Trojan Horse bitsprx.dll HELP! [RESOLVED]


This topic is locked

#1 billco669 (Member, 10 posts)
Can anyone help me remove a very aggravating Trojan Horse with file name bitsprx.dll that currently resides in my system32 folder. Any help would be greatly appreciated.

BILLCO

#2 Rorschach112 "Ralphie" (Retired Staff, 47,710 posts)
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 billco669 (Topic Starter, Member, 10 posts)
Thank you for the quick response.

Deckard's System Scanner v20071014.68
Run by bill2 on 2008-02-09 21:05:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-02-10 02:06:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.31 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-09 21:10:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\bill2\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://home.microsof...search.asp?p=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SXG Advisor - {76F30661-76C7-48CD-B18E-64F388AE030B} - C:\WINDOWS\dwrmntsdnq.dll
O2 - BHO: (no name) - {F122A1C5-4FE6-47D0-9F1A-888F808D439A} - C:\WINDOWS\SYSTEM32\bitsprx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: edfqvrw - {D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8} - C:\WINDOWS\edfqvrw.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [UpdateMedia] C:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab () - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.micros...386/wmv9dmo.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupd...7845.6172453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O21 - SSODL: bfrgnos - {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll (file missing)
O21 - SSODL: afxlspw - {D67735EF-D0C4-4713-954A-38E0153DA0D4} - C:\WINDOWS\afxlspw.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 10694 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 imgrhjlk - c:\windows\system32\drivers\yejodvwt.dat
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 W8335XP (NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335)) - c:\windows\system32\drivers\wg311v3xp.sys <Not Verified; Marvell Semiconductor, Inc; Device driver for Marvell 802.11 NIC>

S3 bfastfao - c:\docume~1\bill2\locals~1\temp\bfastfao.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 TRMUSB5K (Trimble USB GPS Driver) - c:\windows\system32\drivers\trmusb5k.sys <Not Verified; e-TEK Labs; General Purpose USB Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: GVC-REALTEK Ethernet 10/100 PCI Adapter
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_000113E0&REV_10\4&19FD8D60&0&38F0
Manufacturer: GVC
Name: GVC-REALTEK Ethernet 10/100 PCI Adapter
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_000113E0&REV_10\4&19FD8D60&0&38F0
Service: rtl8139


-- Scheduled Tasks -------------------------------------------------------------

2008-01-21 18:30:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2002-07-19 12:09:15 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-01-09 and 2008-02-09 -----------------------------

2008-02-09 14:12:31 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-02-07 09:20:47 94208 --a------ C:\WINDOWS\frplprg.exe
2008-02-07 09:20:47 294912 --a------ C:\WINDOWS\dwrmntsdnq.dll
2008-02-07 09:20:47 266240 --a------ C:\WINDOWS\afxlspw.dll <Not Verified; ; afxlspw>
2008-02-01 09:13:14 0 d-------- C:\Documents and Settings\bill2\Application Data\pdf995
2008-01-24 03:44:22 0 d-------- C:\Program Files\DeductionPro 2007
2008-01-24 03:41:42 0 d-------- C:\Documents and Settings\bill2\Application Data\TaxCut
2008-01-24 03:40:34 0 d-------- C:\Program Files\PDF995
2008-01-24 03:38:35 0 d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-24 03:36:49 0 d-------- C:\Program Files\TaxCut07
2008-01-21 21:07:51 0 d-------- C:\Program Files\iTunes
2008-01-21 21:04:59 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-02-09 09:18:26 0 d-------- C:\Program Files\Symantec AntiVirus
2008-02-06 07:58:38 0 d-------- C:\Documents and Settings\bill2\Application Data\AdobeUM
2008-01-24 03:52:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-24 03:42:39 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-24 03:42:39 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-21 21:08:12 0 d-------- C:\Program Files\iPod
2008-01-09 10:40:42 0 d-------- C:\Program Files\Microsoft Works
2008-01-09 10:18:56 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F30661-76C7-48CD-B18E-64F388AE030B}]
02/05/2008 02:53 PM 294912 --a------ C:\WINDOWS\dwrmntsdnq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F122A1C5-4FE6-47D0-9F1A-888F808D439A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 10:41 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 02:16 PM]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [03/15/2005 07:58 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [04/10/2002 04:44 PM]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [09/05/2001 01:28 PM]
"Dell|Alert"="C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [04/03/2002 06:06 PM]
"UpdateMedia"="C:\Program Files\MediaUpdate\UpdateMedia.exe" [04/09/2003 10:04 PM]
"SQInstaller"="SQInstaller.exe" []
"windows auto update"="msblast.exe" []
"MSConfig45"="MSConfig45.exe" []
"nwiz"="nwiz.exe" [10/06/2003 02:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [03/15/2005 07:58 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/30/2005 11:31 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/07/2006 12:02 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [03/17/2006 05:34 AM]
"BarbieGirlsTray"="C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [03/14/2007 09:59 PM]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"Y!TunnelPro"="C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSConfig45"=MSConfig45.exe

C:\Documents and Settings\bill2\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/14/2002 5:40:20 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Camio Viewer.lnk - C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe [3/28/2002 10:24:38 AM]
DESKTOP.INI [11/15/2001 7:31:16 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [8/7/2001 5:06:54 PM]
NETGEAR WG311v3 Wireless Assistant.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [7/1/2007 9:28:42 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bfrgnos"= {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll [ ]
"afxlspw"= {D67735EF-D0C4-4713-954A-38E0153DA0D4} - C:\WINDOWS\afxlspw.dll [02/05/2008 02:53 PM 266240]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4f2e93e-b917-11dc-ad17-000fb5f59244}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/...654267094626904




-- End of Deckard's System Scanner: finished at 2008-02-09 21:12:26 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 767.01 MiB / 294.69 MiB
Pagefile Memory (total/avail): 1110.32 MiB / 715.71 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.03 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 1.31 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 37.26 GiB total, 28.41 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD400BB-00FRA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: Symantec AntiVirus Corporate Edition v10.1.0.394 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE:*:Enabled:Microsoft Excel"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\bill2\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BILLS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\bill2
LOGONSERVER=\\BILLS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\Autodesk Shared\;C:\PROGRA~1\COMMON~1\AUTODE~1\GIS\IMPORT~1\1.0;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\bill2\LOCALS~1\Temp
TMP=C:\DOCUME~1\bill2\LOCALS~1\Temp
USERDOMAIN=BILLS
USERNAME=bill2
USERPROFILE=C:\Documents and Settings\bill2
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

bill2 (admin)
Melissa (admin)
Meghan
cody
cody.BILLS
Cody.BILLS.000
cody.BILLS.001 (new local)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0\Uninst.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Photoshop v4.0 --> C:\WINDOWS\uninst.exe -fC:\Adobe\Photoshop\DeIsL1.isu
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ALShow --> "C:\Program Files\ESTsoft\ALShow\unins000.exe"
AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E142615E-5ED8-4511-9BF0-0284BFA25766}\Setup.exe" -l0x9 -uninst
ArcSoft VideoImpression 1.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED10343F-D30A-4200-9B00-665FC45F52B4}\Setup.exe" -l0x9 -uninst
AutoCAD R14.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\AutoCAD R14\DeIsL1.isu"
Autodesk Design Review 2008 --> MsiExec.exe /I{FACF203E-0F4D-489A-B80C-D185253C8FCB}
Autodesk Land Desktop 3 --> MsiExec.exe /I{5783F2D7-0138-0409-0000-0060B0CE6BBA}
Barbie Girls --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{16B18999-56D7-4E8F-A40C-385E68A6D0CD}
BarSim 1.5.8 --> "C:\Program Files\BarSim\unins000.exe"
Blue's Room --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE3391FB-FAC9-404A-B530-2A27F9697DAE}\Setup.exe" -l0x9
Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0
DeductionPro 2007 --> "C:\Program Files\InstallShield Installation Information\{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}\setup.exe" -runfromtemp -l0x0009 -removeonly
Dell | Support --> MsiExec.exe /X{91E8A85F-2960-40ED-BA84-7F4567BB00C0}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Picture Studio - Dell Image Expert --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A9915D9A-D08A-4CDB-87FD-FC60CF15A11E}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Easy Chef's Million Recipes --> C:\CB45\UNWISE.EXE C:\CB45\INSTALL.LOG
ESPN BottomLine --> "C:\Program Files\ESPN\BottomLine\setup.exe" -u
Ghost Recon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\Setup.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GPS Configurator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D84DBC4E-D804-4E8D-A008-3266E2B21F79}\Setup.exe" -l0x9
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HOTLLAMA Media Player - Update --> C:\PROGRA~1\HOTLLA~1\Player\UNWISE.EXE C:\PROGRA~1\HOTLLA~1\Player\INSTALL.LOG
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPod for Windows 2005-06-26 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FE7A3FE1-AF76-44FD-BC70-09868A51887A} /l1033
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod Updater 2004-08-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D43E1D3F-CC1F-4E41-80F5-9C1D28187DE9}
iPod Updater 2004-11-15 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Jane’s Combat Simulations USAF --> C:\Program Files\Jane's Combat Simulations\USAF\Externals\Setup.exe
JumpStart Kindergarten 98 v2.5 --> C:\WINDOWS\IsUninst.exe -fC:\KA\KG98\DeIsL1.isu
JumpStart Parent Resource Center v1.0 --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRC\DeIsL1.isu
Kazaa Media Desktop 2.1 --> RunDll32 C:\WINDOWS\System32\cd_clint.dll,ServiceRunDll u_291 "{726C99D0-50C5-404F-9EFD-7B2834DFED50}"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Shockwave Player --> MsiExec.exe /X{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Streets and Trips 2002 --> MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6-9 Converter --> MsiExec.exe /X{172423F9-522A-483A-AD65-03600CE4CA4F}
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
Movie-Viewer 2.0 --> C:\WINDOWS\System32\Uninstall.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Messenger 6.2 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600205}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
NETGEAR WG311v3 802.11g Wireless PCI Adapter --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{70014586-7BBA-4A92-A610-CDC896C48F8F}
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NHL 2001 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBA471C0-5EF2-11D4-0091-A500A0245DC0}\setup.exe" -l0x9 Uninstall
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Problem Generator --> C:\WINDOWS\uninst.exe -f"C:\Program Files\CG Consulting\Problem Generator\DeIsL1.isu" -c"C:\Program Files\CG Consulting\Problem Generator\_ISREG32.DLL"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Railroad Tycoon II - Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BED27751-CD2A-4C2F-9813-00B9B60C76FE}\setup.exe"
RCT3 Soaked --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\Setup.exe" -l0x9
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek RTL8139 Diagnostics Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7FC2AF73-10ED-404E-84A8-636B452404FD}\setup.exe"
Roll --> C:\WINDOWS\UniFish3.exe C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\RollerCoaster Tycoon.log
RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
RollerCoaster Tycoon® 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\Setup.exe" -l0x9
SafeSurfing --> C:\WINDOWS\System32\SSUninstall.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBot --> MsiExec.exe /X{CBD6B0B0-4FF2-4DFC-868D-EBD1FF479EB8}
Symantec AntiVirus --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
TaxCut North Carolina 2007 --> MsiExec.exe /X{1AC0D592-7F2C-4BBF-B823-EEECD74F097B}
TaxCut Premium + State + Efile 2007 --> MsiExec.exe /X{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}
TaxCut Premium 2006 --> C:\PROGRA~1\TaxCut06\Program\removetc.exe
The Go Ronald Games --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0319B53F-FAE5-4811-B0B3-19CC1F8E674E} /l1033
TP Preview Exclusive Treasure Racer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2156D499-7EBF-11D6-B2FB-0002A5E32BEF}\setup.exe" TP Preview Exclusive Treasure Racer
Treasure Planet: Battle at Procyon - Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71C1D30A-98DE-4C9D-8690-5F76D5056C1B}\setup.exe" -l0x9 Uninstall
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax Premier 2005 --> C:\Program Files\TurboTax\Premier 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2005\Uninstall.log" -NoGui
ubi.com --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}\Setup.exe" UNINSTALL-L0x9 -uninst
VGA USB Camera (2120) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85BA1253-1D64-468B-8ADA-EFDFD31AD4E2}\Setup.exe" -l0x9
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Volo View Express --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Volo View Express\DeIsL1.isu"
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WingMan Software --> MsiExec.exe /X{435673AB-6821-416D-806A-E477DFA60A42}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME) --> "C:\Program Files\XviD\UninstXviD.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Messenger Explorer Bar --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type19678 / Error
Event Submitted/Written: 02/09/2008 09:03:53 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan Horse in File: C:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: Risk was partially removed.

Event Record #/Type19677 / Error
Event Submitted/Written: 02/09/2008 09:03:53 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Risk Found!Risk: Trojan Horse in File: c:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

Event Record #/Type19676 / Error
Event Submitted/Written: 02/09/2008 09:03:52 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Risk Found!Risk: Trojan Horse in File: C:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

Event Record #/Type19675 / Error
Event Submitted/Written: 02/09/2008 09:03:52 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan Horse in File: C:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

Event Record #/Type19674 / Error
Event Submitted/Written: 02/09/2008 09:00:24 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan Horse in File: C:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: Risk was partially removed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type47132 / Error
Event Submitted/Written: 02/09/2008 10:12:58 AM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Event Record #/Type47127 / Error
Event Submitted/Written: 02/09/2008 09:21:45 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.2 for the Network Card with network address 000FB5F59244 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type47105 / Error
Event Submitted/Written: 02/09/2008 09:16:38 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type47104 / Error
Event Submitted/Written: 02/09/2008 00:26:54 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
eeCtrl
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
SAVRT
SAVRTPEL
SPBBCDrv
SYMTDI
Tcpip

Event Record #/Type47103 / Error
Event Submitted/Written: 02/09/2008 00:26:54 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-02-09 21:12:26 ------------
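The five Symantec AntiVirus records in the Application Event Log above all report the same outcome for bitsprx.dll: clean failed, quarantine failed, twice with "Access denied". An Auto-Protect action that fails with access denied generally means the file is open or loaded in a running process, which is exactly the situation a Safe Mode or offline removal is meant to avoid. What follows is an added example, not code from the thread or from DSS: it parses DSS event records in that layout and summarises, per detected file, whether the antivirus ever remediated it. SAMPLE_LOG is two records copied from the log above; the regular expression for the Symantec description and the outcome rules are this example's own assumptions about those strings.

```python
"""Triage the '-- Application Event Log --' section of a Deckard's System
Scanner (DSS) report.

Added example, not part of the thread or of DSS.  SAMPLE_LOG is copied from
the log posted above; the Symantec description regex and the outcome rules
are assumptions of this example, not documented Symantec formats.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
-- Application Event Log -------------------------------------------------------

Event Record #/Type19678 / Error
Event Submitted/Written: 02/09/2008 09:03:53 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Risk: Trojan Horse in File: C:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: Risk was partially removed.

Event Record #/Type19677 / Error
Event Submitted/Written: 02/09/2008 09:03:53 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Risk Found!Risk: Trojan Horse in File: c:\WINDOWS\SYSTEM32\bitsprx.dll by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

-- Security Event Log ----------------------------------------------------------
"""

# One DSS record starts with this header line; everything up to the next
# header belongs to the record.
RECORD_HEADER = re.compile(r"^Event Record #/Type(\d+) / (\w+)", re.M)
# Assumed layout of the Symantec AntiVirus description string.
SYMANTEC_DESC = re.compile(
    r"Risk: (?P<risk>.+?) in File: (?P<file>.+?) by: (?P<by>.+?)\. "
    r"Action: (?P<action>.+?)\. Action Description: (?P<desc>.+)"
)


def parse_dss_events(text):
    """Return one dict per 'Event Record' block in a DSS event-log section."""
    records = []
    headers = list(RECORD_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        written = re.search(r"Event Submitted/Written: (.+)", body)
        source = re.search(r"Event ID/Source: (\d+) / (.+)", body)
        # Description runs from its label to the first blank line.
        desc = re.search(r"Event Description:\n(.+?)(?:\n\s*\n|\Z)", body, re.S)
        records.append({
            "record": int(m.group(1)),
            "type": m.group(2),
            "written": written.group(1).strip() if written else "",
            "event_id": int(source.group(1)) if source else None,
            "source": source.group(2).strip() if source else "",
            "description": desc.group(1).strip() if desc else "",
        })
    return records


def classify_symantec(description):
    """Extract risk/file/action from a Symantec description and rate the outcome.

    'remediated': the action string reports success ("succeeded").
    'locked':     clean/quarantine failed with "Access denied" (file in use).
    'failed':     clean/quarantine failed for another reason.
    """
    m = SYMANTEC_DESC.search(description)
    if not m:
        return None
    info = m.groupdict()
    action = info["action"]
    if "succeeded" in action:
        info["outcome"] = "remediated"
    elif "Access denied" in action:
        info["outcome"] = "locked"
    else:
        info["outcome"] = "failed"
    return info


def summarize(records):
    """Per file (case-insensitive path): detections, whether any succeeded,
    whether access was ever denied, and the risk names seen."""
    files = defaultdict(lambda: {"detections": 0, "remediated": False,
                                 "access_denied": False, "risks": set()})
    for rec in records:
        if rec["source"] != "Symantec AntiVirus":
            continue
        info = classify_symantec(rec["description"])
        if info is None:
            continue
        entry = files[info["file"].lower()]
        entry["detections"] += 1
        entry["risks"].add(info["risk"])
        entry["remediated"] |= info["outcome"] == "remediated"
        entry["access_denied"] |= info["outcome"] == "locked"
    return dict(files)


def needs_offline_removal(summary):
    """Files the AV detected but never removed: candidates for Safe Mode or
    offline cleanup rather than another on-access scan."""
    return sorted(path for path, f in summary.items() if not f["remediated"])


if __name__ == "__main__":
    summary = summarize(parse_dss_events(SAMPLE_LOG))
    for path in needs_offline_removal(summary):
        f = summary[path]
        print(f"{path}: {f['detections']} detections, never remediated,"
              f" access denied={f['access_denied']}, risks={sorted(f['risks'])}")
```

Run it against the full main.txt and the per-file summary separates "the scanner keeps seeing it" from "the scanner removed it"; a file that repeatedly shows access denied while remaining in place is one to remove from Safe Mode or a boot disk, not by rescanning.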

#4 Rorschach112 (Ralphie; Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.




* I notice that you have no firewall on your PC. This is extremely dangerous and leaves your PC open to vulnerabilities, so please download and install one of the following programs: ZoneAlarm, Comodo, or Outpost.
Make sure you only use one firewall, though. A tutorial on understanding and using firewalls may be found here.
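The reply above asks for a HijackThis log, and the one posted further down this thread contains the kind of autostart entries a helper reads first: O4 Run values whose command is a bare filename with no directory (resolved through the search path at logon, so the log alone cannot say which file, or whether any file, is behind them), BHO/toolbar/SSODL entries marked "(file missing)" (the file is gone but the registry reference remains), and a value under HKLM\...\RunServices, a Windows 9x/Me key that the NT line, Windows XP included, does not process. The entry "[windows auto update] msblast.exe" also matches the autostart value written by the 2003 Blaster worm, although the entry by itself does not prove the file is still present. The following is an added example, not code from the thread or from HijackThis: it applies those checks to lines copied from that log. The rules, the rundll32/regsvr32 unwrapping and the KNOWN_WORM_VALUES table are this example's own.

```python
"""Triage HijackThis O2/O3/O4/O21 lines for the signs a helper looks for.

Added example, not part of the thread or of HijackThis.  SAMPLE_LINES is
copied from the HijackThis log posted in this thread; the triage rules are
this example's own assumptions.
"""
import re

SAMPLE_LINES = r"""
O2 - BHO: SXG Advisor - {76F30661-76C7-48CD-B18E-64F388AE030B} - C:\WINDOWS\dwrmntsdnq.dll (file missing)
O3 - Toolbar: edfqvrw - {D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8} - C:\WINDOWS\edfqvrw.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O21 - SSODL: bfrgnos - {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll (file missing)
""".strip().splitlines()

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# (value name, executable) pairs with a well-known malware meaning.
# Blaster's persistence entry is the one in the log above.
KNOWN_WORM_VALUES = {
    ("windows auto update", "msblast.exe"): "Blaster worm autostart value",
}

# Windows 9x/Me keys that the NT line (XP included) never executes.
WIN9X_ONLY_KEYS = {"runservices", "runservicesonce"}

ORPHANED = "orphaned entry, file missing"
BARE = "bare filename, resolved via search path at logon"


def split_command(cmd):
    """Return (executable, remaining arguments) for a Run value's command line,
    honouring a double-quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def target_of(cmd):
    """The file that actually runs: for rundll32/regsvr32 wrappers, the DLL
    argument (before any ',EntryPoint'), otherwise the executable itself."""
    exe, rest = split_command(cmd)
    if exe.lower() in ("rundll32.exe", "regsvr32.exe"):
        exe, _ = split_command(rest)
        exe = exe.split(",")[0]
    return exe


def is_bare(path):
    """True when the command names a file without any directory or drive."""
    return "\\" not in path and ":" not in path


def triage(lines):
    """Return (section, reason, line) findings for the given HijackThis lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if "(file missing)" in line:
            findings.append((section, ORPHANED, line))
        m = O4_RE.match(line)
        if not m:
            continue
        name, key = m["name"].lower(), m["key"].lower()
        target = target_of(m["cmd"])
        known = KNOWN_WORM_VALUES.get((name, target.lower()))
        if known:
            findings.append((section, known, line))
        if is_bare(target):
            findings.append((section, BARE, line))
        if key in WIN9X_ONLY_KEYS:
            findings.append((section, f"{m['key']} key is not processed by Windows XP", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LINES):
        print(f"{section:<4} {reason}: {line}")
```

The bare-filename rule is the one that matters in practice: an O4 value such as "MSConfig45.exe" can only be judged once the file is located on disk (or found to be absent), which is why the helper combines the HijackThis log with ComboFix's file deletions and the DSS file listing rather than reading any one of them alone.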

#5 billco669 (Member; Topic Starter, 10 posts)
I have finished the given instructions and it appears to have removed the Trojan. Symantec does not detect it anymore. It does, however, still show the risk Spyware.Safesurfing, file named ssurf022.dll; I am guessing this is a different kind of fix. Below are the three logs you requested. My System Restore point option is turned off; should I turn it back on at this point?

Thank you for your help; I was about to go crazy.

SmitFraudFix v2.286

Scan done at 11:02:50.73, Sun 02/10/2008
Run from C:\Documents and Settings\bill2\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\dwrmntsdnq.dll deleted.
C:\WINDOWS\afxlspw.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\frplprg.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\bill2\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\bill2\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\bill2\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\bill2\FAVORI~1\Online Security Test.url Deleted
C:\DOCUME~1\bill2\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\bill2\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\bill2\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{29318458-9D4E-421A-A6A5-E42C975A14F6}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E83949C2-2345-4D84-A871-B770A32CE4E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E83949C2-2345-4D84-A871-B770A32CE4E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{29318458-9D4E-421A-A6A5-E42C975A14F6}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E83949C2-2345-4D84-A871-B770A32CE4E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{29318458-9D4E-421A-A6A5-E42C975A14F6}: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E83949C2-2345-4D84-A871-B770A32CE4E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.148 24.25.5.147


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


ComboFix 08-02.05.3 - bill2 2008-02-10 11:37:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.360 [GMT -5:00]
Running from: C:\Documents and Settings\bill2\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\spooldr.exe
C:\WINDOWS\spooldr.exe . . . . failed to delete
C:\WINDOWS\system32\bitsprx.dll
C:\WINDOWS\system32\drivers\yejodvwt.dat
C:\WINDOWS\system32\k.exe
C:\WINDOWS\system32\uninstall.exe

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
hxxp://58.65.234.25
hxxp://softworldnetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IMGRHJLK
-------\imgrhjlk


((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 11:03 . 2008-02-10 11:03 3,486 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-02-09 21:05 . 2008-02-09 21:05 <DIR> d-------- C:\Deckard
2008-02-01 09:13 . 2008-02-01 09:13 <DIR> d-------- C:\Documents and Settings\bill2\Application Data\pdf995
2008-02-01 09:13 . 2008-02-01 09:13 28 --a------ C:\WINDOWS\pdf995.ini
2008-01-24 03:44 . 2008-01-24 03:52 <DIR> d-------- C:\Program Files\DeductionPro 2007
2008-01-24 03:42 . 2007-08-24 10:13 142 --a------ C:\WINDOWS\wpd99.drv
2008-01-24 03:41 . 2008-02-01 09:13 <DIR> d-------- C:\Documents and Settings\bill2\Application Data\TaxCut
2008-01-24 03:40 . 2008-01-24 03:42 <DIR> d-------- C:\Program Files\PDF995
2008-01-24 03:38 . 2008-01-24 03:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-24 03:36 . 2008-01-24 03:41 <DIR> d-------- C:\Program Files\TaxCut07
2008-01-21 21:07 . 2008-01-21 21:08 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 21:04 . 2008-01-21 21:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 16:50 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-09 04:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 12:58 --------- d-----w C:\Documents and Settings\bill2\Application Data\AdobeUM
2008-02-04 05:00 --------- d-----w C:\Documents and Settings\Melissa\Application Data\WeatherBug
2008-02-01 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-24 08:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 02:08 --------- d-----w C:\Program Files\iPod
2008-01-09 15:40 --------- d-----w C:\Program Files\Microsoft Works
2007-09-04 14:17 91,264 ----a-w C:\Documents and Settings\bill2\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F30661-76C7-48CD-B18E-64F388AE030B}]
C:\WINDOWS\dwrmntsdnq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}

[HKEY_CLASSES_ROOT\clsid\{d573edd4-5dea-4df1-9d5a-329d6861edc8}]
[HKEY_CLASSES_ROOT\edfqvrw.1]
[HKEY_CLASSES_ROOT\TypeLib\{8C1ADEEE-C337-4F42-B3AE-B2745AA21389}]
[HKEY_CLASSES_ROOT\edfqvrw]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"Y!TunnelPro"="C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-15 07:58 135168]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 16:44 679936]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 13:28 163840]
"Dell|Alert"="C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [2002-04-03 18:06 282624]
"UpdateMedia"="C:\Program Files\MediaUpdate\UpdateMedia.exe" [2003-04-09 22:04 24576]
"SQInstaller"="SQInstaller.exe" []
"windows auto update"="msblast.exe" []
"MSConfig45"="MSConfig45.exe" []
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 07:58 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-30 11:31 180269]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 12:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 05:34 124656]
"BarbieGirlsTray"="C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 21:59 24576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSConfig45"="MSConfig45.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-14 17:40:20 108544]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Camio Viewer.lnk - C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe [2002-03-28 10:24:38 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 17:06:54 24633]
NETGEAR WG311v3 Wireless Assistant.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2007-07-01 21:28:42 2238]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bfrgnos"= {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll [ ]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 bfastfao;bfastfao;C:\DOCUME~1\bill2\LOCALS~1\Temp\bfastfao.sys []
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys [2003-06-12 04:56]
S3 TRMUSB5K;Trimble USB GPS Driver;C:\WINDOWS\system32\drivers\TRMUSB5K.sys [2000-06-20 05:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4f2e93e-b917-11dc-ad17-000fb5f59244}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL iexplore http://www.mgae.com/...654267094626904

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 23:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-07-19 17:09:15 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 11:51:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSConfig45 = MSConfig45.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-10 11:59:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 16:59:18
.
2007-10-26 03:46:52 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:40 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SXG Advisor - {76F30661-76C7-48CD-B18E-64F388AE030B} - C:\WINDOWS\dwrmntsdnq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: edfqvrw - {D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8} - C:\WINDOWS\edfqvrw.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [UpdateMedia] C:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O21 - SSODL: bfrgnos - {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9162 bytes
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: SXG Advisor - {76F30661-76C7-48CD-B18E-64F388AE030B} - C:\WINDOWS\dwrmntsdnq.dll (file missing)
O3 - Toolbar: edfqvrw - {D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8} - C:\WINDOWS\edfqvrw.dll (file missing)
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O21 - SSODL: bfrgnos - {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4f2e93e-b917-11dc-ad17-000fb5f59244}]

Driver::
bfastfao


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Reboot and post a new HijackThis log
  • 0
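The entries singled out in the fix list above share cues that can be read straight off a HijackThis log: an O2/O3/O21 entry whose DLL is "(file missing)" is a dangling autostart registration, an O4 Run entry that names a bare executable with no directory is resolved through the search path rather than a known location, and an O8 context-menu item that points at a remote URL instead of a local res:// resource is unusual for a legitimate add-in. The Python script below is an added example for this thread, not a tool from HijackThis, ComboFix or the helper; it applies those three cues to lines copied from the log posted earlier. The bare-filename check is deliberately broad: it also lists nwiz.exe and SQInstaller.exe, which the helper left alone, so the output is a review list for a human, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not a
HijackThis, ComboFix or forum tool). Standard library only, Python 3.8+."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the HijackThis log posted earlier in this thread. The
# forum shortens long URLs with "..."; that truncation is kept as-is.
SAMPLE_LOG = r"""
O2 - BHO: SXG Advisor - {76F30661-76C7-48CD-B18E-64F388AE030B} - C:\WINDOWS\dwrmntsdnq.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: edfqvrw - {D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8} - C:\WINDOWS\edfqvrw.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O21 - SSODL: bfrgnos - {A59AAE17-392A-44C0-B588-DD522ED098B6} - C:\WINDOWS\bfrgnos.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # "file-missing", "bare-filename" or "remote-url"
    line: str     # the log line that triggered the finding


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O8_RE = re.compile(r"^Extra context menu item: (?P<title>.*?) - (?P<target>\S+)$")


def launch_target(cmd: str) -> str:
    """Return the file an O4 Run command actually loads.

    Quoted paths are unquoted and trailing arguments dropped. For RUNDLL32
    the loaded file is the DLL given as its first argument, up to the
    ",EntryPoint" suffix.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head, rest = cmd[1:end], cmd[end + 1:]
    else:
        head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        return launch_target(rest.split(",", 1)[0])
    return head


def is_bare_name(path: str) -> bool:
    """True when the path carries no drive or directory component."""
    return "\\" not in path and "/" not in path and ":" not in path


def triage(log_text: str) -> List[Finding]:
    """Apply the three review cues to every HijackThis entry in the text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # An autostart whose target is gone is a dangling registration:
        # something registered it, and only the stub is left to show.
        if body.endswith("(file missing)"):
            findings.append(Finding(section, "file-missing", line))
            continue
        if section == "O4":
            r = RUN_RE.match(body)
            if r and is_bare_name(launch_target(r.group("cmd"))):
                findings.append(Finding(section, "bare-filename", line))
        elif section == "O8":
            o = O8_RE.match(body)
            if o and o.group("target").lower().startswith(("http://", "https://")):
                findings.append(Finding(section, "remote-url", line))
    return findings


def by_reason(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the triggering lines by the cue that fired, for review."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.reason, []).append(f.line)
    return grouped


if __name__ == "__main__":
    for reason, lines in by_reason(triage(SAMPLE_LOG)).items():
        print(f"== {reason} ({len(lines)})")
        for entry in lines:
            print("   ", entry)
```

Run against a full log, the review list reproduces the helper's picks (the three "(file missing)" entries, msblast.exe, both MSConfig45 entries and the mywebsearch context-menu item) plus the two legitimate bare names it cannot distinguish on its own; every hit still needs a person, or a hash lookup, to decide.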

#7
billco669

billco669

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK, I followed your last instructions. Below are the ComboFix log and the HijackThis log. Not sure if I did it right though. I got an error message at the end of the ComboFix process at the point where it wanted to reboot. I tried a screen capture but it did not work. I do not remember what the message said. I then rebooted and ComboFix produced log.txt.

ComboFix 08-02.05.3 - bill2 2008-02-10 14:53:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.345 [GMT -5:00]
Running from: C:\Documents and Settings\bill2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bill2\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 12:05 . 2008-02-10 12:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 11:03 . 2008-02-10 11:03 3,486 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-02-09 21:05 . 2008-02-09 21:05 <DIR> d-------- C:\Deckard
2008-02-01 09:13 . 2008-02-01 09:13 <DIR> d-------- C:\Documents and Settings\bill2\Application Data\pdf995
2008-02-01 09:13 . 2008-02-01 09:13 28 --a------ C:\WINDOWS\pdf995.ini
2008-01-24 03:44 . 2008-01-24 03:52 <DIR> d-------- C:\Program Files\DeductionPro 2007
2008-01-24 03:42 . 2007-08-24 10:13 142 --a------ C:\WINDOWS\wpd99.drv
2008-01-24 03:41 . 2008-02-01 09:13 <DIR> d-------- C:\Documents and Settings\bill2\Application Data\TaxCut
2008-01-24 03:40 . 2008-01-24 03:42 <DIR> d-------- C:\Program Files\PDF995
2008-01-24 03:38 . 2008-01-24 03:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-01-24 03:36 . 2008-01-24 03:41 <DIR> d-------- C:\Program Files\TaxCut07
2008-01-21 21:07 . 2008-01-21 21:08 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 21:04 . 2008-01-21 21:05 <DIR> d-------- C:\Program Files\QuickTime
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 20:07 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-09 04:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 12:58 --------- d-----w C:\Documents and Settings\bill2\Application Data\AdobeUM
2008-02-04 05:00 --------- d-----w C:\Documents and Settings\Melissa\Application Data\WeatherBug
2008-02-01 14:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-24 08:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 02:08 --------- d-----w C:\Program Files\iPod
2008-01-09 15:40 --------- d-----w C:\Program Files\Microsoft Works
2007-09-04 14:17 91,264 ----a-w C:\Documents and Settings\bill2\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"Y!TunnelPro"="C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-15 07:58 135168]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 16:44 679936]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 13:28 163840]
"Dell|Alert"="C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [2002-04-03 18:06 282624]
"UpdateMedia"="C:\Program Files\MediaUpdate\UpdateMedia.exe" [2003-04-09 22:04 24576]
"SQInstaller"="SQInstaller.exe" []
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2005-03-15 07:58 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-30 11:31 180269]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 12:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 05:34 124656]
"BarbieGirlsTray"="C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [2007-03-14 21:59 24576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-14 17:40:20 108544]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Camio Viewer.lnk - C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe [2002-03-28 10:24:38 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 17:06:54 24633]
NETGEAR WG311v3 Wireless Assistant.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2007-07-01 21:28:42 2238]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys [2003-06-12 04:56]
S3 TRMUSB5K;Trimble USB GPS Driver;C:\WINDOWS\system32\drivers\TRMUSB5K.sys [2000-06-20 05:33]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 23:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-07-19 17:09:15 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 15:08:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 15:17:16
ComboFix-quarantined-files.txt 2008-02-10 20:17:12
ComboFix2.txt 2008-02-10 16:59:22
.
2007-10-26 03:46:52 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:49 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [UpdateMedia] C:\Program Files\MediaUpdate\UpdateMedia.exe
O4 - HKLM\..\Run: [SQInstaller] SQInstaller.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Y!TunnelPro V1.3 Build 230\YTunnelPro.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8612 bytes

Thanks again for your help.
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Also tell me how your PC is running.
  • 0

#9
billco669

billco669

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
You were right about the patience. It took over 4 hrs to do the scan. Below is the log created. The computer appears to be running faster and more efficiently. Symantec is still detecting Spyware.Safesurfing, file name ssurf022.dll; is this a problem? Also, when do I turn System Restore points back on, if at all? I downloaded one of the firewall programs recommended; when should I install it? Thanks again for all your help.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/10/2008 at 08:39 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 04:18:26

Memory items scanned : 462
Memory threats detected : 0
Registry items scanned : 7165
Registry threats detected : 10
File items scanned : 144190
File threats detected : 221

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\InprocServer32
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\InprocServer32#ThreadingModel
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\ProgID
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\Programmable
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\TypeLib
HKCR\CLSID\{D573EDD4-5DEA-4DF1-9D5A-329D6861EDC8}\VersionIndependentProgID
C:\WINDOWS\EDFQVRW.DLL

Adware.MyWay
HKU\S-1-5-21-808743801-135449575-3207847200-1010\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{014DA6C9-189F-421A-88CD-07CFE51CFF10}

Adware.Tracking Cookie
C:\Documents and Settings\bill2\Cookies\bill2@casalemedia[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@atdmt[2].txt
C:\Documents and Settings\bill2\Cookies\[email protected][2].txt
C:\Documents and Settings\bill2\Cookies\bill2@zedo[1].txt
C:\Documents and Settings\bill2\Cookies\bill2@fastclick[3].txt
C:\Documents and Settings\bill2\Cookies\bill2@realmedia[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@partner2profit[1].txt
C:\Documents and Settings\bill2\Cookies\bill2@burstnet[2].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\[email protected][2].txt
C:\Documents and Settings\bill2\Cookies\bill2@overture[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@adrevolver[1].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\bill2@doubleclick[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@bluestreak[1].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\bill2@questionmarket[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@tribalfusion[1].txt
C:\Documents and Settings\bill2\Cookies\[email protected][2].txt
C:\Documents and Settings\bill2\Cookies\bill2@specificclick[1].txt
C:\Documents and Settings\bill2\Cookies\bill2@advertising[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@tacoda[2].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\bill2@atwola[1].txt
C:\Documents and Settings\bill2\Cookies\bill2@adbrite[2].txt
C:\Documents and Settings\bill2\Cookies\bill2@adserver[1].txt
C:\Documents and Settings\bill2\Cookies\bill2@revsci[2].txt
C:\Documents and Settings\bill2\Cookies\[email protected][1].txt
C:\Deckard\System Scanner\backup\DOCUME~1\bill2\LOCALS~1\Temp\Cookies\bill2@atdmt[1].txt
C:\Deckard\System Scanner\backup\WINDOWS\temp\Cookies\bill2@doubleclick[1].txt
C:\Deckard\System Scanner\backup\WINDOWS\temp\Cookies\[email protected][1].txt
C:\Documents and Settings\bill2\Cookies\bill2@fastclick[2].txt
C:\Documents and Settings\cody\Cookies\cody@247realmedia[2].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\[email protected][3].txt
C:\Documents and Settings\cody\Cookies\cody@adbrite[1].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\cody@adrevolver[1].txt
C:\Documents and Settings\cody\Cookies\cody@adrevolver[2].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\[email protected][2].txt
C:\Documents and Settings\cody\Cookies\cody@advertising[1].txt
C:\Documents and Settings\cody\Cookies\cody@atdmt[2].txt
C:\Documents and Settings\cody\Cookies\cody@bluestreak[1].txt
C:\Documents and Settings\cody\Cookies\cody@casalemedia[2].txt
C:\Documents and Settings\cody\Cookies\[email protected][2].txt
C:\Documents and Settings\cody\Cookies\[email protected][2].txt
C:\Documents and Settings\cody\Cookies\cody@doubleclick[1].txt
C:\Documents and Settings\cody\Cookies\cody@fastclick[2].txt
C:\Documents and Settings\cody\Cookies\cody@media303[2].txt
C:\Documents and Settings\cody\Cookies\cody@mediaplex[2].txt
C:\Documents and Settings\cody\Cookies\cody@overture[1].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody\Cookies\cody@questionmarket[2].txt
C:\Documents and Settings\cody\Cookies\cody@realmedia[1].txt
C:\Documents and Settings\cody\Cookies\cody@revsci[2].txt
C:\Documents and Settings\cody\Cookies\cody@sextracker[2].txt
C:\Documents and Settings\cody\Cookies\cody@teensexgirls[2].txt
C:\Documents and Settings\cody\Cookies\cody@trafficmp[2].txt
C:\Documents and Settings\cody\Cookies\cody@tribalfusion[2].txt
C:\Documents and Settings\cody\Cookies\[email protected][2].txt
C:\Documents and Settings\cody\Cookies\[email protected][1].txt
C:\Documents and Settings\cody.BILLS\Cookies\cody@adbrite[1].txt
C:\Documents and Settings\cody.BILLS\Cookies\[email protected][2].txt
C:\Documents and Settings\cody.BILLS\Cookies\cody@sexlist[2].txt
C:\Documents and Settings\cody.BILLS\Cookies\[email protected][1].txt
C:\Documents and Settings\cody.BILLS\Cookies\cody@xxxcounter[1].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\[email protected][2].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\cody@adbrite[2].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\[email protected][1].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\cody@atdmt[1].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\cody@fastclick[2].txt
C:\Documents and Settings\Cody.BILLS.000\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@247realmedia[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@2o7[2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@advertising[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@apmebf[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@atdmt[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@atwola[2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@bluestreak[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@burstnet[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@casalemedia[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@fastclick[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@hitbox[2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@linkstattrack[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@mediaplex[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@mywebsearch[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@nextag[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@optimost[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@overture[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@popularscreensavers[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@pro-market[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@qnsr[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@questionmarket[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@realmedia[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@revenue[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@revsci[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@serving-sys[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@statcounter[2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@tacoda[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@tracking[1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@tradedoubler[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@trafficmp[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@tribalfusion[2].txt
C:\Documents and Settings\Meghan\Cookies\meghan@valueclick[1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][2].txt
C:\Documents and Settings\Meghan\Cookies\[email protected][1].txt
C:\Documents and Settings\Meghan\Cookies\meghan@zedo[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@247realmedia[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@2o7[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@adinterax[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@adknowledge[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@adrevolver[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@adrevolver[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@advertising[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@apmebf[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@atdmt[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@atwola[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@azjmp[1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@bannerspace[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@belnk[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@bluestreak[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@burstnet[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@casalemedia[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@clickagents[1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@doubleclick[1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@fastclick[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@hitbox[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@maxserving[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@mediaplex[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@mywebsearch[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@nextag[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@partner2profit[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@pro-market[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@qksrv[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@qnsr[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@questionmarket[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@realmedia[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@roiservice[1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@serving-sys[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@statcounter[1].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@tacoda[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@targetnet[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@toplist[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@trafficmp[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@tribalfusion[2].txt
C:\Documents and Settings\Melissa\Cookies\melissa@valueclick[1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@valueclick[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliqjdpsdpwydj6x9ny-1seq-2-2.stats.esomniture[2].txt
C:\Documents and Settings\Melissa\Cookies\[email protected][1].txt
C:\Documents and Settings\Melissa\Cookies\melissa@zedo[1].txt

Adware.SXGAdvisor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000057.DLL

#10
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Can you post the file path of ssurf022.dll?

#11
billco669
    Member
  • Topic Starter
  • 10 posts
ssurf022.dll path is C:\windows\system32\. Symantec quick scan keeps finding it.

#12
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\windows\system32\ssurf022.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and tell me how your PC is running and if Symantec is still detecting it.

#13
billco669
    Member
  • Topic Starter
  • 10 posts
Below are the results:

LoadLibrary failed for C:\windows\system32\ssurf022.dll
C:\windows\system32\ssurf022.dll NOT unregistered.
File move failed. C:\windows\system32\ssurf022.dll scheduled to be moved on reboot.
[Custom Input]
< purity >

OTMoveIt2 v1.0.19 log created on 02112008_222716
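What "scheduled to be moved on reboot" means in the log above: a file that cannot be moved while it is mapped into a running process gets queued with MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), which only writes a (source, destination) pair into the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; the Session Manager carries the queue out early in the next boot. The script below, an added example that is not from this thread and not OTMoveIt2's own code, decodes that value's raw bytes and lists the queued operations so you can confirm whether a DLL really is waiting to be moved. The sample data is constructed here and the quarantine folder in it is a hypothetical path, not any tool's real layout.

```python
r"""
Inspect the reboot-time file queue behind "scheduled to be moved on reboot".

MoveFileEx(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT) does not touch the file;
it appends the pair (src, dst) to the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and the Session Manager performs the operations at the next boot, before
the DLL can be loaded again. Paths are stored in NT form ("\??\C:\...");
an empty destination means delete, and a leading "!" on the destination
means replace an existing file.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"


def decode_multi_sz(raw: bytes) -> List[str]:
    """Decode a raw REG_MULTI_SZ blob while keeping empty strings.

    Splitting naively on the first double NUL loses every entry after a
    delete, because a delete's empty destination *is* a bare NUL. So strip
    the single list terminator first, then split on per-string terminators.
    """
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ data is not NUL-terminated")
    text = text[:-1]                  # drop the list terminator
    if text == "":
        return []
    parts = text.split("\0")
    if parts[-1] != "":
        raise ValueError("last string lacks its terminator")
    return parts[:-1]                 # drop the artifact of the trailing split


def encode_multi_sz(strings: List[str]) -> bytes:
    """Inverse of decode_multi_sz; used here only to build the sample blob."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Turn the flat string list into (operation, source, destination) triples."""
    if len(entries) % 2:
        raise ValueError("odd number of entries: value is corrupt or truncated")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src_path = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src_path, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src_path, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("move", src_path, _strip_nt_prefix(dst)))
    return ops


def is_scheduled(raw: bytes, path: str) -> bool:
    """True if `path` is the source of any queued operation (Windows paths are case-insensitive)."""
    wanted = path.lower()
    return any(src.lower() == wanted
               for _, src, _ in parse_pending_renames(decode_multi_sz(raw)))


# Constructed sample: the DLL queued for a move into a hypothetical quarantine
# folder, followed by a temp file queued for deletion. Not read from any real
# machine; "C:\quarantine" is an assumption, not a real tool's layout.
SAMPLE_RAW = encode_multi_sz([
    "\\??\\C:\\windows\\system32\\ssurf022.dll",
    "!\\??\\C:\\quarantine\\ssurf022.dll",
    "\\??\\C:\\Documents and Settings\\Melissa\\Local Settings\\Temp\\tmp1.tmp",
    "",
])

if __name__ == "__main__":
    for op, src, dst in parse_pending_renames(decode_multi_sz(SAMPLE_RAW)):
        print(f"{op:8s} {src}" + (f" -> {dst}" if dst else ""))
    print("ssurf022.dll queued:",
          is_scheduled(SAMPLE_RAW, r"C:\windows\system32\ssurf022.dll"))
```

On a live machine feed the value's raw bytes to decode_multi_sz rather than a pre-decoded list: CPython's winreg has historically stopped decoding a REG_MULTI_SZ at the first empty string, which is exactly what a delete entry is, so a queue with a delete in it comes back truncated. Sysinternals PendMoves shows the same queue without writing any code. If the entry is queued but the file is back after the reboot, the move did run and something that was still executing re-created it, which points at a second component rather than at the queue.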

#14
billco669
    Member
  • Topic Starter
  • 10 posts
Symantec is still detecting ssurf022.dll after running OTMoveIt2 Routine as instructed last.

#15
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Try this:

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, delete the file C:\windows\system32\ssurf022.dll.

Reboot and tell me if the file is present.