[liz_611]

Here's what I've done so far:
1. Norton - finally figured out a way to get this to run. Keeps finding perfcoo on reboot.
2. Windows updates won't install
3. Spybot won't run.
4. Can't install AVG
5. Ran CC Cleaner
6. Ran Ad Aware

mustafx, mustafx2 always show up in Start Up and when the machine reboots the following message pops up along with a DOS box: c:\winnt\system32\mustafx.exe. The NTVDM CPU has encountered an illegal situation CS: 0dc3 IP:0198 OP: ff df of 5c d3. Choose 'close' to terminate the application.

Also found kurva.dat

I've tried just about everything I can think of. Any help would be appreciated. Below is my Hijack This Log. (Had to rename this to get it to run!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:59 PM, on 1/26/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\CHKADMIN.EXE
C:\WINNT\system32\PwsTray.exe
C:\WINNT\System32\hphmon03.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [SystemTray] C:\WINNT\System32\SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Mustafx] mustafx.exe
O4 - HKLM\..\Run: [mustafx2] mustafx2.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalco...0.01/SS_POC.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...111/qboax10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O20 - AppInit_DLLs: kurva.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

--
End of file - 6777 bytes

[Advertisements]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Rorschach112]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[liz_611]

Thanks for the quick reply. I downloaded dss.exe but I can't get it to install. I saved it to my desktop. Tried saving it to c:. Tried renaming it. Nothing's working.

[Rorschach112]

Try this instead

Download WinPFind35U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

• Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
• Under Additional Scans check the box beside Reg - Disabled MS Config Items.
• Under Rootkit Search change that to Yes.
• Now click the Run Scan button on the toolbar.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply.

[liz_611]

Got it installed and it ran. A good sign. You said 'copy/paste' and also attach so I wasn't quite sure which it was you wanted so I've copied the results below and attached.

[code=auto:0]WinPFind35 logfile created on: 1/26/2008 8:31:07 PM
WinPFind35U Version Beta38 Folder = C:\Documents and Settings\Administrator\Desktop\WinPFind35u
Windows 2000 Professional Edition Service Pack 3 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)

127.42 Mb Total Physical Memory | 6.26 Mb Available Physical Memory | 4.91% Memory free
301.87 Mb Paging File | 107.84 Mb Available in Paging File | 35.72% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 11.68 Gb Free Space | 62.67% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 10.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded

Computer Name: MMR-C2RSY9BPRRX
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users


