIMIT\ocrawr32.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\NORTON~2\NORTON~3\Navw32.exe
C:\Documents and Settings\Michael Bloom\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...=minisearch_dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...=minisearch_dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...i...&mn=2739352
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...i...&mn=2739352
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero DSL\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - d:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Internet Download Accelerator] d:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LifeDrive™ Manager.lnk = D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe
O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://D:\PROGRA~1\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://D:\PROGRA~1\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124491344102
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Doesn't look too bad, actually.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Try this to restore the desktop:

Open the Control Panel.
Open Display Properties.
Click the Desktop tab.
Click the Customize Desktop button.
Click the Web tab in the Desktop Items window.
Make sure all checkboxes in this window are un-checked including My Current Homepage.
Restart your computer.


Then, to ensure that you are clean:

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now, to get the log, go to the PREFERENCES button at the bottom right
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a Notepad text file; copy and paste this into your next reply

  • 0
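The two entries flagged above share a trait a practitioner can check for mechanically: browser add-ons whose DLL sits directly in C:\WINDOWS rather than under a program folder. The script below is an added example, not part of this thread or of HijackThis; it parses HijackThis-format lines and flags that pattern, plus orphaned entries and startup items with no resolved path. The sample lines are constructed from the log posted above, and the Windows-root heuristic is this example's own assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    name: str     # entry name as HijackThis prints it
    path: str     # module or command path, "" when the log gives none
    reason: str   # why the entry was flagged


# Constructed sample in HijackThis v1.99 format. The entries are copied from
# the log posted in this thread; the two CouponBar lines are the ones Essexboy
# asked to fix, the others are benign and must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "O2 - <rest>" / "R1 - <rest>"
LINE_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<rest>.*)$")
# "<kind>: <name> - {CLSID} - <path>"  (the CLSID part is absent on O20 lines)
MODULE_RE = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?:\{[0-9A-Fa-f-]+\} - )?(?P<path>.*)$")
# O4 Run keys: 'HKLM\..\Run: [name] "command" args'
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 startup folders: "Startup: name.lnk = path" (the " = path" part may be absent)
STARTUP_RE = re.compile(
    r"^(?P<kind>(?:Global )?Startup): (?P<name>.*?)(?: = (?P<path>.*))?$")
# Assumed heuristic for this example: a module directly in the Windows
# directory (not a subfolder) is unusual for a browser add-on.
WIN_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def _executable(cmd: str) -> str:
    """Return the program part of a Run-key command: the quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _parse(code: str, rest: str) -> Tuple[str, str, str]:
    """Split the text after 'Oxx - ' into (kind, name, path); path is '' if unknown."""
    if code == "O4":
        r = RUN_RE.match(rest)
        if r:
            return "run", r.group("name"), _executable(r.group("cmd"))
        s = STARTUP_RE.match(rest)
        if s:
            return "startup", s.group("name"), s.group("path") or ""
        return "", "", ""
    m = MODULE_RE.match(rest)
    return ("module", m.group("name"), m.group("path")) if m else ("", "", "")


def triage(log_text: str) -> List[Finding]:
    """Flag HijackThis entries worth a second look; benign entries produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line, process list or blank line
        code, rest = m.group("code"), m.group("rest")
        kind, name, path = _parse(code, rest)
        if kind == "startup" and not path and not name.lower().endswith(".lnk"):
            findings.append(Finding(code, name, path,
                                    "startup item with no resolved target path"))
        elif path == "(no file)" or path.endswith("(file missing)"):
            findings.append(Finding(code, name, path,
                                    "orphaned entry: registered module is no longer on disk"))
        elif WIN_ROOT_RE.match(path):
            findings.append(Finding(code, name, path,
                                    "module loaded from the Windows root directory instead of a program folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<30} {f.reason}")
```

Run against a full log, the same four kinds of entry come out while the Norton, Adobe and Symantec lines stay silent; anything flagged still needs a human to decide, as Essexboy did here.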

#3
Chemical05

    Member

  • Topic Starter
  • Member
  • 16 posts
OK,
I removed the two lines from HijackThis, and I made the changes to the desktop to get my wallpaper back, so I have my wallpaper now. I downloaded SUPERAntiSpyware and ran it, but the program locks up while it is scanning my computer. I have tried it several times; it locks up in different places. It gets to about 650 total infected files when it freezes up. Do you want me to run a quick scan instead?

Thanks,
Michael
  • 0

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmmm, no. I will run another tool first to clear the main ones so that I can see what it is.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#5
Chemical05

    Member

  • Topic Starter
  • Member
  • 16 posts
Hi,
I couldn't download ComboFix through my computer, so I had to get it through my laptop and move it to my desktop via a memory stick. I use NetZero for DSL, and today I have been getting web page error messages saying that the DSL connection is lost. It is fixed within a few seconds, but I never had that problem before.

Here is the result of the ComboFix:

ComboFix 07-11-01.1 - Michael Bloom 2007-11-03 19:11:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -7:00]
Running from: C:\Documents and Settings\Michael Bloom\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Michael Bloom\Favorites\Error Cleaner.url
C:\Documents and Settings\Michael Bloom\Favorites\Privacy Protector.url
C:\Documents and Settings\Michael Bloom\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\sysinit32

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 19:10 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 09:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-03 09:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:59 <DIR> d-------- C:\Documents and Settings\Michael Bloom\Application Data\SUPERAntiSpyware.com
2007-11-03 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-02 12:59 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-01 23:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-01 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-01 23:12 <DIR> d-------- C:\Deckard
2007-11-01 22:44 2,792 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-01 08:50 38,224 --a------ C:\WINDOWS\system32\drivers\neokdss.sys
2007-10-31 23:36 <DIR> d-------- C:\Documents and Settings\Administrator.MICHAEL-RC14HL1\Application Data\AdobeUM
2007-10-30 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-30 09:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 09:54 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-30 06:58 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-30 00:41 106,496 --a------ C:\WINDOWS\kthemup.virus.exe
2007-10-09 23:25 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 06:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-20 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetZero DSL
2007-10-12 14:36 --------- d-----w C:\Program Files\NetZero DSL
2007-10-09 08:46 --------- d-----w C:\Documents and Settings\Michael Bloom\Application Data\Azureus
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4224FF33-C2EB-4039-B8C8-6EED565B9D96}]
2007-03-06 11:27 225240 --a------ C:\Program Files\NetZero DSL\PopupBlocker.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2007-09-13 14:34 264688]

[HKEY_CLASSES_ROOT\CLSID\{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2007-09-13 14:34 264688]
"{5BED3930-2E9E-76D8-BACC-80DF2188D455}"= C:\WINDOWS\CouponBarIE.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_CLASSES_ROOT\CLSID\{5BED3930-2E9E-76D8-BACC-80DF2188D455}]
[HKEY_CLASSES_ROOT\TTB000001.TTB000001.1]
[HKEY_CLASSES_ROOT\TypeLib\{9BA983B1-0C05-2DAF-9D1D-7E160077CAF4}]
[HKEY_CLASSES_ROOT\TTB000001.TTB000001]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-02-07 01:03]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2003-12-04 03:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-07-14 21:16]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-08-02 11:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 00:15]
"NetZeroDSL"="C:\Program Files\NetZero DSL\ConnectionCenter.exe" [2007-09-17 16:48]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="D:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 19:12]
"Internet Download Accelerator"="d:\Program Files\IDA\ida.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\Michael Bloom\Start Menu\Programs\Startup\
LifeDriveT Manager.lnk - D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe [2005-04-28 11:49:30]
Microsoft Find Fast.lnk - D:\Program Files\Microsoft Office\Office\FINDFAST.EXE [2000-07-12 21:53:09]
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2005-08-01 23:38:31]
Office Startup.lnk - D:\Program Files\Microsoft Office\Office\OSA.EXE [2000-07-12 21:53:18]
PowerReg Scheduler V3.exe [2005-08-19 22:56:14]
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2005-08-01 23:37:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-11 15:08:47]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HotSync Manager.lnk - D:\Program Files\Sony Handheld\Hotsync.exe [2004-06-09 14:16:08]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 06:26:28]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2002-07-07 19:33:22]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 sonypvl2;sonypvl2;C:\WINDOWS\system32\drivers\sonypvl2.sys
R1 sonypvf2;sonypvf2;C:\WINDOWS\system32\drivers\sonypvf2.sys
R1 sonypvt2;sonypvt2;C:\WINDOWS\system32\drivers\sonypvt2.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S1 sonypvd2;sonypvd2;C:\WINDOWS\system32\DRIVERS\sonypvd2.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\System32\Drivers\sddriver.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\ONSPCLCK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 16:02:32 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Michael Bloom.job"
- D:\PROGRA~1\NORTON~2\NORTON~3\Navw32.exe
"2007-10-29 19:29:52 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-03 07:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 19:14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsUpdate.log:cjcxbh 11758 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-03 19:15:43
.
--- E O F ---


And here is the HiJackThis result:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:50 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
D:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
C:\VSTASCAN\vsaccess.exe
D:\Program Files\Sony Handheld\PalmOneLiveConnect.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Michael Bloom\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...i...&mn=2739352
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero DSL\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-up Blocker - {4224FF33-C2EB-4039-B8C8-6EED565B9D96} - C:\Program Files\NetZero DSL\PopupBlocker.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - d:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Internet Download Accelerator] d:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: LifeDrive™ Manager.lnk = D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe
O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://D:\PROGRA~1\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://D:\PROGRA~1\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124491344102
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, you have a possible rootkit. I will try a normal deletion and then follow up with a rootkit scan to see if it goes. This is a long fix/post, so I would recommend copying it to a text file for reference.

I have been unable to find a great deal of information on this rootkit, so to err on the side of caution:

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drivers\neokdss.sys
    C:\WINDOWS\kthemup.virus.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

THEN

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

First we must back up the entire registry. To do this:

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that 'my computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'all' button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5BED3930-2E9E-76D8-BACC-80DF2188D455}]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the drop-down box SAVE AS TYPE select ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

A BIT MORE

Download AVG Anti-Rootkit Beta from here and save it to your Desktop.
Close all open programs as this will require a reboot.
Double click AVG_AntiRootkit_version number.exe to install the program.
(By default this will be to C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta.)
Once the program has installed, you will be prompted to reboot - please allow this to happen.
When the PC has rebooted, click the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click Perform in-depth search and put your feet up as this can take a while.
Once the scan has completed, if any files have been detected, right click the window and select Save results from the menu that appears.
Save the file as "AVGRootkit.txt", including the quotation marks, to the location of your choice.
If anything has been detected, copy and paste the log into your next reply. If not, just let me know.

AS A RIDER if this file appears in the AVG rootkit detector then select it for deletion C:\WINDOWS\system32\drivers\neokdss.sys

NEARLY THERE

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

AND FINALLY

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Logs required are OTMoveit, AVGRootkit report and Winpfind
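The script below is an added example and is not part of this thread, of HijackThis, of WinPFind3U or of any tool the helper names. It shows the kind of first pass a helper makes over the two log formats posted here (HijackThis O-lines and WinPFind3U's "name -> path -> vendor [Ver = ...]" lines): it pulls out entries whose target file is missing, services with garbled names, services with no vendor, binaries under %System32% that carry no company name, and unknown Winsock LSP entries, and says why each is worth a look. The sample input is constructed from lines that appear in this thread's logs; the rule set, the severity scale and the names Finding, triage_line and triage are this example's own choices, and every hit is a prompt to check the file, not a verdict. It needs only the standard library and runs offline.

```python
"""Triage of HijackThis O-lines and WinPFind3U "name -> path -> vendor" lines.

Added example for this thread, not code from HijackThis, WinPFind3U or the
helpers posting here.  It does not decide what is malicious: it lists the
entries a helper reads first and says why each one is worth a look.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the logs posted in this thread.
# Backslashes are doubled only because these are Python string literals.
SAMPLE_LINES = [
    "O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe",
    "O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - D:\\Program Files\\Alias\\Maya 7.0 Personal Learning Edition\\docs\\wrapper.exe\" -s \"D:\\Program Files\\Alias\\Maya 7.0 Personal Learning Edition\\docs\\Wrapper.conf (file missing)",
    "O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)",
    "O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll",
    "( 11Fßä#·ºÄÖ`I) Network Security Service [Win32_Shared | Disabled | Stopped] -> %System32%\\appdl32.exe -> File not found",
    "(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]",
    "Internet Download Accelerator -> d:\\Program Files\\IDA\\ida.exe -> File not found",
    "nwiz -> %System32%\\nwiz.exe -> [Ver = | Size = 1622016 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]",
]

MISSING_MARKERS = ("File not found", "(file missing)", "(no file)")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # this example's own scale

# WinPFind3U service line: "(svcname) Display name [type | start | state] -> path -> vendor [Ver = ...]"
WINPFIND_SERVICE = re.compile(r"^\((?P<svc>[^)]*)\)\s+(?P<display>.*?)\s+\[[^\]]*\]\s+->\s")
# HijackThis service line: "O23 - Service: Display name (svcname) - Vendor - path"
HJT_SERVICE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    line: str


def has_odd_chars(name: str) -> bool:
    """True when a service name contains anything outside printable ASCII.
    Stock XP service names are plain text; a run of accented and box characters
    is what a randomly generated name looks like in these logs."""
    return any(ch < " " or ch > "~" for ch in name)


def vendor_from_rest(rest: str) -> str:
    """WinPFind3U prints the file's company name before '[Ver = ...]'.
    Empty means the binary carries no company name in its version resource,
    which is a prompt to check the file by hash, not a verdict."""
    return rest.split("[Ver", 1)[0].strip()


def triage_line(line: str) -> list[Finding]:
    line = line.strip()
    out: list[Finding] = []
    if not line:
        return out
    if any(marker in line for marker in MISSING_MARKERS):
        out.append(Finding("low", "target file missing: orphaned entry, clean it up but it is not proof of infection", line))
    if line.startswith("O10 - Unknown file in Winsock LSP"):
        out.append(Finding("medium", "unknown Winsock LSP: verify the DLL, and remove it only with an LSP-aware tool (a broken LSP chain kills networking)", line))
    hjt = HJT_SERVICE.match(line)
    if hjt and hjt.group("vendor") == "Unknown owner":
        out.append(Finding("medium", "service with no vendor string", line))
    parts = [p.strip() for p in line.split(" -> ")]
    if len(parts) >= 3:                       # WinPFind3U "name -> path -> vendor [...]" form
        path, rest = parts[1], parts[-1]
        svc = WINPFIND_SERVICE.match(line)
        if svc and (has_odd_chars(svc.group("svc")) or has_odd_chars(svc.group("display"))):
            out.append(Finding("high", "garbled non-ASCII service name", line))
        missing = any(marker in rest for marker in MISSING_MARKERS)
        if not missing and vendor_from_rest(rest) == "" and "%system32%" in path.lower():
            out.append(Finding("medium", "binary under %System32% with no company name in its version resource: check it by hash", line))
    return out


def triage(lines) -> list[Finding]:
    """All findings for a log, highest severity first (stable, so log order is kept within a level)."""
    findings = [f for line in lines for f in triage_line(line)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:>6}] {f.reason}")
        print(f"         {f.line}")
```

Run it as a script to print the list, or import it and pass the lines of a saved log to triage(). Two of its hits on the sample are deliberately only prompts: nwiz.exe is flagged for carrying no company name even though its modified date matches nvsvc32.exe and NvCpl.dll from the same NVIDIA driver package in this thread's log, and the Bonjour O10 entry is flagged because LSP entries have to be removed with an LSP-aware tool or Winsock stops working, not because mdnsnsp.dll is bad. The one "high" hit is the service with the garbled name pointing at a file that no longer exists, which is the pattern the helper treats as a leftover of the infection.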

#7 Chemical05 (Topic Starter, Member, 16 posts)

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Try putting your reply in quotes

like this


#11 Chemical05 (Topic Starter, Member, 16 posts)
Results from OTMoveIt:

c:\WINDOWS\system32\drivers\neokdss.sys moved successfully.
C:\WINDOWS\kthemup.virus.exe moved successfully.

Created on 11/04/2007 09:34:08

#14 Chemical05 (Topic Starter, Member, 16 posts)
I guess there are too many lines of text from the AVG to display, so I attached a text file with all the info in it.

results from OTMoveIt:

c:\WINDOWS\system32\drivers\neokdss.sys moved successfully.
C:\WINDOWS\kthemup.virus.exe moved successfully.

Created on 11/04/2007 09:34:08



Here is a sample of the results from AVG Anti-Rootkit:

c:\RECYCLER\NPROTECT,Hidden Directory
c:\RECYCLER\NPROTECT\00495941.gif,Hidden File
c:\RECYCLER\NPROTECT\00495942.GIF,Hidden File
c:\RECYCLER\NPROTECT\00495943.gif,Hidden File
c:\RECYCLER\NPROTECT\00495944.gif,Hidden File

All of the files found were from the RECYCLER\NPROTECT\ folder; I estimate there are almost 1800 files like this on 3 drives, C, D and J.



Here are the results from WinPFind3u.exe

WinPFind3 logfile created on: 11/4/2007 2:56:49 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\Michael Bloom\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

511.48 Mb Total Physical Memory | 123.48 Mb Available Physical Memory | 24.14% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.39 Gb Total Space | 9.58 Gb Free Space | 25.62% Space Free
Drive D: | 37.14 Gb Total Space | 5.46 Gb Free Space | 14.70% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: MICHAEL-RC14HL1
Current User Name: Michael Bloom
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.160 | Size = 100032 bytes | Modified Date = 2/23/2006 11:41:04 AM | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 58992 bytes | Modified Date = 7/14/2005 9:16:00 PM | Attr = ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 198256 bytes | Modified Date = 7/14/2005 9:16:30 PM | Attr = ]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 181872 bytes | Modified Date = 7/14/2005 9:16:44 PM | Attr = ]
connectioncenter.exe -> %ProgramFiles%\NetZero DSL\ConnectionCenter.exe -> NetZero, Inc. [Ver = 3.0.0.0 | Size = 1095152 bytes | Modified Date = 9/17/2007 4:48:48 PM | Attr = ]
dvd43_tray.exe -> %ProgramFiles%\dvd43\dvd43_tray.exe -> Captain Red [Ver = 1.3.0.54 | Size = 271360 bytes | Modified Date = 12/4/2003 3:50:00 AM | Attr = ]
easyshare.exe -> %ProgramFiles%\KODAK\Kodak EasyShare software\bin\EasyShare.exe -> [Ver = 5, 3, 33, 27 | Size = 180224 bytes | Modified Date = 6/7/2006 6:26:28 AM | Attr = ]
hotsync.exe -> D:\Program Files\Sony Handheld\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr = ]
java.exe -> D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe -> [Ver = | Size = 24681 bytes | Modified Date = 5/7/2004 9:20:52 AM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.50.5 | Size = 36975 bytes | Modified Date = 8/26/2005 6:14:44 PM | Attr = ]
lifedrivemgrtray.exe -> D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe -> palmOne, Inc. [Ver = 1.0.0.2 | Size = 86016 bytes | Modified Date = 4/28/2005 11:49:30 AM | Attr = ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,2,9 | Size = 229376 bytes | Modified Date = 11/28/2005 12:11:36 PM | Attr = ]
navapsvc.exe -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 177264 bytes | Modified Date = 1/10/2005 12:20:22 PM | Attr = ]
nopdb.exe -> D:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe -> Symantec Corporation [Ver = 7.00.0.24 | Size = 181416 bytes | Modified Date = 8/30/2004 11:50:38 PM | Attr = ]
npfmntor.exe -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMNTOR.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 46704 bytes | Modified Date = 1/10/2005 12:20:42 PM | Attr = ]
nprotect.exe -> D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -> Symantec Corporation [Ver = 18.0.0.62 | Size = 95328 bytes | Modified Date = 8/30/2004 11:52:10 PM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
ocrawr32.exe -> %SystemDrive%\OPLIMIT\OCRAWR32.EXE -> Caere Corporation [Ver = 5, 0, 0, 1 | Size = 41984 bytes | Modified Date = 3/19/1998 3:22:02 PM | Attr = ]
osa.exe -> D:\Program Files\Microsoft Office\Office\OSA.EXE -> [Ver = | Size = 61440 bytes | Modified Date = 7/12/2000 9:53:20 PM | Attr = ]
palmoneliveconnect.exe -> D:\Program Files\Sony Handheld\PalmOneLiveConnect.exe -> palmOne, Inc. [Ver = 2.0.0.1 | Size = 86016 bytes | Modified Date = 4/28/2005 11:48:56 AM | Attr = ]
pctspk.exe -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 3:36:54 PM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.4 | Size = 77824 bytes | Modified Date = 1/23/2006 12:15:16 AM | Attr = ]
sndsrvc.exe -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Modified Date = 4/5/2005 11:17:22 AM | Attr = ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 478 | Size = 819352 bytes | Modified Date = 8/2/2005 9:41:20 AM | Attr = ]
tfswctrl.exe -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 3.50.31a | Size = 114741 bytes | Modified Date = 2/7/2003 1:03:00 AM | Attr = ]
vsaccess.exe -> %SystemDrive%\VSTASCAN\VsAccess.exe -> UMAX [Ver = 2.0 | Size = 282624 bytes | Modified Date = 7/11/2001 8:18:28 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
wrapper.exe -> D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe -> [Ver = | Size = 126976 bytes | Modified Date = 7/16/2004 10:26:44 PM | Attr = ]
wzqkpick.exe -> D:\Program Files\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 11/27/2001 8:10:00 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
( 11Fßä#·ºÄÖ`I) Network Security Service [Win32_Shared | Disabled | Stopped] -> %System32%\appdl32.exe -> File not found
(Autodesk Licensing Service) Autodesk Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Autodesk Shared\Service\AdskScSrv.exe -> Autodesk [Ver = 2.80.011 | Size = 85096 bytes | Modified Date = 3/23/2007 10:41:34 PM | Attr = ]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.160 | Size = 100032 bytes | Modified Date = 2/23/2006 11:41:04 AM | Attr = ]
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> Apple Computer, Inc. [Ver = 1,0,2,9 | Size = 229376 bytes | Modified Date = 11/28/2005 12:11:36 PM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 198256 bytes | Modified Date = 7/14/2005 9:16:30 PM | Attr = ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\CCPWDSVC.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 79472 bytes | Modified Date = 7/14/2005 9:16:40 PM | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 181872 bytes | Modified Date = 7/14/2005 9:16:44 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:48 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 3:24:18 AM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.160 | Size = 2045632 bytes | Modified Date = 2/23/2006 11:41:04 AM | Attr = ]
(mple7docserver) Maya 7 PLE Documentation Server [Win32_Own | Auto | Running] -> D:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe -> [Ver = | Size = 126976 bytes | Modified Date = 7/16/2004 10:26:44 PM | Attr = ]
(navapsvc) Norton AntiVirus Auto-Protect Service [Win32_Own | Auto | Running] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 177264 bytes | Modified Date = 1/10/2005 12:20:22 PM | Attr = ]
(NPFMntor) Norton AntiVirus Firewall Monitor Service [Win32_Own | Auto | Running] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMNTOR.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 46704 bytes | Modified Date = 1/10/2005 12:20:42 PM | Attr = ]
(NProtectService) Norton Unerase Protection [Win32_Own | Auto | Running] -> D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -> Symantec Corporation [Ver = 18.0.0.62 | Size = 95328 bytes | Modified Date = 8/30/2004 11:52:10 PM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
(Pctspk) PCTEL Speaker Phone [Win32_Own | Auto | Running] -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 3:36:54 PM | Attr = ]
(SAVScan) SAVScan [Win32_Own | On_Demand | Stopped] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\savscan.exe -> Symantec Corporation [Ver = 9.4.2.1 | Size = 198368 bytes | Modified Date = 3/7/2005 2:59:36 PM | Attr = ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBSERV.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 67184 bytes | Modified Date = 1/10/2005 12:20:48 PM | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 206552 bytes | Modified Date = 4/5/2005 11:17:22 AM | Attr = ]
(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 7/21/2004 9:24:04 AM | Attr = ]
(Speed Disk service) Speed Disk service [Win32_Own | Auto | Running] -> D:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe -> Symantec Corporation [Ver = 7.00.0.24 | Size = 181416 bytes | Modified Date = 8/30/2004 11:50:38 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 478 | Size = 819352 bytes | Modified Date = 8/2/2005 9:41:20 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ccApp -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 103.0.5.2 | Size = 58992 bytes | Modified Date = 7/14/2005 9:16:00 PM | Attr = ]
dla -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 3.50.31a | Size = 114741 bytes | Modified Date = 2/7/2003 1:03:00 AM | Attr = ]
dvd43 -> %ProgramFiles%\dvd43\dvd43_tray.exe -> Captain Red [Ver = 1.3.0.54 | Size = 271360 bytes | Modified Date = 12/4/2003 3:50:00 AM | Attr = ]
NetZeroDSL -> %ProgramFiles%\NetZero DSL\ConnectionCenter.exe -> NetZero, Inc. [Ver = 3.0.0.0 | Size = 1095152 bytes | Modified Date = 9/17/2007 4:48:48 PM | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 7700480 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 86016 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
nwiz -> %System32%\nwiz.exe -> [Ver = | Size = 1622016 bytes | Modified Date = 10/22/2006 12:22:00 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.4 | Size = 77824 bytes | Modified Date = 1/23/2006 12:15:16 AM | Attr = ]
StorageGuard -> %CommonProgramFiles%\Sonic\Update Manager\sgtray.exe -> Sonic Solutions [Ver = 1.01.11a | Size = 155648 bytes | Modified Date = 2/13/2003 1:01:00 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_05\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.50.5 | Size = 36975 bytes | Modified Date = 8/26/2005 6:14:44 PM | Attr = ]
Symantec NetDriver Monitor -> %ProgramFiles%\SymNetDrv\SNDMon.exe -> Symantec Corporation [Ver = 5.5.1.6 | Size = 100056 bytes | Modified Date = 8/2/2005 11:24:50 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Internet Download Accelerator -> d:\Program Files\IDA\ida.exe -> File not found
Norton SystemWorks -> D:\Program Files\Norton SystemWorks\CfgWiz.exe -> Symantec Corporation [Ver = 5.0.0.51 | Size = 132248 bytes | Modified Date = 9/9/2004 7:12:00 PM | Attr = ]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 3:06:48 PM | Attr = ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/23/2005 10:05:26 PM | Attr = ]
%AllUsersStartup%\HotSync Manager.lnk -> D:\Program Files\Sony Handheld\Hotsync.exe -> PalmSource, Inc [Ver = 6.0.1 | Size = 471040 bytes | Modified Date = 6/9/2004 2:16:08 PM | Attr = ]
%AllUsersStartup%\Kodak EasyShare software.lnk -> %ProgramFiles%\KODAK\Kodak EasyShare software\bin\EasyShare.exe -> [Ver = 5, 3, 33, 27 | Size = 180224 bytes | Modified Date = 6/7/2006 6:26:28 AM | Attr = ]
%AllUsersStartup%\WinZip Quick Pick.lnk -> D:\Program Files\WinZip\WZQKPICK.EXE -> WinZip Computing, Inc. [Ver = 1.0 (32-bit) | Size = 106560 bytes | Modified Date = 11/27/2001 8:10:00 AM | Attr = ]
< User Startup > -> C:\Documents and Settings\Michael Bloom\Start Menu\Programs\Startup ->
%UserStartup%\LifeDrive™ Manager.lnk -> D:\Program Files\Sony Handheld\LifeDriveMgrTray.exe -> palmOne, Inc. [Ver = 1.0.0.2 | Size = 86016 bytes | Modified Date = 4/28/2005 11:49:30 AM | Attr = ]
%UserStartup%\Microsoft Find Fast.lnk -> D:\Program Files\Microsoft Office\Office\FINDFAST.EXE -> [Ver = | Size = 122880 bytes | Modified Date = 7/12/2000 9:53:10 PM | Attr = ]
%UserStartup%\OCRAWARE.lnk -> %SystemDrive%\OPLIMIT\OCRAWARE.EXE -> Caere Corporation [Ver = | Size = 51360 bytes | Modified Date = 7/18/1998 11:26:06 AM | Attr = ]
%UserStartup%\Office Startup.lnk -> D:\Program Files\Microsoft Office\Office\OSA.EXE -> [Ver = | Size = 61440 bytes | Modified Date = 7/12/2000 9:53:20 PM | Attr = ]
-> %UserStartup%\PowerReg Scheduler V3.exe -> Leader Technologies [Ver = 3,0,0,0 | Size = 225280 bytes | Modified Date = 8/19/2005 10:56:16 PM | Attr = ]
%UserStartup%\UMAX VistaAccess.lnk -> %SystemDrive%\VSTASCAN\VsAccess.exe -> UMAX [Ver = 2.0 | Size = 282624 bytes | Modified Date = 7/11/2001 8:18:28 AM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft...p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft...p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft...amp;ar=iesearch ->
HKLM: SearchAssistant -> http://my.netzero.ne...i...&mn=2739352 ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://my.netzero.ne...=minisearch_dsl ->
HKCU: Search Page -> http://my.netzero.ne...=minisearch_dsl ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} [HKLM] -> %ProgramFiles%\NetZero DSL\SearchEnh1.dll [URLSearchHook Class] -> NetZero, Inc. [Ver = 3.0.0.0 | Size = 284144 bytes | Modified Date = 9/13/2007 2:34:20 PM | Attr = ]
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> *.local ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
turbotax.com [https] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{4224FF33-C2EB-4039-B8C8-6EED565B9D96} [HKLM] -> %ProgramFiles%\NetZero DSL\PopupBlocker.dll [Pop-up Blocker] -> United Online, Inc. [Ver = 1.0.0.0 | Size = 225240 bytes | Modified Date = 3/6/2007 11:27:46 AM | Attr = ]
{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} [HKLM] -> %ProgramFiles%\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll [FlpLauncher Class] -> [Ver = 1, 0, 0, 1 | Size = 61440 bytes | Modified Date = 8/21/2000 12:39:30 PM | Attr = ]
{52706EF7-D7A2-49AD-A615-E903858CF284} [HKLM] -> d:\Program Files\NetZero\qsacc\X1IEBHO.dll [Popup-Blocker Class] -> NetZero, Inc. [Ver = 3.6.00 | Size = 175560 bytes | Modified Date = 6/27/2005 4:02:02 PM | Attr = ]
{BDF3E430-B101-42AD-A544-FADC6B084872} [HKLM] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL [CNavExtBho Class] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ]
{8E613EAF-E16E-415C-BD39-F71D6A3B5518} [HKLM] -> %ProgramFiles%\NetZero DSL\Toolbar.dll [NetZero DSL] -> NetZero, Inc. [Ver = 3.0.0.0 | Size = 264688 bytes | Modified Date = 9/13/2007 2:34:26 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> D:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ]
WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} [HKLM] -> %SystemRoot%\CouponBarIE.dll [CouponBar] -> File not found
WebBrowser\\{8E613EAF-E16E-415C-BD39-F71D6A3B5518} [HKLM] -> %ProgramFiles%\NetZero DSL\Toolbar.dll [NetZero DSL] -> NetZero, Inc. [Ver = 3.0.0.0 | Size = 264688 bytes | Modified Date = 9/13/2007 2:34:26 PM | Attr = ]
WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> d:\Program Files\NetZero\Toolbar.dll [ZeroBar] -> [Ver = 2, 0, 0, 1 | Size = 292304 bytes | Modified Date = 12/1/2005 4:10:56 PM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_05\bin\npjpi150_05.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.50.5 | Size = 69746 bytes | Modified Date = 8/26/2005 6:33:54 PM | Attr = ]
{7F9DB11C-E358-4ca6-A83D-ACC663939424} -> Reg Data - Value does not exist [ButtonText: Bonjour] -> File not found
{9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Display All Images with Full Quality -> -> File not found
Display Image with Full Quality -> -> File not found
Download ALL with IDA -> Reg Data - Value does not exist -> File not found
Download with IDA -> Reg Data - Value does not exist -> File not found
Easy-WebPrint Add To Print List -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_AddToList.htm -> File not found
Easy-WebPrint High Speed Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_HSPrint.htm -> File not found
Easy-WebPrint Preview -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Preview.htm -> File not found
Easy-WebPrint Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Print.htm -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{17E4B705-43A2-4D8E-8AE4-F78E1384CC6D} -> (VIA Rhine II Fast Ethernet Adapter) ->
{4B81F4DE-0B7B-4FE5-BE09-17E8B9630991} -> () ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> Apple Computer, Inc. [Ver = 1,0,2,9 | Size = 94208 bytes | Modified Date = 11/28/2005 12:11:28 PM | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab ->
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.micr...922/wmv9VCM.CAB ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.micros...b?1124491344102 ->
{78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} -> AcDcToday Control - CodeBase = file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{AE563720-B4F5-11D4-A415-00108302FDFD} -> NOXLATE-BANR - CodeBase = file://C:\Program Files\AutoCAD 2002\InstBanr.ocx ->
{C6637286-300D-11D4-AE0A-0010830243BD} -> InstaFred - CodeBase = file://C:\Program Files\AutoCAD 2002\InstFred.ocx ->
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/...indows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload2.m...ash/swflash.cab ->
{F281A59C-7B65-11D3-8617-0010830243BD} -> AcPreview Control - CodeBase = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 11/3/2007 7:09:49 PM | Attr = ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 11/1/2007 11:12:19 PM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 11/3/2007 7:10:52 PM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 11/2/2007 12:54:31 PM | Attr = ]
txlog.xml -> %SystemDrive%\txlog.xml -> [Ver = | Size = 21 bytes | Created Date = 10/30/2007 9:15:22 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 11/4/2007 9:34:08 AM | Attr = ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 10/10/2007 3:03:26 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 10/10/2007 3:01:02 AM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 11/1/2007 11:32:42 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 11/2/2007 12:59:50 PM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 10/22/2007 2:50:46 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 10/22/2007 2:50:46 PM | Attr = H ]
appmgmt -> %System32%\appmgmt -> [Folder | Created Date = 10/30/2007 10:47:33 PM | Attr = ]
d3d9caps.dat -> %System32%\d3d9caps.dat -> [Ver = | Size = 664 bytes | Created Date = 10/30/2007 6:58:47 AM | Attr = ]
IntelVideo.dll.bak -> %System32%\IntelVideo.dll.bak -> [Ver = | Size = 245760 bytes | Created Date = 10/30/2007 12:51:04 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 11/1/2007 11:45:42 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2792 bytes | Created Date = 11/1/2007 10:44:08 PM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 11/3/2007 7:10:03 PM | Attr = ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 11/4/2007 10:05:31 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 11/3/2007 7:16:36 PM | Attr = ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Modified Date = 11/1/2007 11:12:20 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 11/4/2007 10:07:56 AM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 11/3/2007 7:15:46 PM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 11/2/2007 1:11:50 PM | Attr = ]
txlog.xml -> %SystemDrive%\txlog.xml -> [Ver = | Size = 21 bytes | Modified Date = 10/30/2007 9:15:34 AM | Attr = ]
VSTASCAN -> %SystemDrive%\VSTASCAN -> [Folder | Modified Date = 11/3/2007 11:56:12 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 11/4/2007 9:34:10 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 11/4/2007 9:34:10 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 10/10/2007 3:03:24 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 10/10/2007 3:03:28 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 10/10/2007 3:01:04 AM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 11/4/2007 10:07:36 AM | Attr = S]
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\bootstat.dat:ppvmqi ->
Cache -> %SystemRoot%\Cache -> [Folder | Modified Date = 10/30/2007 7:51:28 AM | Attr = ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 10/29/2007 6:56:20 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 11/1/2007 11:45:44 PM | Attr = S]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Modified Date = 11/3/2007 7:15:12 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 11/2/2007 1:00:06 PM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 10/27/2007 11:38:26 PM | Attr = ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 10/10/2007 3:01:24 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 10/10/2007 3:01:46 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 11/1/2007 11:45:44 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 11/3/2007 9:59:36 AM | Attr = HS]
IP4000,3000 -> %SystemRoot%\IP4000,3000 -> [Folder | Modified Date = 10/30/2007 7:51:28 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 10/17/2007 11:11:04 PM | Attr = ]
oplimit.ini -> %SystemRoot%\oplimit.ini -> [Ver = | Size = 732 bytes | Modified Date = 11/4/2007 10:06:06 AM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\oplimit.ini:rhuhij ->
outlook.pst -> %SystemRoot%\outlook.pst -> [Ver = | Size = 1343488 bytes | Modified Date = 10/12/2007 3:45:46 PM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\outlook.pst:mtujkw ->
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 11/4/2007 2:56:08 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 11/1/2007 11:25:16 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 11/4/2007 10:08:08 AM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 11/1/2007 11:24:22 PM | Attr = ]
scan05a.ini -> %SystemRoot%\scan05a.ini -> [Ver = | Size = 10438 bytes | Modified Date = 11/4/2007 2:52:08 PM | Attr = ]
StartHtmico -> %SystemRoot%\StartHtmico -> [Folder | Modified Date = 10/30/2007 7:51:40 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 11/3/2007 7:14:40 PM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 11/4/2007 1:23:06 PM | Attr = ]
umaxuapi.ini -> %SystemRoot%\umaxuapi.ini -> [Ver = | Size = 6952 bytes | Modified Date = 11/3/2007 11:56:00 AM | Attr = ]
vista32.ini -> %SystemRoot%\vista32.ini -> [Ver = | Size = 6701 bytes | Modified Date = 11/4/2007 10:11:28 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 1324 bytes | Modified Date = 10/12/2007 2:57:46 PM | Attr = ]
Norton AntiVirus - Scan my computer - Michael Bloom.job -> %SystemRoot%\tasks\Norton AntiVirus - Scan my computer - Michael Bloom.job -> [Ver = | Size = 564 bytes | Modified Date = 11/3/2007 9:02:34 AM | Attr = ]
Norton SystemWorks One Button Checkup.job -> %SystemRoot%\tasks\Norton SystemWorks One Button Checkup.job -> [Ver = | Size = 308 bytes | Modified Date = 10/29/2007 12:29:54 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/4/2007 10:07:48 AM | Attr = H ]
Symantec Drmc.job -> %SystemRoot%\tasks\Symantec Drmc.job -> [Ver = | Size = 324 bytes | Modified Date = 11/4/2007 12:00:02 AM | Attr = ]
appmgmt -> %System32%\appmgmt -> [Folder | Modified Date = 10/30/2007 10:47:34 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 11/3/2007 1:18:40 PM | Attr = ]
d3d9caps.dat -> %System32%\d3d9caps.dat -> [Ver = | Size = 664 bytes | Modified Date = 11/2/2007 10:15:50 AM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/10/2007 3:03:30 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 11/4/2007 10:05:32 AM | Attr = ]
IntelVideo.dll.bak -> %System32%\IntelVideo.dll.bak -> [Ver = | Size = 245760 bytes | Modified Date = 10/30/2007 12:51:06 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 11/1/2007 11:45:44 PM | Attr = ]
nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 87959 bytes | Modified Date = 11/4/2007 10:08:14 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 59472 bytes | Modified Date = 10/30/2007 10:04:34 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 393968 bytes | Modified Date = 10/30/2007 10:04:34 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 460590 bytes | Modified Date = 10/30/2007 10:04:34 AM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2792 bytes | Modified Date = 11/1/2007 11:05:18 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13050 bytes | Modified Date = 11/4/2007 10:07:48 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 11/2/2007 1:01:44 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemDrive%\all.exe -> [Ver = | Size = 17520 bytes | Modified Date = 8/14/2005 2:35:14 PM | Attr = ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\cpm.exe:Zone.Identifier ->
UPX! , UPX0 , -> %SystemDrive%\FixIefts.exe -> Symantec Corporation [Ver = 1.0.1 | Size = 156296 bytes | Modified Date = 10/5/2005 7:24:32 PM | Attr = ]
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\bootstat.dat:ppvmqi ->
WSUD , -> %SystemRoot%\btjsb.log -> [Ver = | Size = 3567 bytes | Modified Date = 8/20/2005 5:38:26 PM | Attr = ]
WSUD , -> %SystemRoot%\bwxfv.dat -> [Ver = | Size = 13581 bytes | Modified Date = 10/5/2005 1:32:48 AM | Attr = ]
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\clock.avi:aifrvu ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\comsetup.log:bbhqnl ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\control.ini:dhcpwn ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\dekve.dat:dopnew ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\dpcrp.txt:psnucy ->
WSUD , -> %SystemRoot%\dpcrp.txt -> [Ver = | Size = 3567 bytes | Modified Date = 10/2/2005 11:04:40 AM | Attr = ]
WSUD , -> %SystemRoot%\eglzx.dat -> [Ver = | Size = 13581 bytes | Modified Date = 9/9/2005 11:06:32 AM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\eqkcg.log:hkyekx ->
WSUD , -> %SystemRoot%\eqkcg.log -> [Ver = | Size = 13581 bytes | Modified Date = 10/1/2005 7:56:14 PM | Attr = ]
WSUD , -> %SystemRoot%\evqhw.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/10/2005 9:14:16 AM | Attr = ]
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\explorer.scf:zkjjei ->
WSUD , -> %SystemRoot%\funqg.dat -> [Ver = | Size = 13581 bytes | Modified Date = 8/30/2005 7:37:14 PM | Attr = ]
WSUD , -> %SystemRoot%\gbagc.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/21/2005 12:13:44 AM | Attr = ]
WSUD , -> %SystemRoot%\ggqvl.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/6/2005 6:51:06 PM | Attr = ]
WSUD , -> %SystemRoot%\hdmko.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/1/2005 3:41:42 AM | Attr = ]
WSUD , -> %SystemRoot%\iurku.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/3/2005 2:17:46 AM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\KB834707-IE6-20040929.115007.log:fmjkoj ->
WSUD , -> %SystemRoot%\lhdgt.log -> [Ver = | Size = 3567 bytes | Modified Date = 9/3/2005 8:51:52 PM | Attr = ]
WSUD , -> %SystemRoot%\lrokq.log -> [Ver = | Size = 3567 bytes | Modified Date = 8/26/2005 1:12:14 AM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\Michael Bloom.acl:nuowex ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\MSILog.txt:abxwkt ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\mwhii.log:jlyfrg ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\mxmmv.txt:pkbxwm ->
WSUD , -> %SystemRoot%\mxmmv.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/17/2005 1:55:00 PM | Attr = ]
WSUD , -> %SystemRoot%\nqgmt.log -> [Ver = | Size = 3567 bytes | Modified Date = 8/24/2005 5:42:30 PM | Attr = ]
WSUD , -> %SystemRoot%\nwzmc.dat -> [Ver = | Size = 13581 bytes | Modified Date = 10/3/2005 8:55:42 AM | Attr = ]
WSUD , -> %SystemRoot%\oipub.log -> [Ver = | Size = 13581 bytes | Modified Date = 8/18/2005 7:45:12 PM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\oplimit.ini:rhuhij ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\outlook.pst:mtujkw ->
WSUD , -> %SystemRoot%\pbjde.txt -> [Ver = | Size = 13581 bytes | Modified Date = 10/1/2005 5:08:04 AM | Attr = ]
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\Prairie Wind.bmp:twdcyx ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q323255.log:gzkcsn ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\Q323255.log:vvixsa ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q329170.log:ahkgmm ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q329390.log:ovbkul ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\Q810577.log:kwcjbg ->
WSUD , -> %SystemRoot%\rfxhz.txt -> [Ver = | Size = 3567 bytes | Modified Date = 9/18/2005 1:40:28 PM | Attr = ]
WSUD , -> %SystemRoot%\ridih.dat -> [Ver = | Size = 13581 bytes | Modified Date = 8/13/2005 10:21:44 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\SchedLgU.Txt:orljgf ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\setupapi.log.0.old:pbeyfq ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\Soap Bubbles.bmp:ozisrs ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\Soap Bubbles.bmp:xkxkxf ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\svcpack.log:ktvmmo ->
WSUD , -> %SystemRoot%\sxtvu.txt -> [Ver = | Size = 13581 bytes | Modified Date = 9/2/2005 10:56:46 PM | Attr = ]
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\tgyuu.log:dtnzpr ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\Upmagic.ini:cexgrv ->
WSUD , -> %SystemRoot%\uqqqb.log -> [Ver = | Size = 13581 bytes | Modified Date = 8/15/2005 11:29:54 AM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\vb.ini:camovw ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\vbaddin.ini:oxwtvq ->
WSUD , -> %SystemRoot%\vtqyx.txt -> [Ver = | Size = 3567 bytes | Modified Date = 9/1/2005 6:26:08 PM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\Windows Update.log:tcfujk ->
@Alternate Data Stream - 11758 bytes -> %SystemRoot%\WindowsUpdate.log:cjcxbh ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\wininit.ini:hyvnrc ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\wininit.ini:iefwrg ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\WS40.CHW:azwdgj ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\WS40.CHW:ryhava ->
WSUD , -> %SystemRoot%\xhpdu.log -> [Ver = | Size = 13581 bytes | Modified Date = 8/18/2005 7:32:08 AM | Attr = ]
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\xjhwa.dat:ztcmrx ->
WSUD , -> %SystemRoot%\xjhwa.dat -> [Ver = | Size = 13581 bytes | Modified Date = 9/2/2005 10:56:46 PM | Attr = ]
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\xpsp1hfm.log:krafql ->
WSUD , -> %SystemRoot%\yueyn.txt -> [Ver = | Size = 13581 bytes | Modified Date = 9/2/2005 10:56:46 PM | Attr = ]
WSUD , -> %SystemRoot%\yvtxm.txt -> [Ver = | Size = 3567 bytes | Modified Date = 9/20/2005 5:22:46 PM | Attr = ]
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\Zapotec.bmp:ndqafc ->
WSUD , -> %SystemRoot%\zcbia.txt -> [Ver = | Size = 13581 bytes | Modified Date = 9/29/2005 12:55:10 AM | Attr = ]
WSUD , -> %SystemRoot%\zkdkg.log -> [Ver = | Size = 3567 bytes | Modified Date = 9/16/2005 8:16:46 PM | Attr = ]
WSUD , -> %SystemRoot%\zrast.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/22/2005 4:10:40 PM | Attr = ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:bsmsjb ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:bsspcu ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:cdvetb ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:cjotde ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:cslrec ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cssssv ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cubxyf ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cwsqig ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:dpayks ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:eglzxx ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:egorui ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:flojax ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:ftaaxg ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:ggjcib ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:gpxnlc ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:gxrond ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:hsgzwi ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:hsvwip ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:iszkik ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:ivwynd ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:jmsfhq ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:jrtlca ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\_default.pif:jtjjwu ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:jvhlgw ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:lpptph ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:meeufw ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:mseeym ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:ndrmay ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:ngxrdd ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:oomirs ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:orljgf ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:qmacxk ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:qrgxga ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:raqecs ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:rqigip ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:rxjtif ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:sumrlz ->
@Alternate Data Stream - 197755 bytes -> %SystemRoot%\_default.pif:udmocm ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:udojve ->
@Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:vfgrmg ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:vkggfo ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:vnudpi ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:wqsdmc ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:wrchan ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:xhhewt ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:xhixyg ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:xmhpvz ->
@Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:xusgri ->
@Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:zhcpkd ->
@Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:zpqbof ->
WSUD , -> %System32%\apjed.dat -> [Ver = | Size = 13581 bytes | Modified Date = 8/27/2005 6:57:04 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
PEC2 , -> %System32%\Dwapilib.tlb -> [Ver = | Size = 197171 bytes | Modified Date = 2/14/1997 11:24:14 PM | Attr = ]
WSUD , -> %System32%\furlb.dat -> [Ver = | Size = 13581 bytes | Modified Date = 8/6/2005 11:22:38 PM | Attr = ]
WSUD , -> %System32%\fvmxv.txt -> [Ver = | Size = 3567 bytes | Modified Date = 8/23/2005 2:32:06 PM | Attr = ]
WSUD , -> %System32%\gbsln.dat -> [Ver = | Size = 13581 bytes | Modified Date = 8/1/2005 10:27:38 PM | Attr = ]
UPX! , UPX0 , -> %System32%\IntelVideo.dll.bak -> [Ver = | Size = 245760 bytes | Modified Date = 10/30/2007 12:51:06 AM | Attr = ]
WSUD , -> %System32%\ivafm.txt -> [Ver = | Size = 3567 bytes | Modified Date = 8/30/2005 2:46:36 PM | Attr = ]
WSUD , -> %System32%\iygsm.txt -> [Ver = | Size = 3567 bytes | Modified Date = 8/22/2005 5:41:26 AM | Attr = ]
WSUD , -> %System32%\jebxb.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/22/2005 1:42:12 AM | Attr = ]
WSUD , -> %System32%\lywok.txt -> [Ver = | Size = 3567 bytes | Modified Date = 9/6/2005 6:51:38 AM | Attr = ]
WSUD , -> %System32%\mcbzz.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/24/2005 11:03:48 PM | Attr = ]
Thawte Consulting , -> %System32%\mfimgvwr.ocx -> MyFamily.com, Inc. [Ver = 2.0.0.1 | Size = 189976 bytes | Modified Date = 10/18/2006 2:52:24 PM | Attr = ]
WSUD , -> %System32%\nelni.txt -> [Ver = | Size = 13581 bytes | Modified Date = 9/1/2005 10:12:32 AM | Attr = ]
WSUD , -> %System32%\ozswp.log -> [Ver = | Size = 3567 bytes | Modified Date = 7/29/2005 10:44:20 PM | Attr = ]
WSUD , -> %System32%\qwfod.txt -> [Ver = | Size = 3567 bytes | Modified Date = 8/18/2005 8:54:00 AM | Attr = ]
Thawte Consulting , -> %System32%\SmartUI2.ocx -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 2.00.0202 | Size = 874248 bytes | Modified Date = 6/14/2004 4:04:34 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
WSUD , -> %System32%\truei.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/17/2005 10:22:20 PM | Attr = ]
WSUD , -> %System32%\ugpob.log -> [Ver = | Size = 13581 bytes | Modified Date = 9/4/2005 2:37:48 PM | Attr = ]
WSUD , -> %System32%\vlsrl.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/13/2005 5:10:42 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
WSUD , -> %System32%\wmjmt.log -> [Ver = | Size = 3567 bytes | Modified Date = 8/21/2005 12:56:28 PM | Attr = ]
Thawte Consulting , -> %System32%\XceedCry.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 1.1.107.0 | Size = 512688 bytes | Modified Date = 11/19/2003 3:59:36 PM | Attr = ]
Thawte Consulting , -> %System32%\XceedZip.dll -> Xceed Software Inc (450) 442-2626 [email protected] www.xceedsoft.com [Ver = 5.0.117.0 | Size = 427864 bytes | Modified Date = 6/14/2004 3:56:26 PM | Attr = ]
WSUD , -> %System32%\xoczn.txt -> [Ver = | Size = 13581 bytes | Modified Date = 9/11/2005 6:20:20 PM | Attr = ]
WSUD , -> %System32%\zjjer.txt -> [Ver = | Size = 13581 bytes | Modified Date = 8/14/2005 8:27:14 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 10:41:38 PM | Attr = ]

< End of report >

Edited by Chemical05, 04 November 2007 - 10:59 PM.

#15
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, it looks like I was right to err on the side of caution for a keylogger, as you have a lot of ADS and log/txt/dat files. So please work on the basis that you have had one. You are correct about AVG; they are protected Norton files.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Win32 Services - Non-Microsoft Only]
YY -> ( 11Fßä#·ºÄÖ`I) Network Security Service [Win32_Shared | Disabled | Stopped] -> %System32%\appdl32.exe
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} [HKLM] -> %SystemRoot%\CouponBarIE.dll [CouponBar]
[Files/Folders - Created Within 30 days]
NY -> IntelVideo.dll.bak -> %System32%\IntelVideo.dll.bak
[Files/Folders - Modified Within 30 days]
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\bootstat.dat:ppvmqi
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\oplimit.ini:rhuhij
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\outlook.pst:mtujkw
[File String Scan - Non-Microsoft Only]
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\cpm.exe:Zone.Identifier
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\bootstat.dat:ppvmqi
NY -> WSUD , -> %SystemRoot%\btjsb.log
NY -> WSUD , -> %SystemRoot%\bwxfv.dat
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\clock.avi:aifrvu
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\comsetup.log:bbhqnl
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\control.ini:dhcpwn
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\dekve.dat:dopnew
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\dpcrp.txt:psnucy
NY -> WSUD , -> %SystemRoot%\dpcrp.txt
NY -> WSUD , -> %SystemRoot%\eglzx.dat
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\eqkcg.log:hkyekx
NY -> WSUD , -> %SystemRoot%\eqkcg.log
NY -> WSUD , -> %SystemRoot%\evqhw.txt
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\explorer.scf:zkjjei
NY -> WSUD , -> %SystemRoot%\funqg.dat
NY -> WSUD , -> %SystemRoot%\gbagc.log
NY -> WSUD , -> %SystemRoot%\ggqvl.log
NY -> WSUD , -> %SystemRoot%\hdmko.log
NY -> WSUD , -> %SystemRoot%\iurku.log
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\KB834707-IE6-20040929.115007.log:fmjkoj
NY -> WSUD , -> %SystemRoot%\lhdgt.log
NY -> WSUD , -> %SystemRoot%\lrokq.log
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\Michael Bloom.acl:nuowex
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\MSILog.txt:abxwkt
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\mwhii.log:jlyfrg
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\mxmmv.txt:pkbxwm
NY -> WSUD , -> %SystemRoot%\mxmmv.txt
NY -> WSUD , -> %SystemRoot%\nqgmt.log
NY -> WSUD , -> %SystemRoot%\nwzmc.dat
NY -> WSUD , -> %SystemRoot%\oipub.log
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\oplimit.ini:rhuhij
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\outlook.pst:mtujkw
NY -> WSUD , -> %SystemRoot%\pbjde.txt
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\Prairie Wind.bmp:twdcyx
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q323255.log:gzkcsn
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\Q323255.log:vvixsa
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q329170.log:ahkgmm
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\Q329390.log:ovbkul
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\Q810577.log:kwcjbg
NY -> WSUD , -> %SystemRoot%\rfxhz.txt
NY -> WSUD , -> %SystemRoot%\ridih.dat
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\SchedLgU.Txt:orljgf
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\setupapi.log.0.old:pbeyfq
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\Soap Bubbles.bmp:ozisrs
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\Soap Bubbles.bmp:xkxkxf
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\svcpack.log:ktvmmo
NY -> WSUD , -> %SystemRoot%\sxtvu.txt
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\tgyuu.log:dtnzpr
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\Upmagic.ini:cexgrv
NY -> WSUD , -> %SystemRoot%\uqqqb.log
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\vb.ini:camovw
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\vbaddin.ini:oxwtvq
NY -> WSUD , -> %SystemRoot%\vtqyx.txt
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\Windows Update.log:tcfujk
NY -> @Alternate Data Stream - 11758 bytes -> %SystemRoot%\WindowsUpdate.log:cjcxbh
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\wininit.ini:hyvnrc
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\wininit.ini:iefwrg
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\WS40.CHW:azwdgj
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\WS40.CHW:ryhava
NY -> WSUD , -> %SystemRoot%\xhpdu.log
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\xjhwa.dat:ztcmrx
NY -> WSUD , -> %SystemRoot%\xjhwa.dat
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\xpsp1hfm.log:krafql
NY -> WSUD , -> %SystemRoot%\yueyn.txt
NY -> WSUD , -> %SystemRoot%\yvtxm.txt
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\Zapotec.bmp:ndqafc
NY -> WSUD , -> %SystemRoot%\zcbia.txt
NY -> WSUD , -> %SystemRoot%\zkdkg.log
NY -> WSUD , -> %SystemRoot%\zrast.log
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:bsmsjb
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:bsspcu
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:cdvetb
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:cjotde
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:cslrec
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cssssv
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cubxyf
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:cwsqig
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:dpayks
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:eglzxx
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:egorui
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:flojax
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:ftaaxg
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:ggjcib
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:gpxnlc
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:gxrond
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:hsgzwi
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:hsvwip
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:iszkik
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:ivwynd
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:jmsfhq
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:jrtlca
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\_default.pif:jtjjwu
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:jvhlgw
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:lpptph
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:meeufw
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:mseeym
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:ndrmay
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:ngxrdd
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:oomirs
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:orljgf
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:qmacxk
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:qrgxga
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:raqecs
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:rqigip
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:rxjtif
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:sumrlz
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\_default.pif:udmocm
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:udojve
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:vfgrmg
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:vkggfo
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:vnudpi
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:wqsdmc
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:wrchan
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:xhhewt
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:xhixyg
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:xmhpvz
NY -> @Alternate Data Stream - 197756 bytes -> %SystemRoot%\_default.pif:xusgri
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\_default.pif:zhcpkd
NY -> @Alternate Data Stream - 0 bytes -> %SystemRoot%\_default.pif:zpqbof
NY -> WSUD , -> %System32%\apjed.dat
NY -> WSUD , -> %System32%\furlb.dat
NY -> WSUD , -> %System32%\fvmxv.txt
NY -> WSUD , -> %System32%\gbsln.dat
NY -> UPX! , UPX0 , -> %System32%\IntelVideo.dll.bak
NY -> WSUD , -> %System32%\ivafm.txt
NY -> WSUD , -> %System32%\iygsm.txt
NY -> WSUD , -> %System32%\jebxb.txt
NY -> WSUD , -> %System32%\lywok.txt
NY -> WSUD , -> %System32%\mcbzz.txt
NY -> WSUD , -> %System32%\nelni.txt
NY -> WSUD , -> %System32%\ozswp.log
NY -> WSUD , -> %System32%\qwfod.txt
NY -> WSUD , -> %System32%\truei.txt
NY -> WSUD , -> %System32%\ugpob.log
NY -> WSUD , -> %System32%\vlsrl.txt
NY -> WSUD , -> %System32%\wmjmt.log
NY -> WSUD , -> %System32%\xoczn.txt
NY -> WSUD , -> %System32%\zjjer.txt


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3U scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
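As an added example (not from this thread, and not part of WinPFind3U), here is a small Python triage script that parses report lines in the format shown above and flags the two things Essexboy keyed on: the same alternate data stream size recurring across many unrelated host files, and five-letter random-named .log/.txt/.dat files tagged WSUD. The sample report lines are constructed to resemble the format, and the host-count threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the WinPFind3U "File String Scan" format.
SAMPLE_REPORT = r"""
NY -> @Alternate Data Stream - 26 bytes -> %SystemDrive%\cpm.exe:Zone.Identifier
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\control.ini:dhcpwn
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\oplimit.ini:rhuhij
NY -> @Alternate Data Stream - 13581 bytes -> %SystemRoot%\_default.pif:egorui
NY -> @Alternate Data Stream - 197755 bytes -> %SystemRoot%\clock.avi:aifrvu
NY -> WSUD , -> %SystemRoot%\btjsb.log
NY -> WSUD , -> %System32%\apjed.dat
NY -> WSUD , -> %SystemRoot%\setupapi.log
"""

# "@Alternate Data Stream - <size> bytes -> <host path>:<stream name>"
ADS_RE = re.compile(r"@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")
# WSUD-tagged file whose basename is five lowercase letters plus .log/.txt/.dat
RANDOM_RE = re.compile(r"WSUD , -> (.*\\[a-z]{5}\.(?:log|txt|dat))$")


def parse_ads(lines):
    """Yield (size, host_path, stream_name) for each ADS entry.

    Zone.Identifier streams are skipped: Windows adds them to downloaded
    files, so they are expected and not an indicator here.
    """
    for line in lines:
        m = ADS_RE.search(line)
        if m and m.group(3) != "Zone.Identifier":
            yield int(m.group(1)), m.group(2), m.group(3)


def suspicious_stream_sizes(lines, min_hosts=3):
    """Return {size: sorted host paths} for stream sizes that recur on
    at least min_hosts distinct files. One payload copied into many
    unrelated files produces exactly this pattern (assumed threshold)."""
    hosts = defaultdict(set)
    for size, host, _stream in parse_ads(lines):
        hosts[size].add(host)
    return {s: sorted(h) for s, h in hosts.items() if len(h) >= min_hosts}


def random_named_files(lines):
    """Return the WSUD-tagged paths whose basename looks machine-generated."""
    return [m.group(1) for m in map(RANDOM_RE.search, lines) if m]


if __name__ == "__main__":
    report = SAMPLE_REPORT.splitlines()
    for size, paths in suspicious_stream_sizes(report).items():
        print(f"stream size {size} bytes on {len(paths)} files: {paths}")
    print("random-named files:", random_named_files(report))
```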