
sulimo.dat infection (Trojan.Smitfraud Variant/AIS)[CLOSED]


  • This topic is locked

#16
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Start WinPFind35u. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> viewpointservice.exe -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe
YY -> viewmgr.exe -> %ProgramFiles%\Viewpoint\Viewpoint Manager\ViewMgr.exe
[Win32 Services - Non-Microsoft Only]
YY -> (Viewpoint Manager Service) Viewpoint Manager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Viewpoint\Common\ViewpointService.exe
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> WLCtrl32 -> %SystemRoot%\SYSTEM32\WLCtrl32.dll
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1027762101-4183517902-688117879-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1027762101-4183517902-688117879-1006\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {65E7DB1D-0101-4100-BD66-C5C78C917F93}[HKEY_LOCAL_MACHINE] -> http://install.wildtangent.com/bgn/partners/aolim/install.cab[WTDMMPVersion Class]
[Files/Folders - Created Within 90 days]
NY -> Pua84.sys -> %SystemRoot%\System32\drivers\Pua84.sys
YN -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YN -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
YN -> WLCtrl32.dl_ -> %SystemRoot%\System32\WLCtrl32.dl_
YN -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> e80277abfc8f7b65.wmv.mp4 -> %UserProfile%\Desktop\e80277abfc8f7b65.wmv.mp4
[Files/Folders - Modified Within 90 days]
YN -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
YN -> WLCtrl32.dl_ -> %SystemRoot%\System32\WLCtrl32.dl_
[Extra Files]
C:\WINDOWS\System32\lanmanwrk.exe
Purity
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Also run a new WinPFind35U scan, using the same options as before.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


When done with the above, please run Combofix again, and post me the log it creates also.

Regards,
RatHat
  • 0



#17
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey RatHat,

I pasted the text in winpfind35u and ran fix it. I've attached the new winpfind35u log that I ran after the fix.

I also ran combofix again but it is not producing a log for me to look at. The computer still has a bunch of iexplore.exe processes started as soon as the internet is turned on and the CPU is pegged at or near 100%.

Do you think uninstalling IE 7 would help at all? I rarely use it, I use Firefox.

Thanks,
Jay

Attached Files


  • 0

#18
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
I doubt that uninstalling IE will make any difference, though you can try it.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
Ejn40


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Run Icesword again.

Step 1 : Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

C:\WINDOWS\SYSTEM32\xycdd.bak1
C:\WINDOWS\System32\lanmanwrk.exe
C:\WINDOWS\SYSTEM32\WLCtrl32.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\pss\autorun.exeCommon Startup


Step 2 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LogCrypt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lanmanwrk.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start WinPFind35u. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> WLCtrl32 -> %SystemRoot%\SYSTEM32\WLCtrl32.dll
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
NY -> 1 domain(s) and sub-domain(s) not assigned to a zone. -> 
[Files/Folders - Created Within 90 days]
YN -> ComboFix(2) -> %SystemDrive%\ComboFix(2)
YN -> QooBox -> %SystemDrive%\QooBox
YN -> Sun -> %SystemDrive%\Sun
YN -> _OTMoveIt -> %SystemDrive%\_OTMoveIt
YN -> fidbox.dat -> %SystemRoot%\System32\drivers\fidbox.dat
YN -> fidbox.idx -> %SystemRoot%\System32\drivers\fidbox.idx
YN -> lanmandrv.sys -> %SystemRoot%\System32\lanmandrv.sys
YN -> qmopt.dll -> %SystemRoot%\System32\qmopt.dll
YN -> sed.exe -> %SystemRoot%\System32\sed.exe
YN -> SrchSTS.exe -> %SystemRoot%\System32\SrchSTS.exe
YN -> VACFix.exe -> %SystemRoot%\System32\VACFix.exe
YN -> VCCLSID.exe -> %SystemRoot%\System32\VCCLSID.exe
YN -> VFind.exe -> %SystemRoot%\System32\VFind.exe
YN -> vsconfig.xml -> %SystemRoot%\System32\vsconfig.xml
YN -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
YN -> WLCtrl32.dl_ -> %SystemRoot%\System32\WLCtrl32.dl_
YN -> PSEXESVC.EXE -> %SystemRoot%\PSEXESVC.EXE
[Extra Files]
C:\WINDOWS\SYSTEM32\xycdd.bak1
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35U scan.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now, I have deleted the Combofix folders from your machine with WinPFind, so could you delete any versions of Combofix that you have left over, then download a new version.

Download ComboFix from Here, Here or Here to your Desktop.


When asked to "Save As" save Combofix.exe as Combo-Fix.exe
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then reboot your PC and run IceSword again. Save new logs from the "Processes", "Win32 Services", and "Startup" functions, taking note of any red entries from them and from the SSDT tab.

Post me the logs from all of the above when done.

Regards,
RatHat
  • 0

#19
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey Rathat,

Sorry for the delay; I followed all of the steps. Combofix reboots before I can get the log. The PC is running somewhat better but still has periods where the CPU spikes for no good reason and extraneous IE processes are started - I still think it's infected.

Process:

System Idle Process
System
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Dell\EUSW\support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\ituneshelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\icesword\IceSword122en\IceSword.exe


Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:Apple Mobile Device Display Name:Apple Mobile Device
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
Service Name:avast! Web Scanner Display Name:avast! Web Scanner
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:Creative Service for CDROM Access Display Name:Creative Service for CDROM Access
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:iPod Service Display Name:iPod Service
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LexBceS Display Name:LexBce Server
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:NwSapAgent Display Name:SAP Agent
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:vsmon Display Name:TrueVector Internet Monitor
Service Name:w32time Display Name:Windows Time
Service Name:WANMiniportService Display Name:WAN Miniport (ATW) Service
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WMDM PMSP Service Display Name:WMDM PMSP Service
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdReg
C:\WINDOWS\UpdReg.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DwlClient
C:\Program Files\Common Files\Dell\EUSW\Support.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EarthLink Installer
" /C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark X74-X75
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZoneAlarm Client
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AIM
C:\AIM95\aim.exe -cnetwait.odl

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Update Detection
C:\Program Files\Microsoft Works\WkDetect.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
googletalk
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
DESKTOP.INI


C:\Documents and Settings\Dad\Start Menu\Programs\Startup
YouTube Uploader.lnk
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (Remark:)


Red SSDT entries:

\SystemRoot\System32\vsdatant.sys

Thanks,
Jay
  • 0
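The "Startup:" listing in the post above is a flat export of Run keys and startup folders, three lines per item, and it is the sort of listing a helper reads by eye for malformed or oddly placed commands (the EarthLink entry whose command is just `" /C`, a GoogleUpdate.exe living under Local Settings). As an added example that is not part of the thread or of IceSword, the following Python parser reads that layout and flags the entries a reviewer would want to look at first. The sample export is constructed, modelled on the posted listing; the three heuristics (no executable in the command, executable under a user-profile directory, unquoted path containing spaces) are assumptions of this example, and a flag means "review this", not "this is malware" (the Dell and Google entries it flags are legitimate software on this machine).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the IceSword "Startup" export quoted in this thread:
# location line (registry key or startup folder), value name, command, blank line.
SAMPLE_STARTUP = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EarthLink Installer
" /C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DwlClient
C:\Program Files\Common Files\Dell\EUSW\Support.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update
"C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3\GoogleUpdate.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI
"""

# First executable-looking token of a command line, quoted or not (assumed heuristic).
EXE_RE = re.compile(r'^\s*"?(.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:"|\s|$)', re.IGNORECASE)

# Path fragments that indicate a user-writable profile location on Windows XP (assumed list).
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")


@dataclass
class StartupEntry:
    location: str                      # registry Run key or startup folder
    name: str                          # value name, or file name for a folder item
    command: str                       # command line; '' when the export lists none
    flags: list = field(default_factory=list)


def parse_startup(text):
    """Split the export into blank-line-separated blocks of two or three lines."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        command = lines[2] if len(lines) > 2 else ""
        entries.append(StartupEntry(lines[0], lines[1], command))
    return entries


def executable_of(command):
    """Return the executable path/name a command line starts with, or None."""
    m = EXE_RE.match(command)
    return m.group(1) if m else None


def review(entry):
    """Attach review flags to one entry and return it."""
    exe = executable_of(entry.command)
    if entry.command and exe is None:
        entry.flags.append("malformed command (no executable path)")
    if exe:
        low = exe.lower()
        if any(marker in low for marker in USER_WRITABLE):
            entry.flags.append("runs from a user-writable profile directory")
        if " " in exe and not entry.command.lstrip().startswith('"'):
            entry.flags.append("unquoted path containing spaces")
    return entry


def flagged_entries(text):
    """Map value name -> flags for every entry that earned at least one flag."""
    return {e.name: e.flags for e in map(review, parse_startup(text)) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged_entries(SAMPLE_STARTUP).items():
        print(f"{name}: {'; '.join(flags)}")
```

Run against the constructed sample it reports the EarthLink entry as malformed, the Google Update entry as running from the profile, and the Dell entry as an unquoted path; the avast! entry and the DESKTOP.INI folder item pass. To use it on a real export, paste the "Startup:" block into SAMPLE_STARTUP or read it from a file.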

#20
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you post me another WinPFind35 log please?

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Check the radio button under Rootkit Search for Yes
  • Under Additional Scans check the following:
    • Reg - ActiveX StubPath
    • Reg - App Paths
    • Reg - BotCheck
    • Reg - ControlSets
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - Security Settings
    • Reg - Session Manager Settings
    • Reg - Shell Spawning
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Regards,
RatHat
  • 0

#21
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Do you still require assistance with this log?

Regards,
RatHat
  • 0

#22
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact myself or another staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#23
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Topic re-opened at user request.
  • 0

#24
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey RatHat,

Attached is the WinPFind35u log.

Thanks for the help.
Jay

Attached Files


  • 0

#25
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK Jay, let's have another go at this bugger!

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\drivers\afk73.sys
%systemroot%\system32\wlctrl32.dl_
%systemroot%\system32\wlctrl32.dll
%systemroot%\system32\ws2fix.exe
%systemroot%\system32\zip.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> WLCtrl32 -> %SystemRoot%\SYSTEM32\WLCtrl32.dll
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: SearchURL\\ -> [Reg Error: Value provider does not exist or could not be read.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1027762101-4183517902-688117879-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-1027762101-4183517902-688117879-1006\: SearchURL\\ -> [Reg Error: Value provider does not exist or could not be read.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {41F17733-B041-4099-A042-B518BB6A408C}[HKEY_LOCAL_MACHINE] -> http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[Reg Error: Key does not exist or could not be opened.]
YN -> {65E7DB1D-0101-4100-BD66-C5C78C917F93}[HKEY_LOCAL_MACHINE] -> http://install.wildtangent.com/bgn/partners/aolim/install.cab[Reg Error: Key does not exist or could not be opened.]
YN -> DirectAnimation Java Classes[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\dajava.cab[Reg Error: Key does not exist or could not be opened.]
YN -> Microsoft XML Parser for Java[HKEY_LOCAL_MACHINE] -> file://C:\WINDOWS\Java\classes\xmldso.cab[Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
*PendingFileRenameOperations* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations
YN -> "!\??\C:\WINDOWS\System32\WLCtrl32.dll [!\??\C:\WINDOWS\System32\WLCtrl32.dll] " -> []
YN -> "\??\C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3 [\??\C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3] " -> %UserProfile%\Local Settings\Application Data\Google\Update\1.0.1 [%UserProfile%\Local Settings\Application Data\Google\Update\1.0.1]
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
[Files/Folders - Created Within 90 days]
NY -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
NY -> WLCtrl32.dl_ -> %SystemRoot%\System32\WLCtrl32.dl_
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
NY -> zip.exe -> %SystemRoot%\System32\zip.exe
[Files/Folders - Modified Within 90 days]
NY -> Afk73.sys -> %SystemRoot%\System32\drivers\Afk73.sys
NY -> 8 C:\Documents and Settings\Dad\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Dad\Local Settings\temp\*.tmp
NY -> 8 C:\Documents and Settings\Dad\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Dad\Local Settings\temp\*.tmp
NY -> 8 C:\Documents and Settings\Dad\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Dad\Local Settings\temp\*.tmp
NY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> 2 C:\Documents and Settings\Dad\My Documents\*.tmp files -> C:\Documents and Settings\Dad\My Documents\*.tmp
[CatchMe Rootkit Scan by GMER]
NY -> C:\WINDOWS\Temp\_avast4_\unp75687828.tmp -> 
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\


Regards,
RatHat
  • 0
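The OTScanIt fix script in this post lists its targets as `NY -> name -> path` lines under bracketed section headers, and the fix log OTScanIt writes afterwards (the topic starter posts one later in the thread) reports each action as "moved successfully", "not found!", "scheduled to be ... on reboot" or "Unable to delete". Reconciling the two by hand is how a helper decides what still needs checking after the reboot. As an added example that is neither the thread's nor OldTimer's code, this Python script parses both formats and maps every file-system target of the script to its outcome. The sample script and log are constructed, modelled on the ones in this thread; the variable expansions in ENV (C:\WINDOWS, profile "Dad") and the status names are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Constructed fix script, in the OTScanIt/WinPFind35u layout used in this thread.
SAMPLE_SCRIPT = r"""[Unregister Dlls]
[Files/Folders - Created Within 90 days]
NY -> WLCtrl32.dll -> %SystemRoot%\System32\WLCtrl32.dll
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
[Files/Folders - Modified Within 90 days]
NY -> Afk73.sys -> %SystemRoot%\System32\drivers\Afk73.sys
NY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Extra Files]
C:\WINDOWS\SYSTEM32\xycdd.bak1
[Empty Temp Folders]
"""

# Constructed fix log, in the layout OTScanIt writes after running a script.
SAMPLE_LOG = r"""Explorer killed successfully
[Files/Folders - Created Within 90 days]
DllUnregisterServer procedure not found in C:\WINDOWS\System32\WLCtrl32.dll
C:\WINDOWS\System32\WLCtrl32.dll NOT unregistered.
C:\WINDOWS\System32\WLCtrl32.dll moved successfully.
File C:\WINDOWS\System32\WS2Fix.exe not found!
[Files/Folders - Modified Within 90 days]
File move failed. C:\WINDOWS\System32\drivers\Afk73.sys scheduled to be moved on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT0126c.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]
User temp folders emptied.
< End of fix log >
"""

# Assumed expansions for the XP machine in this thread; adjust for another system.
ENV = {
    "%systemroot%": r"C:\WINDOWS",
    "%systemdrive%": "C:",
    "%programfiles%": r"C:\Program Files",
    "%userprofile%": r"C:\Documents and Settings\Dad",
}

ENTRY_RE = re.compile(r"^[YN]{2} -> (.+?) -> (.*)$")   # "NY -> name -> path"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                  # only file-system targets

# Log line shapes; list order is also precedence when a target matches several lines.
OUTCOME_RES = [
    ("failed", re.compile(r"^Unable to delete (?:registry value )?(.+?)\s*\.$")),
    ("pending_reboot", re.compile(
        r"^File (?:move|delete) failed\. (.+?) scheduled to be (?:moved|deleted) on reboot\.$")),
    ("absent", re.compile(r"^File (.+?) not found!$")),
    ("done", re.compile(
        r"^(?:Registry key |Registry value )?(.+?)(?: folder)? (?:deleted|moved) successfully\.$")),
]
PRECEDENCE = [status for status, _ in OUTCOME_RES]


def expand(path):
    """Replace %SystemRoot%-style variables case-insensitively using ENV."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def parse_fix_script(text):
    """Return the distinct file-system targets (wildcards kept) the script acts on."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        candidate = expand(m.group(2)) if m else line   # bare paths appear under [Extra Files]
        if DRIVE_RE.match(candidate) and candidate not in targets:
            targets.append(candidate)
    return targets


def parse_fix_log(text):
    """Return (status, lower-cased path) for every log line that reports an outcome."""
    outcomes = []
    for line in text.splitlines():
        for status, rx in OUTCOME_RES:
            m = rx.match(line.strip())
            if m:
                outcomes.append((status, m.group(1).strip().lower()))
                break
    return outcomes


def reconcile(script_text, log_text):
    """Map each script target to its worst observed outcome, or 'no_record'."""
    outcomes = parse_fix_log(log_text)
    result = {}
    for target in parse_fix_script(script_text):
        hits = {s for s, path in outcomes if fnmatchcase(path, target.lower())}
        result[target] = next((s for s in PRECEDENCE if s in hits), "no_record")
    return result


def needs_follow_up(script_text, log_text):
    """Targets to re-check after the reboot: failed, deferred, or never mentioned."""
    return sorted(t for t, s in reconcile(script_text, log_text).items()
                  if s in ("failed", "pending_reboot", "no_record"))


if __name__ == "__main__":
    for target, status in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{status:15} {target}")
```

On the constructed pair, WLCtrl32.dll is reported done, WS2Fix.exe absent, Afk73.sys and the Temp wildcard deferred to the reboot, and xycdd.bak1 has no record at all, which is exactly the list a helper would ask to be confirmed in the next scan.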



#26
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Jay?
  • 0

#27
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey RatHat,

Sorry, been busy and the computer is difficult to work with. I did run the last two things you recommended and will post logs tonight. Unfortunately the virus appears to still be there.

Thanks,
Jay
  • 0

#28
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey RatHat,

Sorry for the delay. Here are the logs:

OTScanIt:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL\\'' updated successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL\\provider not found.
Registry key HKEY_USERS\1-5-21-1027762101-4183517902-688117879-1006\SOFTWARE\Microsoft\Internet Explorer\SearchURL\ not found.
Registry key HKEY_USERS\1-5-21-1027762101-4183517902-688117879-1006\SOFTWARE\Microsoft\Internet Explorer\SearchURL\ not found.
Starting removal of ActiveX control {41F17733-B041-4099-A042-B518BB6A408C}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41F17733-B041-4099-A042-B518BB6A408C}\Contains\Files\ not found.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41F17733-B041-4099-A042-B518BB6A408C}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41F17733-B041-4099-A042-B518BB6A408C}\ not found.
Starting removal of ActiveX control {65E7DB1D-0101-4100-BD66-C5C78C917F93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{65E7DB1D-0101-4100-BD66-C5C78C917F93}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\wtinst.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65E7DB1D-0101-4100-BD66-C5C78C917F93}\ not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\Contains\Files\ not found.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\DirectAnimation Java Classes\ not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\Contains\Files\ not found.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Microsoft XML Parser for Java\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations:"!\??\C:\WINDOWS\System32\WLCtrl32.dll .
Unable to delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations:"\??\C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.0.103.3 .
[Files/Folders - Created Within 90 days]
DllUnregisterServer procedure not found in C:\WINDOWS\System32\WLCtrl32.dll
C:\WINDOWS\System32\WLCtrl32.dll NOT unregistered.
C:\WINDOWS\System32\WLCtrl32.dll moved successfully.
C:\WINDOWS\System32\WLCtrl32.dl_ moved successfully.
File C:\WINDOWS\System32\WS2Fix.exe not found!
File C:\WINDOWS\System32\zip.exe not found!
[Files/Folders - Modified Within 90 days]
File move failed. C:\WINDOWS\System32\drivers\Afk73.sys scheduled to be moved on reboot.
C:\Documents and Settings\Dad\Local Settings\temp\GUM1D.tmp folder deleted successfully.
C:\Documents and Settings\Dad\Local Settings\temp\GUM8DC.tmp folder deleted successfully.
C:\Documents and Settings\Dad\Local Settings\temp\WZSE0.TMP folder deleted successfully.
File delete failed. C:\WINDOWS\Temp\ZLT0126c.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT035c8.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT0126c.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT035c8.TMP scheduled to be deleted on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Dad\Local Settings\temp\Temporary Internet Files\Content.IE5\Z8AX5ZTR\AIM_UAC[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dad\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dad\Local Settings\temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dad\Local Settings\temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dad\Local Settings\temp\Perflib_Perfdata_de0.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp170498278.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp55134203.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\unp62829487.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_72c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0126c.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT035c8.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.6.0 fix logfile created on 03202008_234645

Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\drivers\afk73.sys" deleted successfully.
File "C:\WINDOWS\system32\wlctrl32.dl_" deleted successfully.
File "C:\WINDOWS\system32\wlctrl32.dll" deleted successfully.
File "C:\WINDOWS\system32\ws2fix.exe" deleted successfully.
File "C:\WINDOWS\system32\zip.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

maint.txt:

Deckard's System Scanner v20071014.68
Run by Dad on 2008-03-29 13:21:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
40: 2008-03-29 18:21:37 UTC - RP40 - Deckard's System Scanner Restore Point
39: 2008-03-29 03:56:30 UTC - RP39 - System Checkpoint
38: 2008-03-28 03:40:58 UTC - RP38 - System Checkpoint
37: 2008-03-27 03:03:48 UTC - RP37 - System Checkpoint
36: 2008-03-26 02:59:02 UTC - RP36 - System Checkpoint


-- First Restore Point --
1: 2008-02-24 02:42:27 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:50 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Documents and Settings\Dad\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildt...lim/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185736413671
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleCSService - Unknown owner - C:\oracle\product\10.1.0\Db_1\bin\ocssd.exe
O23 - Service: OracleOraDb10g_home1SNMPPeerEncapsulator - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\ENCSVC.EXE
O23 - Service: OracleOraDb10g_home1SNMPPeerMasterAgent - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\AGNTSVC.EXE
O23 - Service: OracleOraDb10g_home1TNSListener - Unknown owner - C:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9898 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080220-225039-666 O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
backup-20080301-105113-229 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080301-105113-312 O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\System32\pcdlib32.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Afk73 - c:\windows\system32\drivers\afk73.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>

S0 ntcdrdrv - c:\windows\system32\drivers\ntcdrdrv.sys (file missing)
S0 OCDE (ZTekWare Original CD Emulator Service) - c:\windows\system32\drivers\ocde.sys (file missing)
S3 catchme - c:\docume~1\dad\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 MEMSWEEP2 - c:\windows\system32\5.tmp (file missing)
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 USB2_04 (USB2_04 driver) - c:\windows\system32\drivers\nkv2.sys (file missing)
S3 USBIO (USBIO Driver (usbio.sys)) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)
S3 MySQL - "c:\program files\mysql\mysql server 4.1\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 4.1\my.ini" mysql (file missing)
S3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
S3 OracleCSService - c:\oracle\product\10.1.0\db_1\bin\ocssd.exe service
S3 OracleOraDb10g_home1SNMPPeerEncapsulator - c:\oracle\product\10.1.0\db_1\bin\encsvc.exe
S3 OracleOraDb10g_home1SNMPPeerMasterAgent - c:\oracle\product\10.1.0\db_1\bin\agntsvc.exe
S3 OracleOraDb10g_home1TNSListener - c:\oracle\product\10.1.0\db_1\bin\tnslsnr (file missing)
S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
S4 OracleDBConsoleorcl - c:\oracle\product\10.1.0\db_1\bin\nmesrvc.exe <Not Verified; Oracle Corporation; >
S4 OracleJobSchedulerORCL - c:\oracle\product\10.1.0\db_1\bin\extjob.exe orcl
S4 OracleOraDb10g_home1iSQL*Plus - c:\oracle\product\10.1.0\db_1\bin\isqlplussvc.exe <Not Verified; Oracle; IPlusSvce>
S4 OracleServiceORCL - c:\oracle\product\10.1.0\db_1\bin\oracle.exe orcl <Not Verified; Oracle Corporation; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-28 22:22:41 3104 --a------ C:\questions
2008-03-28 11:22:09 0 d-------- C:\Documents and Settings\Dad\Application Data\Creative Memories Photo Center
2008-03-25 20:36:15 1192 --a------ C:\WINDOWS\system32\drivers\0ljc.exe
2008-03-25 20:17:50 0 d-------- C:\spoolerlogs
2008-03-24 21:51:11 0 d-------- C:\Program Files\iTunes
2008-03-24 21:48:09 0 d-------- C:\Program Files\Bonjour
2008-03-24 21:46:36 0 d-------- C:\Program Files\QuickTime
2008-03-21 23:03:55 0 d-------- C:\Program Files\Psicraft
2008-03-21 23:03:55 0 d-------- C:\Documents and Settings\Dad\Application Data\Psicraft
2008-03-21 00:14:39 11776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-20 23:47:22 1192 --a------ C:\WINDOWS\system32\drivers\296ljc.exe
2008-03-20 23:45:24 0 d-------- C:\OTScanIt
2008-03-20 23:36:21 26496 --a------ C:\WINDOWS\system32\drivers\Afk73.sys
2008-03-19 22:51:12 1192 --a------ C:\WINDOWS\system32\drivers\609ljc.exe
2008-03-15 11:36:34 0 d-------- C:\Documents and Settings\Dad\Application Data\TaxCut
2008-03-15 11:34:36 0 d-------- C:\Program Files\TaxCut07
2008-03-15 11:34:36 0 d-------- C:\Program Files\PDF995
2008-03-15 11:25:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-15 11:15:08 1192 --a------ C:\WINDOWS\system32\drivers\406ljc.exe
2008-03-14 14:02:18 0 d-------- C:\WinPFind35u
2008-03-10 08:18:16 0 d-------- C:\Documents and Settings\Dad\Application Data\ppStream
2008-03-09 13:38:22 0 d-------- C:\ppmaterecord
2008-03-09 13:36:49 0 d-------- C:\Documents and Settings\Dad\Application Data\PPMate
2008-03-09 13:36:42 0 d-------- C:\Program Files\Common Files\Synacast
2008-03-09 13:36:29 0 d-------- C:\Program Files\PPMate
2008-03-01 12:53:11 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-29 09:56:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Creative Memories
2008-02-29 09:56:29 0 d-------- C:\Documents and Settings\Dad\Application Data\Creative Memories
2008-02-29 09:53:05 0 d-------- C:\Program Files\Creative Memories


-- Find3M Report ---------------------------------------------------------------

2008-03-24 21:51:35 0 d-------- C:\Program Files\iPod
2008-03-15 11:37:46 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-03-15 11:37:46 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-03-09 13:36:42 0 d-------- C:\Program Files\Common Files
2008-02-23 22:32:40 0 d-------- C:\Program Files\winpfind35u
2008-02-21 22:09:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 22:06:45 0 d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-02-21 19:52:32 0 d-------- C:\Program Files\Sophos
2008-02-18 23:27:47 0 d-------- C:\Program Files\Panda Security
2008-02-17 18:30:44 0 d-------- C:\Program Files\Sun
2008-02-17 18:30:22 0 d-------- C:\Program Files\Java
2008-02-16 11:58:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 11:51:36 0 d-------- C:\Program Files\eMusic Download Manager
2008-02-15 21:52:48 0 d-------- C:\Program Files\America Online 7.0
2008-02-15 21:06:09 2508 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-15 20:55:57 0 d-------- C:\Program Files\Trend Micro
2008-02-14 10:06:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-13 21:13:57 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-02-13 21:13:55 0 d-------- C:\Program Files\ZoneAlarmSB
2008-02-13 04:23:53 0 d-------- C:\Program Files\Lexmark X74-X75
2008-02-10 14:54:31 0 d-------- C:\Documents and Settings\Dad\Application Data\OpenOffice.org2
2008-02-08 11:37:47 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-05 19:02:01 92968 --a------ C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
02/13/2008 09:13 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [02/13/2008 09:13 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 02:16 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [01/28/2008 07:12 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [01/28/2008 07:12 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"nwiz"="nwiz.exe" [10/06/2003 02:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"EarthLink Installer"=" /C" []
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [01/28/2008 07:12 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 05:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 04:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\AIM95\aim.exe" [01/28/2008 07:12 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/28/2008 07:12 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/28/2008 07:12 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Google Update"="C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" [03/12/2008 10:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
YouTube Uploader.lnk - C:\Documents and Settings\Dad\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [11/9/2007 2:33:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 03/25/2008 08:21 PM 11776 C:\WINDOWS\SYSTEM32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ejn40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbf72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
C:\PROGRA~1\NORTON~1\navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VPN]
C:\Program Files\Linksys\Linksys VPN Client\VPNClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SBService"=2 (0x2)
"navapsvc"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"OracleServiceORCL"=3 (0x3)
"OracleDBConsoleorcl"=3 (0x3)
"OracleOraDb10g_home1iSQL*Plus"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-03-29 13:25:28 ------------



extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 511 MiB / 171.5 MiB
Pagefile Memory (total/avail): 1555.04 MiB / 1104.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.66 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 21.6 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 7.84 GiB total, 2.33 GiB free.
F: is Removable (No Media)
H: is Removable (FAT32)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE1 - Maxtor 90840D5 - 7.85 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 7.85 GiB - E:

\\.\PHYSICALDRIVE0 - ST380021A - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.5 GiB - C:

\\.\PHYSICALDRIVE3 - Apple iPod USB Device - 27.95 GiB - 1 partition
\PARTITION0 - Unknown - 27.87 GiB - H:

\\.\PHYSICALDRIVE2 - SanDisk SDDR33USB/SDMMC USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirewallOverride is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)
AV: avast! antivirus 4.7.1098 [VPS 080329-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dad\Application Data
classpath=.;C:\j2sdkee1.3.1\lib\j2ee.jar;c:\lj;c:\virtualplaza;c:\jdk1.3.1_06\jre\lib\rt.jar;c:\lj\jars\twz1jdbcForMysql.jar;c:\lj\jars\servlet.jar;c:\lj\jars\mail.jar;c:\lj\jars\activation.jar;c:\lj\jars\jive.jar;e:\mm.mysql.jdbc-1.2b\mm.mysql.jdbc-1.2b.zip;C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DBR4K321
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dad
LOGONSERVER=\\DBR4K321
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\oracle\product\10.1.0\Db_1\bin;C:\oracle\product\10.1.0\Db_1\jre\1.4.2\bin\client;C:\oracle\product\10.1.0\Db_1\jre\1.4.2\bin;C:\Program Files\Common Files\Adaptec Shared\System;c:\vslick\win;c:\jdk1.3.1_06\bin;c:\putty;C:\Program Files\Common Files\Autodesk Shared;C:\Program Files\Autodesk\backburner;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\PKWARE\pkzipc";;C:\PROGRA~1\DAZZLE~1\BIN;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PERL5LIB=C:\oracle\product\10.1.0\Db_1\perl\lib\5.6.1\MSWin32-x86;C:\oracle\product\10.1.0\Db_1\perl\lib\5.6.1;C:\oracle\product\10.1.0\Db_1\perl\5.6.1\lib\MSWin32-x86;C:\oracle\product\10.1.0\Db_1\perl\site\5.6.1;C:\oracle\product\10.1.0\Db_1\perl\site\5.6.1\lib;C:\oracle\product\10.1.0\Db_1\sysman\admin\scripts
PKSFXDATA=C:\Program Files\Common Files\PKWARE\Pksfxs.dat
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dad\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=DBR4K321
USERNAME=Dad
USERPROFILE=C:\Documents and Settings\Dad
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dad (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
--> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Action Replay Code Manager --> "C:\Program Files\Datel\Action Replay Code Manager\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
America Online --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20011028.1) --> C:\WINDOWS\AolCInUn.exe
AOL Instant Messenger --> C:\AIM95\uninstll.exe -LOG= C:\AIM95\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Backburner --> MsiExec.exe /I{3D347E6D-5A03-4342-B5BA-6A771885F379}
Basic Facts Worksheet Factory --> MsiExec.exe /I{1E85CABF-0984-482A-BF5D-E9AC4BF33694}
Beyond Compare Version 2.1.2 --> "C:\Program Files\Beyond Compare 2\unins000.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BUM --> MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
Canon PhotoRecord --> MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F0FC315A-7D1D-444F-BB96-A59B28179626}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Command & Conquer Tiberian Sun --> C:\Westwood\SUN\Uninstll.EXE
Creative Memories StoryBook Creator Plus --> MsiExec.exe /I{A3C7B70F-E60A-4429-B0EF-D5289EF89C5B}
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\windows\googletoolbar4.dll"
Google Video Uploader --> "C:\Program Files\Google Video\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hy-Tek's T&F TEAM MANAGER --> C:\WINDOWS\uninst.exe -fc:\hy-sport\TFWin-TM\DeIsL1.isu -cc:\hy-sport\TFWin-TM\_ISREG32.DLL
Hy-Tek's T&F TEAM MANAGER Lite --> C:\WINDOWS\uninst.exe -f"C:\Program Files\T&F TEAM MANAGER Lite\DeIsL1.isu" -c"C:\Program Files\T&F TEAM MANAGER Lite\_ISREG32.DLL"
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iPod Updater 2004-11-15 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KODAK EASYSHARE Gallery Easy Upload, v2.1 --> C:\Documents and Settings\Dad\Local Settings&
  • 0

#29
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
You know Jay, I think this nasty little bugger has just raised its ugly head! So let's see if we can lop it off!

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
Afk73
catchme
MEMSWEEP2

Files to delete:
C:\WINDOWS\system32\drivers\0ljc.exe
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\drivers\296ljc.exe
C:\WINDOWS\system32\drivers\Afk73.sys
C:\WINDOWS\system32\drivers\609ljc.exe
C:\WINDOWS\system32\drivers\406ljc.exe
C:\WINDOWS\system32\drivers\Ejn40.sys
C:\WINDOWS\system32\drivers\Vbf72.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log, and let me know how your computer is doing now.

Regards,
RatHat
  • 0
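A small checker for the script format in the post above, added here as an example (it is not part of the thread and not code from The Avenger): it parses the "Drivers to delete" / "Files to delete" / "Registry keys to delete" sections and reports which listed artifacts still exist after the reboot, so the cleanup can be verified against C:\avenger.txt. The function names and the `checks` predicate mapping are my own; the embedded script text is a copy of the one posted.

```python
"""Checks for the Avenger-style script posted above (added example, not part
of the thread or of The Avenger): parse it, then list what still exists."""
import re

AVENGER_SCRIPT = r"""
Drivers to delete:
Afk73
catchme
MEMSWEEP2

Files to delete:
C:\WINDOWS\system32\drivers\0ljc.exe
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\drivers\296ljc.exe
C:\WINDOWS\system32\drivers\Afk73.sys
C:\WINDOWS\system32\drivers\609ljc.exe
C:\WINDOWS\system32\drivers\406ljc.exe
C:\WINDOWS\system32\drivers\Ejn40.sys
C:\WINDOWS\system32\drivers\Vbf72.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32
"""  # copy of the script in the post above, embedded so this runs offline

SECTION_RE = re.compile(r"^(.+?) to (delete|disable):$", re.I)  # "Files to delete:"

def parse_avenger_script(text):
    """Return {section: [entries]} in the order the sections appear."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} to {m.group(2)}".lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def remaining_artifacts(sections, checks):
    """checks maps a section name to a predicate returning True when the
    artifact is still present; on the cleaned PC pass os.path.exists for
    "files to delete" and a winreg-based check for "registry keys to delete"."""
    return [(sec, e) for sec, pred in checks.items()
            for e in sections.get(sec, []) if pred(e)]
```

Anything returned by `remaining_artifacts` after the Avenger reboot is an entry the script did not remove and is worth mentioning in the reply along with the log.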

#30
gilliganmn

gilliganmn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey RatHat,

Great! We're on vacation until Thursday (4/3) so I'll try this Thursday night. The computer is turned off at home.

Thanks,
Jay
  • 0
