Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I've been TratBHO'd! Please help [RESOLVED]


  • This topic is locked This topic is locked

#1
cris99301

cris99301

    Member

  • Member
  • PipPip
  • 10 posts
No amount of scanning I've done with to tools recommended in the guides of this section of the forum have been able to fully remove this pesky trojan. Everytime I run my Avast, it always pops up saying a .ddl file/trojan was created in my WINDOWS/SYS32 file folder by the trojan TratBHO. I'm hoping you can help me resolve this. Please let me know what I can do help you identify my problems. Or is there a better guide I can look at to get rid of TratBHO. THANK YOU! THANK YOU!


Here is this last scan using HJT after running the Panda Active Scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:49 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Wide Orbit\WOTraffic.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O17 - HKLM\Software\..\Telephony: DomainName = Corp.FSCI.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KBOX Management Service (KBOXManagementService) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXManagementService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9501 bytes

Edited by cris99301, 30 January 2008 - 10:54 AM.

  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here you go! Thanks for getting me on the way to clear this out! :)

Deckard's System Scanner v20071014.68
Run by cheadley on 2008-01-31 10:43:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-31 18:43:04 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-31 10:44:38
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\BRSVC01A.EXE
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cheadley\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\KUsrInit.exe,
O1 - Hosts: 192.168.82.29 kima400
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {26b19339-79f8-61ba-4714-c550ce38d141} - {141d83ec-055c-4174-ab16-8f9793391b62} - C:\WINDOWS\system32\xwdfyyvd.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: (no name) - {4FF33FC1-24DD-410E-8261-B367B2A4A212} - C:\WINDOWS\system32\ddcyv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A05E92F4-070A-4F3C-94B2-684141F396B1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O2 - BHO: (no name) - {DBAC1417-9C19-46A5-A260-7F15B394943E} - (no file)
O2 - BHO: (no name) - {E24E8E5A-F57A-4B47-8609-FA21318DF724} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [25dfcc56] rundll32.exe "C:\WINDOWS\system32\hxvtmfle.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.micr.../OGAControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.micros...ntent/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = Corp.FSCI.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\system32\
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\system32\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\BRSVC01A.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\cwbrxd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KBOX Management Service (KBOXManagementService) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXManagementService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 11270 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S1 ztx86 - c:\windows\system32\ztx86.sys (file missing)
S4 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S4 WINIO - pý (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 KBOXManagementService (KBOX Management Service) - c:\program files\kace\kbox\kboxmanagementservice.exe <Not Verified; KACE Networks, Inc.; KBOX Client>
R2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S2 winvnc (VNC Server) -
S3 Cwbrxd (Client Access Express Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM® AS/400® Client Access Express for Windows®>
S3 NMIndexingService -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&61AAA01&0
Manufacturer: Logitech
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&61AAA01&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Keyboard
Device ID: ACPI\PNP0303\3&61AAA01&0
Manufacturer: Logitech
Name: PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\3&61AAA01&0
Service: i8042prt

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: hp LaserJet 2430
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: Hewlett-Packard
Name: hp LaserJet 2430
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: hp LaserJet 4250
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: Hewlett-Packard
Name: hp LaserJet 4250
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro K5400
Device ID: ROOT\MULTIFUNCTION\0002
Manufacturer: HP
Name: Officejet Pro K5400
PNP Device ID: ROOT\MULTIFUNCTION\0002
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet 4100 Series
Device ID: ROOT\MULTIFUNCTION\0003
Manufacturer: Hewlett-Packard
Name: HP LaserJet 4100 Series
PNP Device ID: ROOT\MULTIFUNCTION\0003
Service:

Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}
Description: Officejet Pro K5400
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet Pro K5400
PNP Device ID: ROOT\PRINTER\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-01-31 10:40:00 428 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{4F512D9F-9772-404B-8C75-A5F57A962893}.job
2008-01-30 13:15:06 346 --a------ C:\WINDOWS\Tasks\local disk c.job