[Processes - Non-Microsoft Only]
aclient.exe -> %SystemDrive%\COMPAQ\ACLIENT\AClient.exe -> Altiris, Inc. [Ver = 4.1.171 | Size = 679936 bytes | Modified Date = 4/4/2000 5:11:54 PM | Attr = ]
cpqalert.exe -> %System32%\cpqalert.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 190464 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
cpqdfwag.exe -> %SystemRoot%\Cpqdiag\Cpqdfwag.exe -> Compaq Computer Corporation [Ver = 1.50 | Size = 233472 bytes | Modified Date = 3/31/2000 1:05:00 AM | Attr = ]
webdmi.exe -> %ProgramFiles%\Compaq\CpqWebDMI\webdmi.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 12288 bytes | Modified Date = 3/31/2000 11:39:40 AM | Attr = ]
lcrms.exe -> %ProgramFiles%\Compaq\LCRMS\LCRMS.exe -> Compaq Computer Corporation [Ver = 1.50.0.0 | Size = 376881 bytes | Modified Date = 5/23/2000 4:07:10 PM | Attr = ]
win32sl.exe -> %SystemDrive%\dmi\win32\bin\Win32sl.exe -> Intel [Ver = 2, 0, 0, 54 | Size = 215552 bytes | Modified Date = 12/7/1997 8:19:56 PM | Attr = ]
cpqdmi.exe -> %System32%\cpqdmi.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 11776 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
promon.exe -> %System32%\promon.exe -> Intel Corporation [Ver = 1.11 | Size = 29184 bytes | Modified Date = 4/13/2000 8:34:18 PM | Attr = R ]
mmkeybd.exe -> %ProgramFiles%\Compaq\Easy Access Keyboard\MMKeybd.exe -> Netropa Corp. [Ver = 1.51 | Size = 684032 bytes | Modified Date = 5/13/2000 5:08:16 PM | Attr = ]
chkadmin.exe -> %System32%\chkadmin.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 8192 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
hphmon03.exe -> %System32%\hphmon03.exe -> Hewlett-Packard [Ver = 3,4,13 | Size = 311296 bytes | Modified Date = 10/25/2001 2:55:00 PM | Attr = ]
hpztsb05.exe -> %System32%\SPOOL\DRIVERS\W32X86\3\hpztsb05.exe -> HP [Ver = 2,126,0,0 | Size = 188416 bytes | Modified Date = 4/4/2002 3:03:00 PM | Attr = ]
hphmon04.exe -> %System32%\hphmon04.exe -> Hewlett-Packard [Ver = 4,0,34 | Size = 335872 bytes | Modified Date = 4/4/2002 3:01:42 PM | Attr = ]
hpgs2wnd.exe -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> Hewlett-Packard [Ver = 2,3,0,0\ 161 | Size = 69632 bytes | Modified Date = 4/11/2002 4:19:34 AM | Attr = ]
mmusbkb2.exe -> %ProgramFiles%\Compaq\Easy Access Keyboard\Mmusbkb2.exe -> Netropa Corporation [Ver = 1.6 | Size = 49152 bytes | Modified Date = 1/7/2000 1:49:42 PM | Attr = ]
hpgs2wnf.exe -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe -> [Ver = 2, 6, 0, 161 | Size = 77824 bytes | Modified Date = 4/11/2002 4:19:36 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.11: 2007112718 | Size = 7650416 bytes | Modified Date = 11/28/2007 2:11:50 PM | Attr = ]
winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 307712 bytes | Modified Date = 1/26/2008 1:34:08 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AClient) Altiris Client Service [Win32_Own | Auto | Running] -> %SystemDrive%\COMPAQ\ACLIENT\AClient.exe -> Altiris, Inc. [Ver = 4.1.171 | Size = 679936 bytes | Modified Date = 4/4/2000 5:11:54 PM | Attr = ]
(CPQALERT) Compaq Local Alerter [Win32_Own | Auto | Running] -> %System32%\cpqalert.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 190464 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
(CpqDfwWebAgent) Compaq Remote Diagnostics Enabling Agent [Win32_Own | Auto | Running] -> %SystemRoot%\Cpqdiag\Cpqdfwag.exe -> Compaq Computer Corporation [Ver = 1.50 | Size = 233472 bytes | Modified Date = 3/31/2000 1:05:00 AM | Attr = ]
(CPQDMI) CPQDMI [Win32_Own | Auto | Running] -> %System32%\cpqdmi.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 11776 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
(CpqWebDmi) Compaq DMI Web Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Compaq\CpqWebDMI\webdmi.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 12288 bytes | Modified Date = 3/31/2000 11:39:40 AM | Attr = ]
(DefWatch) DefWatch [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Navnt\defwatch.exe -> Symantec Corporation [Ver = 7.01.00.743 | Size = 28672 bytes | Modified Date = 2/1/2000 6:01:00 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> VERITAS Software Corp. [Ver = 2195.4877.297.3 | Size = 147728 bytes | Modified Date = 7/22/2002 2:05:04 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 11/18/2007 9:03:21 PM | Attr = ]
(LCRMS) Insight Manager LC Remote Management [Win32_Own | Auto | Running] -> %ProgramFiles%\Compaq\LCRMS\LCRMS.exe -> Compaq Computer Corporation [Ver = 1.50.0.0 | Size = 376881 bytes | Modified Date = 5/23/2000 4:07:10 PM | Attr = ]
(Norton AntiVirus Server) Norton AntiVirus Client [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Navnt\rtvscan.exe -> Symantec Corporation [Ver = 7.01.00.743 | Size = 385024 bytes | Modified Date = 2/1/2000 6:01:00 AM | Attr = ]
(Pml Driver) Pml Driver [Win32_Own | On_Demand | Stopped] -> %System32%\hphipm09.exe -> HP [Ver = 4, 5, 0, 770 | Size = 77824 bytes | Modified Date = 10/25/2001 2:54:58 PM | Attr = ]
(Pml Driver HPH11) Pml Driver HPH11 [Win32_Own | On_Demand | Stopped] -> %System32%\hphipm11.exe -> HP [Ver = 4, 5, 0, 770 | Size = 77824 bytes | Modified Date = 4/4/2002 3:02:58 PM | Attr = ]
(PSEXESVC) PSEXESVC [Win32_Own | On_Demand | Stopped] -> %System32%\PSEXESVC.EXE -> Sysinternals [Ver = 1.23 | Size = 61440 bytes | Modified Date = 1/18/2003 12:17:42 AM | Attr = ]