-- Files created between 2007-12-31 and 2008-01-31 -----------------------------

2008-01-31 10:42:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-01-31 10:09:39 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-31 10:07:41 90688 --a------ C:\WINDOWS\system32\hxvtmfle.dll
2008-01-31 09:59:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-31 09:57:45 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-01-31 09:57:39 0 d-------- C:\WINDOWS\ccr
2008-01-31 09:57:06 0 d-------- C:\Program Files\HP
2008-01-31 09:55:10 1756 -----n--- C:\WINDOWS\hpwmdl06.dat
2008-01-31 09:55:10 141053 --a------ C:\WINDOWS\hpwins06.dat
2008-01-31 09:39:04 95296 --a------ C:\WINDOWS\system32\xwdfyyvd.dll
2008-01-30 13:42:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-30 13:42:51 0 d-------- C:\Documents and Settings\bgayken\Application Data\PrevxCSI
2008-01-30 13:41:02 0 d-------- C:\Program Files\ToniArts
2008-01-30 12:50:27 0 d-------- C:\Documents and Settings\bgayken\Application Data\Adobe
2008-01-29 12:22:39 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-29 12:22:09 8576 --a------ C:\WINDOWS\system32\drivers\ipjakfbjcnfe.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-29 12:05:22 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 11:13:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 11:12:25 371896 --ahs---- C:\WINDOWS\system32\vycdd.ini2
2008-01-29 11:12:22 332288 -----n--- C:\WINDOWS\system32\ddcyv.dll
2008-01-29 10:01:45 0 d-------- C:\VundoFix Backups
2008-01-28 11:24:09 320600 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-01-28 09:29:36 322701 --ahs---- C:\WINDOWS\system32\ijjlm.ini2
2008-01-25 17:12:53 0 d-------- C:\Program Files\Google
2008-01-25 12:38:00 0 d-------- C:\Program Files\1st Registry Repair
2008-01-25 10:15:44 6805 --ahs---- C:\WINDOWS\system32\fgjlm.ini2
2008-01-25 08:29:48 6772 --ahs---- C:\WINDOWS\system32\wycdd.ini2
2008-01-24 09:08:29 0 d-------- C:\Program Files\Alwil Software
2008-01-23 14:54:44 0 d-------- C:\WINDOWS\pss
2008-01-23 11:56:40 0 d-------- C:\Program Files\Trend Micro
2008-01-23 09:14:45 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-23 09:09:50 0 d-------- C:\Documents and Settings\bgayken\Application Data\HotSync
2008-01-23 09:09:14 0 d--h----- C:\Documents and Settings\bgayken\Templates
2008-01-23 09:09:14 0 dr------- C:\Documents and Settings\bgayken\Start Menu
2008-01-23 09:09:14 0 dr-h----- C:\Documents and Settings\bgayken\SendTo
2008-01-23 09:09:14 0 dr-h----- C:\Documents and Settings\bgayken\Recent
2008-01-23 09:09:14 0 d--h----- C:\Documents and Settings\bgayken\PrintHood
2008-01-23 09:09:14 0 d--h----- C:\Documents and Settings\bgayken\NetHood
2008-01-23 09:09:14 0 dr------- C:\Documents and Settings\bgayken\My Documents
2008-01-23 09:09:14 0 d--h----- C:\Documents and Settings\bgayken\Local Settings
2008-01-23 09:09:14 0 dr------- C:\Documents and Settings\bgayken\Favorites
2008-01-23 09:09:14 0 d-------- C:\Documents and Settings\bgayken\Desktop
2008-01-23 09:09:14 0 d--hs---- C:\Documents and Settings\bgayken\Cookies
2008-01-23 09:09:14 0 dr-h----- C:\Documents and Settings\bgayken\Application Data
2008-01-23 09:09:14 0 d-------- C:\Documents and Settings\bgayken\Application Data\Symantec
2008-01-23 09:09:14 0 d---s---- C:\Documents and Settings\bgayken\Application Data\Microsoft
2008-01-23 09:09:14 0 d-------- C:\Documents and Settings\bgayken\Application Data\Identities
2008-01-23 09:09:14 0 d-------- C:\Documents and Settings\bgayken\Application Data\Google
2008-01-23 09:09:13 1310720 --ah----- C:\Documents and Settings\bgayken\NTUSER.DAT
2008-01-22 13:43:13 6921 --ahs---- C:\WINDOWS\system32\mpqss.ini2
2008-01-22 13:22:06 0 dr-h----- C:\Documents and Settings\cheadley\Recent
2008-01-22 12:17:24 2 --a------ C:\635423993
2008-01-10 09:49:40 0 d-------- C:\Program Files\DESI
2008-01-09 12:47:05 151552 --a------ C:\WINDOWS\system32\DVZAddin.dll <Not Verified; DataViz, Inc.; Documents To Go>
2008-01-09 12:45:52 0 d-------- C:\Program Files\Common Files\DataViz
2008-01-09 12:45:52 0 d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-01-09 11:59:41 0 d-------- C:\Program Files\Documents To Go
2008-01-09 10:14:59 0 d-------- C:\Program Files\Palm Inc
2008-01-03 14:45:40 13359 --a------ C:\WINDOWS\system32\drivers\SYDEXFDD.SYS <Not Verified; Windows ® 2000 DDK provider; Sydex Floppy Driver for Windows 2000>
2008-01-03 14:45:40 0 d-------- C:\ESWin


-- Find3M Report ---------------------------------------------------------------

2008-01-30 15:42:41 0 d-------- C:\Program Files\Zilla Data Nuker
2008-01-30 13:41:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-30 13:36:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-30 13:36:26 0 d-------- C:\Program Files\Symantec
2008-01-30 13:29:06 0 d-------- C:\Program Files\Hewlett-Packard
2008-01-29 13:31:27 0 d-------- C:\Program Files\palmOne
2008-01-29 13:15:34 0 d-------- C:\Program Files\Bonjour
2008-01-29 13:15:32 0 d-------- C:\Program Files\Billeo
2008-01-29 11:59:16 0 d-------- C:\Program Files\Common Files
2008-01-28 10:10:11 9216 --a------ C:\Program Files\DUP509A.tmp
2008-01-25 11:37:30 9216 --a------ C:\Program Files\DUPAD67.tmp
2008-01-23 09:09:27 0 d-------- C:\Program Files\Web Publish
2008-01-23 08:59:39 0 d-------- C:\Program Files\Eraser
2008-01-22 13:43:29 0 d-------- C:\Program Files\Mgboss
2008-01-22 13:43:22 0 d-------- C:\Program Files\UltraVNC
2008-01-21 15:22:25 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-21 09:27:47 0 d-------- C:\Documents and Settings\cheadley\Application Data\Adobe
2007-12-27 09:17:06 0 d-------- C:\Program Files\Brownie
2007-12-26 17:22:26 88 -r-hs---- C:\WINDOWS\system32\10E61E4450.sys
2007-12-24 11:28:29 56 -r-hs---- C:\WINDOWS\system32\3982066E18.sys
2007-12-24 11:27:58 364544 --a------ C:\WINDOWS\system32\MPIWIN32.DLL <Not Verified; MARX CryptoTech LP; Local + Network MPI>
2007-12-24 11:27:58 43520 --a------ C:\WINDOWS\system32\CBNDLL.DLL
2007-12-14 13:49:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-12 09:28:41 0 d-------- C:\Program Files\BIN
2007-12-11 14:50:18 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2007-12-11 14:50:18 383 --a------ C:\WINDOWS\system32\haspdos.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{141d83ec-055c-4174-ab16-8f9793391b62}]
01/31/2008 09:39 AM 95296 --a------ C:\WINDOWS\system32\xwdfyyvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FF33FC1-24DD-410E-8261-B367B2A4A212}]
01/29/2008 11:12 AM 332288 --------- C:\WINDOWS\system32\ddcyv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A05E92F4-070A-4F3C-94B2-684141F396B1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBAC1417-9C19-46A5-A260-7F15B394943E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E24E8E5A-F57A-4B47-8609-FA21318DF724}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 12:03 PM C:\WINDOWS\KHALMNPR.Exe]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]
"@"="" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/07/2006 01:02 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/17/2006 06:34 AM]
"25dfcc56"="C:\WINDOWS\system32\hxvtmfle.dll" [01/31/2008 10:07 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/25/2008 05:14 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
billeo.lnk - C:\Program Files\Billeo\billeo.exe [8/28/2007 4:24:50 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [6/9/2004 2:27:34 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\Media\fuwarxyus.dll 01/22/2008 12:17 PM 53760 C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyv
"Notification Packages"= scecli [RANDOM CHARACTERS].dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
HPService HPSLPSVC
hpdevmgmt hpqcxs08 hpqddsvc

*Newly Created Service* - HPQCXS08
*Newly Created Service* - HPQDDSVC



-- Hosts -----------------------------------------------------------------------

192.168.82.29 kima400
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD

61 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-31 10:45:27 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 958.48 MiB / 391.61 MiB
Pagefile Memory (total/avail): 2317.25 MiB / 1886.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.35 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 60.43 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3808110AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.1.0.394 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\\msiexec.exe:*:Enabled:Windows® installer"
"C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe"="C:\\Program Files\\Hewlett-Packard\\hp business inkjet 1200 series\\Toolbox\\HPWNTBX.exe:*:Enabled:Toolbox for HP Printing System for Windows"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"="C:\\Program Files\\Magentic\\bin\\MgImp.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"="C:\\Program Files\\Magentic\\bin\\Magentic.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"="C:\\Program Files\\Magentic\\bin\\MgApp.exe:*:Enabled:Magentic"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:bittorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\cheadley\\Desktop\\incredimail_install.exe"="C:\\Documents and Settings\\cheadley\\Desktop\\incredimail_install.exe:*:Enabled:IncrediMail Installer"
"D:\\setup\\HPZNUI01.EXE"="D:\\setup\\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"="C:\\Program Files\\Magentic\\bin\\Magentic.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"="C:\\Program Files\\Magentic\\bin\\MgApp.exe:*:Enabled:Magentic"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\DOCUME~1\\cheadley\\LOCALS~1\\Temp\\win33D.exe"="C:\\DOCUME~1\\cheadley\\LOCALS~1\\Temp\\win33D.exe:*:Enabled:win33D"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cheadley\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=W105251
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\cheadley
LOGONSERVER=\\S400007
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cheadley\LOCALS~1\Temp
TMP=C:\DOCUME~1\cheadley\LOCALS~1\Temp
USERDNSDOMAIN=CORP.FSCI.COM
USERDOMAIN=CORP
USERNAME=cheadley
USERPROFILE=C:\Documents and Settings\cheadley
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