(Win32sl) Win32sl [Win32_Own | Auto | Running] -> %SystemDrive%\dmi\win32\bin\Win32sl.exe -> Intel [Ver = 2, 0, 0, 54 | Size = 215552 bytes | Modified Date = 12/7/1997 8:19:56 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
CHKADMIN -> %System32%\chkadmin.exe -> Compaq Computer Corporation [Ver = 4.37 | Size = 8192 bytes | Modified Date = 3/31/2000 4:37:00 AM | Attr = ]
Easy Access Keyboard -> %ProgramFiles%\Compaq\Easy Access Keyboard\MMKeybd.exe -> Netropa Corp. [Ver = 1.51 | Size = 684032 bytes | Modified Date = 5/13/2000 5:08:16 PM | Attr = ]
EM_EXEC -> %ProgramFiles%\MouseWare\system\EM_EXEC.EXE -> Logitech Inc. [Ver = 9.01.78 | Size = 33792 bytes | Modified Date = 2/4/2000 9:01:00 AM | Attr = ]
HPDJ Taskbar Utility -> %System32%\SPOOL\DRIVERS\W32X86\3\hpztsb05.exe -> HP [Ver = 2,126,0,0 | Size = 188416 bytes | Modified Date = 4/4/2002 3:03:00 PM | Attr = ]
HPHmon03 -> %System32%\hphmon03.exe -> Hewlett-Packard [Ver = 3,4,13 | Size = 311296 bytes | Modified Date = 10/25/2001 2:55:00 PM | Attr = ]
HPHmon04 -> %System32%\hphmon04.exe -> Hewlett-Packard [Ver = 4,0,34 | Size = 335872 bytes | Modified Date = 4/4/2002 3:01:42 PM | Attr = ]
HPHUPD04 -> %ProgramFiles%\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe -> Hewlett-Packard [Ver = 4,0,34 | Size = 49152 bytes | Modified Date = 4/4/2002 3:04:08 PM | Attr = ]
Mustafx -> %SystemRoot%\mustafx.exe -> [Ver = | Size = 4608 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
mustafx2 -> mustafx2.exetafx.exe -> File not found
Promon.exe -> %System32%\promon.exe -> Intel Corporation [Ver = 1.11 | Size = 29184 bytes | Modified Date = 4/13/2000 8:34:18 PM | Attr = R ]
RFX_auto_upgrade -> -> File not found
Share-to-Web Namespace Daemon -> %ProgramFiles%\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe -> Hewlett-Packard [Ver = 2,3,0,0\ 161 | Size = 69632 bytes | Modified Date = 4/11/2002 4:19:34 AM | Attr = ]
vptray -> %ProgramFiles%\Navnt\vptray.exe -> Symantec Corporation [Ver = 7.01.00.743 | Size = 49152 bytes | Modified Date = 2/1/2000 6:01:00 AM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
kurva.datnts and S -> kurva.dat -> File not found
*MultiFile Done* -> ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 12:55:48 PM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 2/27/2007 11:39:26 AM | Attr = ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0 ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (735 bytes) -> C:\WINNT\System32\drivers\etc\Hosts ->
-> ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINNT\SYSTEM32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.yahoo.com/ ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: ProxyEnable -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\: Main\\Local Page -> C:\WINNT\SYSTEM32\blank.htm ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\: Main\\Start Page -> http://www.yahoo.com/ ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 11/24/2007 5:48:34 PM | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [@shdoclc.dll,-866] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{4B30061A-5B39-11D3-80F8-0090276F843F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [@shdoclc.dll,-866] -> File not found
CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{4B30061A-5B39-11D3-80F8-0090276F843F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [@shdoclc.dll,-866] -> File not found
CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1DC1F116-023E-4AED-BE63-1971B619956D} -> (Intel(R) 82559 Fast Ethernet LOM with Alert on LAN*) ->
{F631AF9A-7236-4639-BDF7-5441B94382A6} -> (Intel(R) PRO/100 VM Network Connection) ->
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKEY_USERS\.DEFAULT\] - Select to Repair > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] - Select to Repair > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx[AsyncPProt Class] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}[HKEY_LOCAL_MACHINE] -> http://www.apple.com/qtactivex/qtplugin.cab[QuickTime Object] ->
{166B1BCA-3F9C-11CF-8075-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] ->
{597C45C2-2D39-11D5-8D53-0050048383FE}[HKEY_LOCAL_MACHINE] -> http://office.microsoft.com/productupdates/content/opuc.cab[OPUCatalog Class] ->
{715A3997-ADE8-4399-AD92-353958D75076}[HKEY_LOCAL_MACHINE] -> http://www.bluefalcon.com/software/streamer/1.5.00.01/SS_POC.cab[XUpdater Control] ->
{843EE768-3A97-455C-9076-741BA3AD7B62}[HKEY_LOCAL_MACHINE] -> https://accounting.quickbooks.com/c12/v19.111/qboax10.cab[QuickBooks Online Edition Utilities Class v10] ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class] ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F}[HKEY_LOCAL_MACHINE] -> http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37804.8588888889[Reg Error: Key does not exist or could not be opened.] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
{DF6A0F17-0B1E-11D4-829D-00C04F6843FE}[HKEY_LOCAL_MACHINE] -> http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab[Microsoft Office Tools on the Web Control] ->
{E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD}[HKEY_LOCAL_MACHINE] -> http://download.abacast.com/download/files/abasetup.cab[Reg Error: Key does not exist or could not be opened.] ->
DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.] ->
Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINNT\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.] ->