woguest
Administrator.KEPR (admin)
Administrator (admin)
bgayken (admin)
cheadley (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\AFPViewr\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL14.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL15.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL16.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Acrobat 8.1.0 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Billeo --> C:\Program Files\Billeo\uninstall.exe
Broadcom Management Programs --> MsiExec.exe /I{058B32E2-6310-4359-B2D4-1988390C3B83}
Brother HL-5170DN --> "C:\Program Files\Brother\BRHL5170\IsUninst.exe" -f"C:\Program Files\Brother\BRHL5170\DeIsL1.isu" -cbruninst.dll
Calendar Creator 10 --> MsiExec.exe /I{C8CE30F9-CBD0-43B1-BFD3-B18F55A48827}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DESI Labeling System --> C:\PROGRA~1\DESI\UNWISE.EXE C:\PROGRA~1\DESI\INSTALL.LOG
Documents To Go --> MsiExec.exe /X{5DFEA208-13FB-422B-A024-81F588764A3B}
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9
Google Toolbar for Internet Explorer --> MsiExec.exe /X{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\SETUP.EXE" -l0x9
hp LaserJet 4250/4350/4240 --> C:\Program Files\Hewlett-Packard\hp LaserJet 4250 4350 4240\Installer\hpsetup.exe /x
hp LaserJet 4250/4350/4240 --> msiexec /x{E063B3E2-6641-4375-9F09-ADA9E589EB90}
HP Officejet Pro K5300/5400 Series --> C:\Program Files\HP\Digital Imaging\{4EA00463-0FD4-4378-A148-6544CD5868D0}\setup\hpzscr01.exe -datfile hpwscr06.dat
HP Printer Access Tool --> MsiExec.exe /X{D8DBCF67-C44C-4768-8112-9CADBAC390E6}
HP Safety and Comfort Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAC4426A-42CD-4B4E-8057-9738C96F2C8F}\SETUP.EXE" -l0x9
IBM AS/400 Client Access Express for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 12 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
KBOX --> C:\Program Files\KACE\KBOX\kinstaller.exe -uninstall
KhalSetup --> MsiExec.exe /I{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Media Sales Manager --> C:\WinMSM\UNWISE.EXE C:\WinMSM\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7279647E-8661-48DF-998E-E7DCC3E6955D}
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Palm Outlook Conduits Updater --> MsiExec.exe /I{616A66CD-D36D-4E24-8B67-33AFDFF48061}
palmOne --> MsiExec.exe /X{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Software Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Software Setup\Uninst.isu" -c"C:\Program Files\COMPAQ\Software Setup\CPQUNST.DLL"
Symantec AntiVirus --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
UltraVNC v1.0.2 --> "C:\Program Files\UltraVNC\unins000.exe"
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Zilla Data Nuker 2.0.0.0 --> "C:\Program Files\Zilla Data Nuker\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10763 / Error
Event Submitted/Written: 01/31/2008 10:41:57 AM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Downloader in File: C:\Documents and Settings\cheadley\Local Settings\Temporary Internet Files\Content.IE5\FXZUFBWD\index[2].htm by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: Risk was partially removed.

Event Record #/Type10762 / Error
Event Submitted/Written: 01/31/2008 10:41:57 AM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Risk Found!Risk: Downloader in File: C:\Documents and Settings\cheadley\Local Settings\Temporary Internet Files\Content.IE5\FXZUFBWD\index[2].htm by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

Event Record #/Type10761 / Error
Event Submitted/Written: 01/31/2008 10:41:56 AM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Downloader in File: C:\Documents and Settings\cheadley\Local Settings\Temporary Internet Files\Content.IE5\FXZUFBWD\index[2].htm by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

Event Record #/Type10759 / Warning
Event Submitted/Written: 01/31/2008 10:13:48 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{D2AEF79D-1890-4989-BF2D-7D446F09F4EE}'

Event Record #/Type10758 / Warning
Event Submitted/Written: 01/31/2008 10:13:48 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles', component '{19D39DFE-675D-4FF8-80BD-092CF5894B84}' failed. The resource 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42042206-2D85-11D3-8CFF-005004838597}' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12028 / Error
Event Submitted/Written: 01/31/2008 10:44:58 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type11996 / Error
Event Submitted/Written: 01/31/2008 10:07:15 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147500053

Event Record #/Type11995 / Error
Event Submitted/Written: 01/31/2008 10:07:15 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The VNC Server service failed to start due to the following error:
%%3

Event Record #/Type11983 / Error
Event Submitted/Written: 01/31/2008 10:02:18 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147500053

Event Record #/Type11980 / Warning
Event Submitted/Written: 01/31/2008 09:59:52 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP Officejet Pro K5400 Series for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, hpwk5403.GPD, UNIDRV.HLP, hpwhk540.cfg, hpwk540a.ini, hpzst4v2.dll, hpz3c4v2.dll, hpzur4v2.dll, hpwk5403.xml, hpzsc4v2.dtd, hpzui4v2.dll, hpz3r4v6.dll, hpzpr4v2.dll, hpcdmc32.dll, hpbcfgre.dll, hpzsm4v2.gpd, hpz3m4v2.gpd, hpzev4v2.dll, hpzhl4v2.cab, STDNAMES.GPD, hpfie4v2.dll, hpfig4v2.dll, hpfrs4v2.dll, UNIRES.DLL.