[Registry - Additional Scans - Non-Microsoft Only]


[Files/Folders - Created Within 30 days]
BOOT.BAK -> %SystemDrive%\BOOT.BAK -> [Ver = | Size = 192 bytes | Created Date = 1/13/2008 5:10:06 PM | Attr = HS]
cmdcons -> %SystemDrive%\cmdcons -> [Folder | Created Date = 1/13/2008 5:09:50 PM | Attr = RHS]
cmldr -> %SystemDrive%\cmldr -> [Ver = | Size = 229264 bytes | Created Date = 1/13/2008 5:10:04 PM | Attr = RHS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 133611520 bytes | Created Date = 1/26/2008 6:44:52 PM | Attr = HS]
MGlogs.zip -> %SystemDrive%\MGlogs.zip -> [Ver = | Size = 30399 bytes | Created Date = 1/13/2008 3:27:48 PM | Attr = ]
MGtools -> %SystemDrive%\MGtools -> [Folder | Created Date = 1/13/2008 3:27:46 PM | Attr = ]
MGtools.exe -> %SystemDrive%\MGtools.exe -> [Ver = | Size = 1238689 bytes | Created Date = 1/13/2008 2:36:28 PM | Attr = R ]
SDTHOOK.SYS -> %System32%\drivers\SDTHOOK.SYS -> Panda Software [Ver = 1.6.0.0 | Size = 44928 bytes | Created Date = 1/13/2008 3:57:32 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Created Date = 1/26/2008 5:55:03 PM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 1/13/2008 3:38:39 PM | Attr = ]
2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp ->
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 1/13/2008 3:39:18 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 1/13/2008 3:38:44 PM | Attr = ]
locate.com -> %System32%\locate.com -> [Ver = | Size = 11254 bytes | Created Date = 1/13/2008 3:28:47 PM | Attr = ]
murka.dat -> %System32%\murka.dat -> [Ver = | Size = 6144 bytes | Created Date = 1/13/2008 7:56:42 PM | Attr = ]
mustafx.exe -> %System32%\mustafx.exe -> [Ver = | Size = 4608 bytes | Created Date = 1/13/2008 1:38:53 PM | Attr = ]
mustafx2.exe -> %System32%\mustafx2.exe -> [Ver = | Size = 8704 bytes | Created Date = 1/13/2008 1:38:53 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 1/13/2008 3:38:42 PM | Attr = ]
Perflib_Perfdata_32c.dat -> %System32%\Perflib_Perfdata_32c.dat -> [Ver = | Size = 16384 bytes | Created Date = 1/4/2008 9:51:34 AM | Attr = ]
Perflib_Perfdata_330.dat -> %System32%\Perflib_Perfdata_330.dat -> [Ver = | Size = 16384 bytes | Created Date = 1/7/2008 4:15:45 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 1/13/2008 3:38:44 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 1/13/2008 3:39:18 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1158 bytes | Created Date = 1/13/2008 3:36:13 PM | Attr = ]
murka.dat -> %SystemRoot%\murka.dat -> [Ver = | Size = 6144 bytes | Created Date = 1/26/2008 5:59:59 PM | Attr = ]
mustafx.exe -> %SystemRoot%\mustafx.exe -> [Ver = | Size = 4608 bytes | Created Date = 1/13/2008 1:38:53 PM | Attr = ]
mustafx2.exe -> %SystemRoot%\mustafx2.exe -> [Ver = | Size = 8704 bytes | Created Date = 1/13/2008 1:38:53 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Created Date = 1/13/2008 3:34:19 PM | Attr = ]
setup.pss -> %SystemRoot%\setup.pss -> [Folder | Created Date = 1/13/2008 5:02:03 PM | Attr = ]
2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp ->
setupupd -> %SystemRoot%\setupupd -> [Folder | Created Date = 1/13/2008 5:01:44 PM | Attr = ]
ShellIconCache -> %SystemRoot%\ShellIconCache -> [Ver = | Size = 742334 bytes | Created Date = 1/15/2008 2:05:57 PM | Attr = H ]
VPMECTMP -> %SystemRoot%\VPMECTMP -> [Folder | Created Date = 1/13/2008 6:27:08 PM | Attr = ]
? -> %SystemRoot%\ -> [Ver = | Size = 0 bytes | Modified Date = 4/9/2001 8:09:31 PM | Attr = ]
? -> %SystemRoot%\ -> [Ver = | Size = 14 bytes | Modified Date = 11/16/2007 6:55:02 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
AClient.cfg -> %SystemDrive%\AClient.cfg -> [Ver = | Size = 0 bytes | Modified Date = 1/26/2008 6:59:46 PM | Attr = ]
BandC File Cabinet -> %SystemDrive%\BandC File Cabinet -> [Folder | Modified Date = 1/4/2008 4:09:57 PM | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 268 bytes | Modified Date = 1/13/2008 5:10:06 PM | Attr = RHS]
cmdcons -> %SystemDrive%\cmdcons -> [Folder | Modified Date = 1/13/2008 5:10:06 PM | Attr = RHS]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 1/26/2008 6:53:24 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 133611520 bytes | Modified Date = 1/26/2008 6:59:33 PM | Attr = HS]
I386 -> %SystemDrive%\I386 -> [Folder | Modified Date = 1/10/2008 9:50:45 AM | Attr = R ]
MGlogs.zip -> %SystemDrive%\MGlogs.zip -> [Ver = | Size = 30399 bytes | Modified Date = 1/26/2008 6:29:11 PM | Attr = ]
MGtools -> %SystemDrive%\MGtools -> [Folder | Modified Date = 1/26/2008 7:58:57 PM | Attr = ]
MGtools.exe -> %SystemDrive%\MGtools.exe -> [Ver = | Size = 1238689 bytes | Modified Date = 1/12/2008 6:02:50 PM | Attr = R ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 1/26/2008 7:46:11 PM | Attr = R ]
WINNT -> %SystemRoot% -> [Folder | Modified Date = 1/26/2008 7:03:17 PM | Attr = ]