-- End of Deckard's System Scanner: finished at 2008-01-31 10:45:27 ------------
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I ran ComboFix. The log is below along with the one produced by HiJackThis. One thing though, my computer time is now on military time. Is there any way to not make it appear in military time? It's causing confusion when I log into my network. :)

Thanks!

ComboFix 08-02.01.1 - cheadley 2008-01-31 14:46:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT -8:00]
Running from: C:\Documents and Settings\cheadley\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\cheadley\g2mdlhlpx.exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\Media\fuwarxyus.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\elfmtvxh.ini
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fjnfvddv.ini
C:\WINDOWS\system32\gkrtloya.ini
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini2
C:\WINDOWS\system32\hxvtmfle.dll
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\jwekbfxj.ini
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\sfdnqopf.ini
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\xwdfyyvd.dll
C:\WINDOWS\system32\yanwgdkv.ini

----- BITS: Possible infected sites -----

hxxp://gpdl.google.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 10:42 . 2008-01-31 10:42 <DIR> d-------- C:\Deckard
2008-01-31 10:09 . 2008-01-31 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-31 09:59 . 2008-01-31 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-31 09:59 . 2007-01-13 00:31 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-01-31 09:59 . 2007-01-31 16:16 118,272 --a------ C:\WINDOWS\system32\hpz3l4v6.dll
2008-01-31 09:57 . 2008-01-31 09:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-31 09:57 . 2008-01-31 09:57 <DIR> d-------- C:\WINDOWS\ccr
2008-01-31 09:57 . 2008-01-31 09:57 <DIR> d-------- C:\Program Files\HP
2008-01-31 09:57 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-31 09:57 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-31 09:56 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-31 09:56 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-31 09:55 . 2008-01-31 10:08 141,053 --a------ C:\WINDOWS\hpwins06.dat
2008-01-31 09:55 . 2007-05-29 03:15 1,756 --------- C:\WINDOWS\hpwmdl06.dat
2008-01-30 13:42 . 2008-01-30 14:05 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\PrevxCSI
2008-01-30 13:42 . 2008-01-30 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-30 13:41 . 2008-01-30 13:41 <DIR> d-------- C:\Program Files\ToniArts
2008-01-30 13:35 . 2006-01-31 13:29 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-30 13:35 . 2006-01-31 13:29 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-30 12:53 . 2006-12-20 11:26 251,172 --a------ C:\WINDOWS\hpbj1200.hi1
2008-01-30 12:53 . 2006-12-20 11:26 19,559 --a------ C:\WINDOWS\hpbj1200.bu1
2008-01-29 12:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-29 12:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ipjakfbjcnfe.sys
2008-01-29 12:05 . 2008-01-29 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 12:05 . 2008-01-29 12:05 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-29 12:05 . 2008-01-29 12:05 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-29 12:05 . 2008-01-29 12:05 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-29 11:13 . 2008-01-29 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 10:01 . 2008-01-29 11:04 <DIR> d-------- C:\VundoFix Backups
2008-01-29 04:07 . 2008-01-29 04:07 16,600 --a------ C:\WINDOWS\BM26ecffca.xml
2008-01-29 04:07 . 2008-01-29 13:58 22 --a------ C:\WINDOWS\pskt.ini
2008-01-25 17:12 . 2008-01-29 13:25 <DIR> d-------- C:\Program Files\Google
2008-01-25 12:38 . 2008-01-28 09:27 <DIR> d-------- C:\Program Files\1st Registry Repair
2008-01-24 09:08 . 2008-01-24 09:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 11:56 . 2008-01-23 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 09:14 . 2008-01-31 14:53 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-01-23 09:09 . 2006-09-21 11:29 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\Symantec
2008-01-23 09:09 . 2008-01-23 09:09 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\HotSync