BEEP.SYS -> %System32%\drivers\BEEP.SYS -> [Ver = | Size = 38912 bytes | Modified Date = 1/10/2008 9:10:31 AM | Attr = ]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 1/26/2008 6:19:28 PM | Attr = ]
hosts -> %System32%\drivers\ETC\hosts -> [Ver = | Size = 735 bytes | Modified Date = 1/26/2008 6:19:28 PM | Attr = ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Modified Date = 1/26/2008 5:55:02 PM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 1/13/2008 4:48:06 PM | Attr = ]
2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp ->
DLLCACHE -> %System32%\DLLCACHE -> [Folder | Modified Date = 1/26/2008 3:40:40 PM | Attr = ]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 1/26/2008 7:04:25 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 302032 bytes | Modified Date = 1/15/2008 12:04:59 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 1/13/2008 3:38:44 PM | Attr = ]
INETSRV -> %System32%\INETSRV -> [Folder | Modified Date = 1/26/2008 7:04:04 PM | Attr = ]
murka.dat -> %System32%\murka.dat -> [Ver = | Size = 6144 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
mustafx.exe -> %System32%\mustafx.exe -> [Ver = | Size = 4608 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
mustafx2.exe -> %System32%\mustafx2.exe -> [Ver = | Size = 8704 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
NtmsData -> %System32%\NtmsData -> [Folder | Modified Date = 1/26/2008 3:31:56 PM | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 1/13/2008 3:38:44 PM | Attr = ]
Perflib_Perfdata_32c.dat -> %System32%\Perflib_Perfdata_32c.dat -> [Ver = | Size = 16384 bytes | Modified Date = 1/4/2008 9:51:36 AM | Attr = ]
Perflib_Perfdata_330.dat -> %System32%\Perflib_Perfdata_330.dat -> [Ver = | Size = 16384 bytes | Modified Date = 1/7/2008 4:15:45 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 1/13/2008 3:38:45 PM | Attr = ]
WBEM -> %System32%\WBEM -> [Folder | Modified Date = 1/13/2008 4:53:24 PM | Attr = ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 1/13/2008 4:42:42 PM | Attr = ]
2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp ->
Cpqdiag -> %SystemRoot%\Cpqdiag -> [Folder | Modified Date = 1/13/2008 4:42:44 PM | Attr = ]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 1/15/2008 2:52:23 PM | Attr = HS]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 1/14/2008 9:43:40 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 1/26/2008 4:52:30 PM | Attr = S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 1/13/2008 6:24:23 PM | Attr = ]
IME -> %SystemRoot%\IME -> [Folder | Modified Date = 1/13/2008 4:45:00 PM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 1/26/2008 3:33:55 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 1/15/2008 2:18:25 PM | Attr = HS]
MMKeybd.ini -> %SystemRoot%\MMKeybd.ini -> [Ver = | Size = 377 bytes | Modified Date = 1/26/2008 7:02:00 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1158 bytes | Modified Date = 1/13/2008 3:36:16 PM | Attr = ]
murka.dat -> %SystemRoot%\murka.dat -> [Ver = | Size = 6144 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
mustafx.exe -> %SystemRoot%\mustafx.exe -> [Ver = | Size = 4608 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
mustafx2.exe -> %SystemRoot%\mustafx2.exe -> [Ver = | Size = 8704 bytes | Modified Date = 1/26/2008 6:59:27 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Modified Date = 1/13/2008 3:34:19 PM | Attr = ]
setup.pss -> %SystemRoot%\setup.pss -> [Folder | Modified Date = 1/13/2008 5:02:03 PM | Attr = ]
setupupd -> %SystemRoot%\setupupd -> [Folder | Modified Date = 1/13/2008 5:02:27 PM | Attr = ]
ShellIconCache -> %SystemRoot%\ShellIconCache -> [Ver = | Size = 742334 bytes | Modified Date = 1/26/2008 6:57:48 PM | Attr = H ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 1/13/2008 4:47:55 PM | Attr = ]
SYSTEM -> %SystemRoot%\SYSTEM -> [Folder | Modified Date = 1/26/2008 7:03:17 PM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 1/26/2008 7:44:23 PM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 1/26/2008 3:45:56 PM | Attr = ]
VPMECTMP -> %SystemRoot%\VPMECTMP -> [Folder | Modified Date = 1/13/2008 6:27:08 PM | Attr = ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 748 bytes | Modified Date = 1/26/2008 5:55:00 PM | Attr = ]
winzip32.ini -> %SystemRoot%\winzip32.ini -> [Ver = | Size = 1702 bytes | Modified Date = 1/26/2008 5:55:00 PM | Attr = ]
? -> %SystemRoot%\ -> [Ver = | Size = 0 bytes | Modified Date = 4/9/2001 8:09:31 PM | Attr = ]
? -> %SystemRoot%\ -> [Ver = | Size = 14 bytes | Modified Date = 11/16/2007 6:55:02 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 1/26/2008 6:59:55 PM | Attr = H ]
WebReg 20071217173755.job -> %SystemRoot%\tasks\WebReg 20071217173755.job -> [Ver = | Size = 364 bytes | Modified Date = 1/26/2008 6:59:54 PM | Attr = ]