2008-01-22 13:44 . 2004-08-04 05:00 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-22 13:44 . 2004-08-04 05:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-22 12:18 . 2004-08-04 05:00 5,632 --a------ C:\WINDOWS\system32\winver.exe
2008-01-22 12:18 . 2004-08-04 05:00 5,632 --a------ C:\WINDOWS\system32\dllcache\winver.exe
2008-01-22 12:17 . 2008-01-22 12:17 2 --a------ C:\635423993
2008-01-10 09:50 . 2008-01-10 10:56 307 --a------ C:\WINDOWS\DESI.INI
2008-01-10 09:49 . 2008-01-10 09:50 <DIR> d-------- C:\Program Files\DESI
2008-01-09 12:47 . 2004-03-11 20:37 151,552 --a------ C:\WINDOWS\system32\DVZAddin.dll
2008-01-09 12:45 . 2008-01-29 13:22 <DIR> d-------- C:\Program Files\Common Files\DataViz
2008-01-09 12:45 . 2008-01-09 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-01-09 11:59 . 2008-01-09 12:47 <DIR> d-------- C:\Program Files\Documents To Go
2008-01-09 10:49 . 2008-01-09 10:55 16,694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-01-09 10:14 . 2008-01-09 10:14 <DIR> d-------- C:\Program Files\Palm Inc
2008-01-04 09:15 . 2008-01-04 09:15 0 --a------ C:\WINDOWS\Wilsch.INI
2008-01-03 14:45 . 2008-01-15 14:14 <DIR> d-------- C:\ESWin
2008-01-03 14:45 . 2003-08-01 14:00 13,359 --a------ C:\WINDOWS\system32\drivers\SYDEXFDD.SYS
2007-12-24 11:27 . 2007-12-24 11:27 <DIR> d-------- C:\WINDOWS\system32\Temp
2007-12-24 11:27 . 2007-12-24 11:27 364,544 --a------ C:\WINDOWS\system32\MPIWIN32.DLL
2007-12-24 11:27 . 2007-12-24 11:27 45,056 --a------ C:\WINDOWS\system32\drivers\CBUSB.SYS
2007-12-24 11:27 . 2007-12-24 11:27 43,520 --a------ C:\WINDOWS\system32\CBNDLL.DLL
2007-12-24 11:24 . 2007-12-24 11:28 56 -r-hs---- C:\WINDOWS\system32\3982066E18.sys
2007-12-14 13:51 . 2007-12-26 17:22 88 -r-hs---- C:\WINDOWS\system32\10E61E4450.sys
2007-12-14 13:49 . 2007-12-14 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-12 10:33 . 2007-12-12 12:52 117 --a------ C:\WINDOWS\wincmd.ini
2007-12-12 09:45 . 1994-04-19 12:00 120 --a------ C:\WINDOWS\WINRESAZ.INI
2007-12-11 14:50 . 2007-12-11 14:50 461,824 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-12-11 14:50 . 2007-12-11 14:50 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-12-11 14:50 . 2007-12-11 14:50 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-12-11 14:50 . 2008-01-03 14:46 2,628 --a------ C:\WINDOWS\system32\config.hsp
2007-12-11 14:50 . 2007-12-11 14:50 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-12-11 14:49 . 2007-12-12 09:28 <DIR> d-------- C:\Program Files\BIN
2007-12-11 13:37 . 2007-12-11 13:37 0 --a------ C:\WINDOWS\vpc32.INI
2007-12-11 10:07 . 2008-01-30 13:36 <DIR> d-------- C:\Program Files\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 23:42 --------- d-----w C:\Program Files\Zilla Data Nuker
2008-01-30 21:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 21:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-30 21:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-30 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-29 21:31 --------- d-----w C:\Program Files\palmOne
2008-01-29 21:15 --------- d-----w C:\Program Files\Bonjour
2008-01-29 21:15 --------- d-----w C:\Program Files\Billeo
2008-01-28 18:10 9,216 ----a-w C:\Program Files\DUP509A.tmp
2008-01-25 19:37 9,216 ----a-w C:\Program Files\DUPAD67.tmp
2008-01-23 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 17:09 --------- d-----w C:\Program Files\Web Publish
2008-01-23 16:59 --------- d-----w C:\Program Files\Eraser
2008-01-22 21:43 --------- d-----w C:\Program Files\UltraVNC
2008-01-22 21:43 --------- d-----w C:\Program Files\Mgboss
2008-01-18 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 00:15 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 17:17 --------- d-----w C:\Program Files\Brownie
2007-12-14 21:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-29 21:09 --------- d-----w C:\Program Files\Lavasoft
2007-08-28 21:15 88 --sh--r C:\WINDOWS\system32\186E068239.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-25 17:14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-08-28 16:24:50 1033480]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli [RANDOM CHARACTERS].dll