[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
C:\Documents and Settings\bandc63\My Documents\My Pictures\Sample.jpg:Q30lsldxJoudresxAaaqpcawXc 4592 bytes
C:\Documents and Settings\bandc63\My Documents\My Pictures\Sample.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\MerchantAcctInfo.tif:Q30lsldxJoudresxAaaqpcawXc 8588 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\MerchantAcctInfo.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010020.JPG:Q30lsldxJoudresxAaaqpcawXc 4952 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010020.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010001.JPG:Q30lsldxJoudresxAaaqpcawXc 7772 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010001.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010002.JPG:Q30lsldxJoudresxAaaqpcawXc 8828 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010002.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010003.JPG:Q30lsldxJoudresxAaaqpcawXc 7988 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010003.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010004.JPG:Q30lsldxJoudresxAaaqpcawXc 8508 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010004.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010005.JPG:Q30lsldxJoudresxAaaqpcawXc 9292 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010005.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010008.JPG:Q30lsldxJoudresxAaaqpcawXc 8872 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010008.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010009.JPG:Q30lsldxJoudresxAaaqpcawXc 8984 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010009.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010010.JPG:Q30lsldxJoudresxAaaqpcawXc 8428 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010010.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010011.JPG:Q30lsldxJoudresxAaaqpcawXc 8480 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010011.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010012.JPG:Q30lsldxJoudresxAaaqpcawXc 9504 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010012.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010013.JPG:Q30lsldxJoudresxAaaqpcawXc 10748 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010013.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010014.JPG:Q30lsldxJoudresxAaaqpcawXc 9696 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010014.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010015.JPG:Q30lsldxJoudresxAaaqpcawXc 7472 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010015.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010016.JPG:Q30lsldxJoudresxAaaqpcawXc 10284 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010016.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010017.JPG:Q30lsldxJoudresxAaaqpcawXc 4964 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010017.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010018.JPG:Q30lsldxJoudresxAaaqpcawXc 4276 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010018.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010019.JPG:Q30lsldxJoudresxAaaqpcawXc 5476 bytes
C:\Documents and Settings\Elizabeth Naldrett\Desktop\New Folder (2)\P1010019.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01a.JPG:Q30lsldxJoudresxAaaqpcawXc 5048 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01a.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01b.JPG:Q30lsldxJoudresxAaaqpcawXc 5136 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01b.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01c.JPG:Q30lsldxJoudresxAaaqpcawXc 5152 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\2002-02-17\sp01c.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\crstr021219.gif:Q30lsldxJoudresxAaaqpcawXc 16520 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\crstr021219.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\IdiotUser.gif:Q30lsldxJoudresxAaaqpcawXc 5620 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\IdiotUser.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\InternetPacket.gif:Q30lsldxJoudresxAaaqpcawXc 6224 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures\InternetPacket.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes
C:\Documents and Settings\Elizabeth Naldrett\My Documents\My Pictures�

Attached Files

•  WinPFind35.Txt   95.14KB   85 downloads

[Rorschach112]

Hello

Start WinPFind35U. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Mustafx -> %SystemRoot%\mustafx.exe
YN -> mustafx2 -> mustafx2.exetafx.exe
YN -> RFX_auto_upgrade ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> kurva.datnts and S -> kurva.dat
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [@shdoclc.dll,-866]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4B30061A-5B39-11D3-80F8-0090276F843F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [@shdoclc.dll,-866]
YN -> CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\] > -> HKEY_USERS\S-1-5-21-1749362141-780231336-1445493455-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{4B30061A-5B39-11D3-80F8-0090276F843F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [@shdoclc.dll,-866]
YN -> CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.]
[Files/Folders - Created Within 30 days]
YN -> 2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
YY -> murka.dat -> %System32%\murka.dat
YY -> mustafx.exe -> %System32%\mustafx.exe
YY -> mustafx2.exe -> %System32%\mustafx2.exe
YY -> murka.dat -> %SystemRoot%\murka.dat
YY -> mustafx.exe -> %SystemRoot%\mustafx.exe
YY -> mustafx2.exe -> %SystemRoot%\mustafx2.exe
YN -> 2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
YY -> ? -> %SystemRoot%\
YY -> ? -> %SystemRoot%\
[Files/Folders - Modified Within 30 days]
YN -> 2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
YY -> murka.dat -> %System32%\murka.dat
YY -> mustafx.exe -> %System32%\mustafx.exe
YY -> mustafx2.exe -> %System32%\mustafx2.exe
YN -> 2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
YY -> murka.dat -> %SystemRoot%\murka.dat
YY -> mustafx.exe -> %SystemRoot%\mustafx.exe
YY -> mustafx2.exe -> %SystemRoot%\mustafx2.exe
YY -> ? -> %SystemRoot%\
YY -> ? -> %SystemRoot%\
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan(attach the WinPFind3 scan report).