R2 HPSLPSVC;HP Network Devices Support;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:00]
R2 KBOXManagementService;KBOX Management Service;C:\Program Files\KACE\KBOX\KBOXManagementService.exe [2007-04-03 12:21]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
S1 ztx86;ztx86;C:\WINDOWS\system32\ztx86.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 21:15:06 C:\WINDOWS\Tasks\local disk c.job"
- C:\Program Files\Zilla Data Nuker\Shredder.exe&
"2008-01-31 22:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4F512D9F-9772-404B-8C75-A5F57A962893}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 14:54:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-01-31 14:57:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 22:57:40
.
2007-10-10 10:02:02 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02, on 2008-01-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O17 - HKLM\Software\..\Telephony: DomainName = Corp.FSCI.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KBOX Management Service (KBOXManagementService) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXManagementService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 9359 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\pskt.ini
C:\Program Files\DUP509A.tmp
C:\Program Files\DUPAD67.tmp
C:\WINDOWS\Media\fuwarxyus.dll

Dirlook::
C:\635423993

Driver::
ztx86


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
  • 0

#7
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
There is no picture.... just a photobucket placeholder. Do you have a different picture or reference? Thanks!
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No I don't have one.

Just drag the CFScript into ComboFix.exe

Then post the resulting log
  • 0

#9
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I completed all the steps you outlined in the above posts. I've also pasted my ComboFix log as asked. I hope it looks good!

-Cris


ComboFix 08-02.01.1 - cheadley 2008-02-01 9:14:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -8:00]
Running from: C:\Documents and Settings\cheadley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cheadley\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\DUP509A.tmp
C:\Program Files\DUPAD67.tmp
C:\WINDOWS\Media\fuwarxyus.dll
C:\WINDOWS\pskt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\DUP509A.tmp
C:\Program Files\DUPAD67.tmp
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ztx86


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-31 10:42 . 2008-01-31 10:42 <DIR> d-------- C:\Deckard
2008-01-31 10:09 . 2008-01-31 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-31 09:59 . 2008-01-31 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-31 09:59 . 2007-01-13 00:31 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-01-31 09:59 . 2007-01-31 16:16 118,272 --a------ C:\WINDOWS\system32\hpz3l4v6.dll
2008-01-31 09:57 . 2008-01-31 09:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-31 09:57 . 2008-01-31 09:57 <DIR> d-------- C:\WINDOWS\ccr
2008-01-31 09:57 . 2008-01-31 09:57 <DIR> d-------- C:\Program Files\HP
2008-01-31 09:57 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-31 09:57 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-31 09:56 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-31 09:56 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-31 09:55 . 2008-01-31 10:08 141,053 --a------ C:\WINDOWS\hpwins06.dat
2008-01-31 09:55 . 2007-05-29 03:15 1,756 --------- C:\WINDOWS\hpwmdl06.dat
2008-01-30 13:42 . 2008-01-30 14:05 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\PrevxCSI
2008-01-30 13:42 . 2008-01-30 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-30 13:41 . 2008-01-30 13:41 <DIR> d-------- C:\Program Files\ToniArts
2008-01-30 13:35 . 2006-01-31 13:29 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-30 13:35 . 2006-01-31 13:29 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-30 12:53 . 2006-12-20 11:26 251,172 --a------ C:\WINDOWS\hpbj1200.hi1
2008-01-30 12:53 . 2006-12-20 11:26 19,559 --a------ C:\WINDOWS\hpbj1200.bu1
2008-01-29 12:22 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-29 12:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ipjakfbjcnfe.sys
2008-01-29 12:05 . 2008-01-29 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 12:05 . 2008-01-29 12:05 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-29 12:05 . 2008-01-29 12:05 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-29 12:05 . 2008-01-29 12:05 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-29 11:13 . 2008-01-29 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 10:01 . 2008-01-29 11:04 <DIR> d-------- C:\VundoFix Backups
2008-01-29 04:07 . 2008-01-29 04:07 16,600 --a------ C:\WINDOWS\BM26ecffca.xml
2008-01-25 17:12 . 2008-01-29 13:25 <DIR> d-------- C:\Program Files\Google
2008-01-25 12:38 . 2008-01-28 09:27 <DIR> d-------- C:\Program Files\1st Registry Repair
2008-01-24 09:08 . 2008-01-24 09:08 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 11:56 . 2008-01-23 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 09:14 . 2008-02-01 09:18 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-01-23 09:09 . 2006-09-21 11:29 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\Symantec
2008-01-23 09:09 . 2008-01-23 09:09 <DIR> d-------- C:\Documents and Settings\bgayken\Application Data\HotSync
2008-01-22 13:44 . 2004-08-04 05:00 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-22 13:44 . 2004-08-04 05:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-22 12:18 . 2004-08-04 05:00 5,632 --a------ C:\WINDOWS\system32\winver.exe
2008-01-22 12:18 . 2004-08-04 05:00 5,632 --a------ C:\WINDOWS\system32\dllcache\winver.exe
2008-01-22 12:17 . 2008-01-22 12:17 2 --a------ C:\635423993
2008-01-10 09:50 . 2008-01-10 10:56 307 --a------ C:\WINDOWS\DESI.INI
2008-01-10 09:49 . 2008-01-10 09:50 <DIR> d-------- C:\Program Files\DESI
2008-01-09 12:47 . 2004-03-11 20:37 151,552 --a------ C:\WINDOWS\system32\DVZAddin.dll
2008-01-09 12:45 . 2008-01-29 13:22 <DIR> d-------- C:\Program Files\Common Files\DataViz
2008-01-09 12:45 . 2008-01-09 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-01-09 11:59 . 2008-01-09 12:47 <DIR> d-------- C:\Program Files\Documents To Go
2008-01-09 10:49 . 2008-01-09 10:55 16,694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-01-09 10:14 . 2008-01-09 10:14 <DIR> d-------- C:\Program Files\Palm Inc
2008-01-04 09:15 . 2008-01-04 09:15 0 --a------ C:\WINDOWS\Wilsch.INI
2008-01-03 14:45 . 2008-01-15 14:14 <DIR> d-------- C:\ESWin
2008-01-03 14:45 . 2003-08-01 14:00 13,359 --a------ C:\WINDOWS\system32\drivers\SYDEXFDD.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 11:00 --------- d-----w C:\Program Files\Billeo
2008-01-30 23:42 --------- d-----w C:\Program Files\Zilla Data Nuker
2008-01-30 21:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 21:36 --------- d-----w C:\Program Files\Symantec
2008-01-30 21:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-30 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-30 21:29 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-30 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-29 21:31 --------- d-----w C:\Program Files\palmOne
2008-01-29 21:15 --------- d-----w C:\Program Files\Bonjour
2008-01-23 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 17:09 --------- d-----w C:\Program Files\Web Publish
2008-01-23 16:59 --------- d-----w C:\Program Files\Eraser
2008-01-22 21:43 --------- d-----w C:\Program Files\UltraVNC
2008-01-22 21:43 --------- d-----w C:\Program Files\Mgboss
2008-01-18 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-28 00:15 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 17:17 --------- d-----w C:\Program Files\Brownie
2007-12-24 19:27 45,056 ----a-w C:\WINDOWS\system32\drivers\CBUSB.SYS
2007-12-14 21:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-14 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-12 17:28 --------- d-----w C:\Program Files\BIN
2007-12-11 22:50 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-12-11 22:50 461,824 ----a-w C:\WINDOWS\system32\drivers\hardlock.sys
2007-08-28 21:15 88 --sh--r C:\WINDOWS\system32\186E068239.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\635423993 ----