I will review the information when it comes back in.


Also post a new HijackThis log

[liz_611]

Ran the fix as you instructed but at the end it asked if I wanted to reboot. I did and the same mustafx DOS command boxes popped up. So, I ran the first scan as you instructed and then ran the fix again without rebooting. Attached is the results of the scan. Below is HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:24 PM, on 1/26/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\MGtools\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dothesear...er/sidetemp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [SystemTray] C:\WINNT\System32\SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...MetaStream3.cab
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalco...0.01/SS_POC.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...111/qboax10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usa.ccu.clearchannel.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usa.ccu.clearchannel.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usa.ccu.clearchannel.com
O18 - Protocol: ImageX - {C311A9DC-21E5-405A-AE7C-19D9C1144E89} - (no file)
O20 - AppInit_DLLs: kurva.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

--
End of file - 6601 bytes

Attached Files

•  WinPFind35.Txt   77.78KB   174 downloads

[Rorschach112]

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - (no file)
O18 - Protocol: ImageX - {C311A9DC-21E5-405A-AE7C-19D9C1144E89} - (no file)
O20 - AppInit_DLLs: kurva.dat

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log

[liz_611]

Ok. When running SDFix, I got this message: Cannot import assosfix.reg Error opening the file. I clicked ok and the program kept running. Attached is the report from that.

When the machine rebooted, none of the item you wanted me to delete in HijackThis were there and the mustafx DOS boxes did not pop up.

Below is the HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:56 PM, on 1/27/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\WINNT\System32\cpqalert.exe
C:\WINNT\CPQDIAG\CPQDFWAG.EXE
C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\CHKADMIN.EXE
C:\WINNT\system32\PwsTray.exe
C:\WINNT\System32\hphmon03.exe
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Compaq\Easy Access Keyboard\MMUSBKB2.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Navnt\vpexrt.exe
C:\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Easy Access Keyboard] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CHKADMIN] CHKADMIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\System32\hphmon03.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {715A3997-ADE8-4399-AD92-353958D75076} (XUpdater Control) - http://www.bluefalco...0.01/SS_POC.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.q...111/qboax10.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\WINNT\System32\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\CPQDIAG\CPQDFWAG.EXE
O23 - Service: CPQDMI - Compaq Computer Corporation - C:\WINNT\System32\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (CpqWebDmi) - Compaq Computer Corporation - C:\Program Files\COMPAQ\CpqWebDMI\webdmi.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
O23 - Service: Pml Driver - HP - C:\WINNT\System32\HPHipm09.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Win32sl - Intel - c:\dmi\win32\bin\Win32sl.exe

--
End of file - 6468 bytes

Attached Files

•  Report.txt   2.85KB   111 downloads

[Rorschach112]

Looking good

Can you post a new DSS log and do this

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

[liz_611]

Here's the log:

SUPERAntiSpyware Scan Log
Generated 01/27/2008 at 08:13 PM

Application Version : 3.6.1000

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 01:47:37

Memory items scanned : 451
Memory threats detected : 0
Registry items scanned : 4910
Registry threats detected : 0
File items scanned : 44069
File threats detected : 1

Trojan.Downloader-Gen/VX2
C:\WINNT\VX2.DLL

[Rorschach112]

Your logs look good ! We need to do a few things

You can delete the tools that we used


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

[liz_611]

I don't have a restore folder. This machine that I'm working on is my Dad's. It's running Win 2000. I think my login says that I'm running Win XP. If that makes any difference.

[Rorschach112]

You can continue on with the rest of the steps then

[liz_611]

Thank you so much for all of your help!