C:\635423993\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-25 17:14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
billeo.lnk - C:\Program Files\Billeo\billeo.exe [2007-08-28 16:24:50 1041672]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\Media\fuwarxyus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli [RANDOM CHARACTERS].dll

R2 HPSLPSVC;HP Network Devices Support;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:00]
R2 KBOXManagementService;KBOX Management Service;C:\Program Files\KACE\KBOX\KBOXManagementService.exe [2007-04-03 12:21]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 21:15:06 C:\WINDOWS\Tasks\local disk c.job"
- C:\Program Files\Zilla Data Nuker\Shredder.exe&
"2008-02-01 17:20:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4F512D9F-9772-404B-8C75-A5F57A962893}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 09:18:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-02-01 9:21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 17:21:38
ComboFix2.txt 2008-01-31 22:57:43
.
2007-10-10 10:02:02 --- E O F ---
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Also post a new HijackThis log and tell me how your PC is running
  • 0

Advertisements


#11
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Roschach112,

I intalled and ran SUPERAntiSpyware. Here is the resulting log as well as the HijackThis log. As for how my computer is running now, I can't give you a good idea unitl I work on a bit more this afternoon. Hopefully I can give you a better picture at the end of my work day. I'll try to post before I go home for the day.

Thanks much,
Cris


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/01/2008 at 12:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3393
Trace Rules Database Version: 1385

Scan type : Complete Scan
Total Scan Time : 00:29:24

Memory items scanned : 473
Memory threats detected : 0
Registry items scanned : 6004
Registry threats detected : 0
File items scanned : 25908
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\cheadley\Cookies\[email protected][1].txt
C:\Documents and Settings\cheadley\Cookies\[email protected][2].txt
C:\Documents and Settings\cheadley\Cookies\[email protected][1].txt
C:\Documents and Settings\cheadley\Cookies\[email protected][2].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][1].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][1].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][1].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][1].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][1].txt
C:\Documents and Settings\bgayken\Cookies\[email protected][2].txt

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP3\A0000080.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP3\A0000081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP3\A0000082.DLL

Trojan.Unclassifed/AffiliateBundle
C:\VUNDOFIX BACKUPS\MLJGFGF.DLL.BAD



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:32, on 2008-02-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\KACE\KBOX\KBOXManagementService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - C:\Program Files\Billeo\billeo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - C:\Program Files\Billeo\billeo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - C:\Program Files\Billeo\billeo.dll (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O17 - HKLM\Software\..\Telephony: DomainName = Corp.FSCI.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Corp.FSCI.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KBOX Management Service (KBOXManagementService) - KACE Networks, Inc. - C:\Program Files\KACE\KBOX\KBOXManagementService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9466 bytes
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

You can delete the tools that we used


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Roschach112,

I forgot to mention, my clock is still displaying in military time. I'm not very good at remembering military time sequences and would like to change it back to it's regular am/pm type display. Is there any way you can help me to fix this or point me in the right direction of where to get help with fixing this?

Thanks again!
Cris
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Oh yeah forgot about that

Post in the Windows XP forum about that, they can fix your problem.

Tell them I sent you over. Make sure you do the rest of the steps here as well.
  • 0

#15
cris99301

cris99301

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Rorschack112,

Thought I'd give you an update on my computer. Everything on my computer seems to be working normally, especiall with IE. Thank goodness! You totally are a life saver! Thank you soooooooooo much! :) I wish I was so smart!

I'm also following your recommendations. #1 thing was switching to firefox - I had to do that even before the fix! Thanks again :) !

Cris
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP