[takk]

Hi all,

I posted an intro earlier today. The reason I am here is...

My lap-top began running very slowly last Tuesday evening, I was using FireFox but IE windows kept popping up and my FireFox windows would all mysteriously disapper; I also noticed that when I booted my computer, at various points while it was loading the windows settings, these black “...\system32\command.com” boxes would flash on the screen and disappear (this is not normal for my computer when I boot up at home – it IS normal when I boot up while connected to the server at the university I work at, but then the boxes stay on the screen long enough for me to read the commands as they appear and are executed).

Various viruses have been identified by the different anti-virus program scans I’ve run over the past few days, but the one that keeps re-appearing (sometimes disappearing from a scan, only to re-appear on the next scan with the same program) is a Virtumonde (Vundo) variant of some sort. Other viruses/spyware have come up as well, but the anti-virus program “fixes” appear to have worked on those.

I left my lap-top with my university's computer centre for all of Thursday afternoon, but as far as I could tell, all they did was run SUPERAntiSpyware - they told me it had picked up a few viruses, but they had given it a "deep clean" (haha!) and everything would now be okay. I took it home, ran SUPERAntiSpyware again and, as you might expect, Vundo was still there. I called the computer centre to tell them and they said I'd have to reformat my HD and re-install everything. I said that would be my very last resort, went searching for solutions, and ended up here!

I followed the instructions in the “Important, read this first” post and ran all the recommended antivirus/spyware programs as well as the specific software fixes for Vundo. The end result is that today, none of my scans are turning up any signs of infection. However, SpyBot Teatimer (which I just installed a few days ago, after the virus problems started) keeps alerting me to some black-listed program trying to make changes to my registry settings, the black “command.com” screens continue to pop up and disappear immediately (~150 ms I would guess) during boot up when windows is “loading your personal settings” (I think that's when it happens), and everything is still running more slowly than usual. I don’t think Vundo is gone – is it possible that it is hiding from the virus scanners somewhere?

Here are the log files for the various virus scans. I will put the combofix and HijackThis log files at the end (so you can find them easily if you'd like to see those first).

I ran Vundofix yesterday when I still had Vundo on my computer (according to at least one AV program), but it didn’t find any Vundo.

LOGS

Log of SpyBot Search & Destroy Scan (Fix log is below)

--- Report generated: 2008-02-14 22:57 ---

Virtumonde: [SBI $FDAA1FF2] Library (File, nothing done)
C:\WINDOWS\system32\ddcca.dll

Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\aldd

Virtumonde: [SBI $E7C36CB1] Executable (File, nothing done)
C:\Documents and Settings\me\Local Settings\Temp\removalfile.bat

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2006-10-19 unins000.exe (51.41.0.0)
2008-02-14 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll


Log of SpyBot Search & Destroy Fixes:

--- Report generated: 2008-02-14 23:01 ---

Virtumonde: [SBI $FDAA1FF2] Library (File, fixed)
C:\WINDOWS\system32\ddcca.dll

Virtumonde: [SBI $42352499] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-82194667-1315141139-1877560073-1779\Software\Microsoft\aldd

Virtumonde: [SBI $E7C36CB1] Executable (File, fixed)
C:\Documents and Settings\me\Local Settings\Temp\removalfile.bat


Note that SpyBot continued to find virtumonde even after the fixes it logged above (for some reason, there doesn't appear to be a log file of my other SpyBot scans, but I wrote down the one it continued to find):


Virtumonde: [SBI $47E741CD] Settings (Registry key)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws


After several scans and fixes, it is now coming up clean.


After I installed SpyBot TeaTimer which gives alerts when a program is trying to make changes to the registry, each time I restarted the computer, it alerted me that a "blacklisted program" was trying to make changes and did I want to allow it or not – I wasn’t sure what to do, but on various reboots I tried allowing them and not allowing them. Here’s the log of that process (each bunch of entries is one reboot):

SpyBot TeaTimer log

2/14/2008 11:00:23 PM Allowed (based on user decision) value "SpybotDeletingB5324" (new data: "command /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup user entry!
2/14/2008 11:00:32 PM Allowed (based on user decision) value "SpybotDeletingD7247" (new data: "cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup user entry!
2/14/2008 11:00:46 PM Allowed (based on user decision) value "SpybotDeletingA5021" (new data: "command /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup global entry!
2/14/2008 11:00:56 PM Allowed (based on user decision) value "SpybotDeletingC7838" (new data: "cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"") added in System Startup global entry!
2/14/2008 11:16:20 PM Denied (based on user decision) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/14/2008 11:16:34 PM Denied (based on user decision) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/14/2008 11:16:39 PM Denied (based on user decision) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/14/2008 11:16:42 PM Denied (based on user decision) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/14/2008 11:19:17 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/14/2008 11:19:17 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/15/2008 1:27:18 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/15/2008 1:27:19 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/15/2008 2:14:43 PM Allowed (based on user decision) value "{64236E7F-EBCC-48BD-AF50-9AB92686F49F}" (new data: "") deleted in Browser Helper Object!
2/15/2008 2:43:44 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/15/2008 2:43:45 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 5:21:27 AM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 8:49:15 AM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 8:49:17 AM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 3:39:20 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 4:28:45 PM Allowed (based on user decision) value "!AVG Anti-Spyware" (new data: ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized") added in System Startup global entry!
2/16/2008 6:59:52 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 6:59:54 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 6:59:54 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 6:59:55 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/16/2008 11:18:07 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/16/2008 11:18:08 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry! (my note: the same ones come up every time I reboot)
2/17/2008 1:21:40 AM Allowed (based on user decision) value "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}" (new data: "") added in ActiveX Distribution Unit! (my note: Panda controle)
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2/17/2008 1:08:38 PM Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry! (my note: spybot is no longer detecting Vundo, but still get these blocked registsry changes on boot-up).
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingB5324" (new data: "") deleted in System Startup user entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingD7247" (new data: "") deleted in System Startup user entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingA5021" (new data: "") deleted in System Startup global entry!
2008-02-17 16:36:46 Denied (based on user blacklist) value "SpybotDeletingC7838" (new data: "") deleted in System Startup global entry!


TrendMicro OfficeScan log:

Log Type: Manual Scan
Date & Time: 2008-02-13 00 - Wednesday (Tues night)
File Name: C:\Documents and Settings\me\LocalSettings\Temporary Internet
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk but could not clean or quarantine the file.
*****
Log Type: Manual Scan - Wednesday (Tues night)
Date & Time: 2008-02-13 00
File Name: C:\DOCUME~1\me\LOCALS~\Temp\jnnimmxh.dll
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk. The file was quarantined.
*****
Log Type: Manual Scan
Date & Time: 2008-02-13 15 - Wednesday
File Name: C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\P2P\TrustyFiles Folders\EvID4226.EXE
Malware Name: HKTL_EVID.AF
Action: OfficeScan detected a security risk but could not clean the file. The file was quarantined.
*****
Log Type: Manual Scan
Date & Time: 2008-02-13 16 - Wednesday
File Name: C:\System Volume Information\_restore{659E39E4-B470-43C9-8AB0-4735A20D0FE1}\RP288\A0055231.EXE
Malware Name: HKTL_EVID.AF
Action: OfficeScan detected a security risk but could not clean the file. The file was quarantined.
*****
Log Type: Real-time Scan
Date & Time: 2008-02-14 00 - Thursday
File Name: C:\Documents and Settings\me\LocalSettings\Temporary Internet Files\Content.IE5\2CZPHDDZ\tr[1]
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk but could not clean or quarantine the file.
*****
Log Type: Real-time Scan
Date & Time: 2008-02-14 00 - Thursday
File Name: C:\DOCUME~1\me\LOCALS~\Temp\ysdnbwqo.dll
Malware Name: TROJ_VUNDO.YEK
Action: OfficeScan detected a security risk. The file was quarantined.
*****

All subsequent scans found nothing (“no security threats were found”).


Note: That “TrustyFiles” folder belongs to an old P2P program that I downloaded and paid for (bought a legit license) a few years ago. I only used it for downloading mp3s and I haven’t used it or looked in that folder in over a year. So why would a virus suddenly end up in there?

I also ran TrendMicro online “housecall” scans a couple of times. The first time I tried running it using FireFox (my preferred browser), Internet Explorer windows kept opening up with a page title “crush-counter” and my FireFox browser would shut down. I remembered reading somewhere on the TrendMicro site that I should first disable System Restore and %Windows%\explorer.exe (using Task Manager). After that, the IE pages stopped popping up and my FireFox browser was able to run the housecall online scan. I don’t have a log for that scan, but I wrote down that it found the following:

ADWARE_ADDELETE
SPYWARE_KEYL_ASTLOG
HACKINGTOOLS_MAILPASSVIEW
ADWARE_MEMWATCHER

I selected clean/fix then did another online housecall scan to make sure they were really gone (the keylogger one in particular had me more than a little worried – I have “KeyScrambler” installed so maybe I’m okay?). No threats were detected.


Panda online antivirus scan log (these are all old email messages from a few years ago that I need to keep – not sure how they got infected – does this mean the attached Word documents could be infected?):

Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[~0000195.~][ABSTRACT.WPD]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[proposal.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[dexter-peck.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[consent-partI.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[consent-partII.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL023FF.PMM[Kiefl.doc]
Virus:W97M/Pri.B Disinfected C:\Documents and Settings\me\My Documents\southpark\PMAIL\MAIL\FOL02542.PMM[~0000529.~][intro3.doc]


SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 02/15/2008 at 02:13 PM

Application Version : 3.9.1008

Core Rules Database Version : 3403
Trace Rules Database Version: 1395

Scan type : Complete Scan
Total Scan Time : 00:40:02

Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 6471
Registry threats detected : 5
File items scanned : 34742
File threats detected : 5

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}\InprocServer32
HKCR\CLSID\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64236E7F-EBCC-48BD-AF50-9AB92686F49F}

Adware.Tracking Cookie
C:\Documents and Settings\me\Cookies\me@atdmt[1].txt

Adware.eXact Advertising
C:\PROGRAM FILES\MAIL.COM\MCALERT.EXE
C:\DOCUMENTS AND SETTINGS\me\START MENU\PROGRAMS\MAIL.COM\MAIL.COM ALERT.LNK

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\ACCDD.INI



Note: after this, no more threats detected, although SpyBot continued to report a Virtumonde registry key infection/problem (until the last couple of scans where SpyBot is saying the computer is clean).

I ran AVG Antispyware as well with the computer in safe mode and it didn’t find anything.

Here’s the ComboFix log file. Note that this was run today AFTER all the other scans were coming up clean (but, as I said above, I’m not convinced that the computer is clean).


ComboFix 08-02-17.2 - me 2008-02-17 13:51:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.528 [GMT -4:00]
Running from: C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\computer cleaners\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\9F812CCDB4.dll
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\lwfvryej.ini
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 03:34 . 2008-02-17 03:34 <DIR> d-------- C:\Documents and Settings\me.me-NB5\Application Data\SUPERAntiSpyware.com
2008-02-17 00:33 . 2008-02-17 02:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 00:33 . 2008-02-17 01:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 00:33 . 2008-02-17 01:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-17 00:33 . 2008-02-17 01:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 16:50 . 2008-02-16 16:50 <DIR> d-------- C:\Documents and Settings\me.me-NB5\Application Data\Grisoft
2008-02-16 16:28 . 2008-02-16 16:28 <DIR> d-------- C:\Documents and Settings\me\Application Data\Grisoft
2008-02-16 16:28 . 2008-02-16 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 16:28 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-16 15:46 . 2008-02-16 15:46 <DIR> d-------- C:\VundoFix Backups
2008-02-16 08:22 . 2008-02-16 08:31 <DIR> d-------- C:\Hijackthis
2008-02-15 13:27 . 2008-02-15 13:27 <DIR> d-------- C:\Documents and Settings\me\Application Data\SUPERAntiSpyware.com
2008-02-14 23:26 . 2008-02-15 12:44 <DIR> d-------- C:\Documents and Settings\me\.housecall6.6
2008-02-14 22:14 . 2008-02-14 22:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 22:14 . 2008-02-14 22:14 3,450 --a------ C:\WINDOWS\unins000.dat
2008-02-14 15:58 . 2008-02-14 21:39 0 --a------ C:\23990098.$$$
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-02-14 14:17 . 2008-02-14 14:17 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-02-14 14:14 . 2008-02-14 14:16 5,937,408 --a------ C:\WINDOWS\REGBK00.ZIP
2008-02-14 14:13 . 2008-02-14 14:13 26 --a------ C:\WINDOWS\Lic.xxx
2008-02-14 14:12 . 2004-08-03 23:56 146,432 --a------ C:\WINDOWS\R.COM
2008-02-14 14:12 . 2004-08-03 23:56 135,680 --a------ C:\WINDOWS\system32\T.COM
2008-02-14 13:47 . 2008-02-14 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 13:46 . 2008-02-17 03:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 13:46 . 2008-02-14 13:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 13:43 . 2008-02-14 21:18 <DIR> d-------- C:\mwav
2008-02-14 01:07 . 2008-02-14 06:46 <DIR> d-------- C:\Documents and Settings\me\Application Data\HouseCall 6.6
2008-02-14 00:36 . 2008-02-14 13:40 2,191,700 --ahs---- C:\WINDOWS\system32\chfbedqr.ini
2008-02-13 21:53 . 2008-02-13 21:53 <DIR> d-------- C:\Documents and Settings\me\Application Data\Nero
2008-02-13 13:37 . 2008-02-13 23:40 1,024 --a------ C:\.rnd
2008-02-13 13:17 . 2008-02-13 23:47 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-02-13 13:17 . 2008-02-13 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-12 23:04 . 2008-02-12 23:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 23:04 . 2008-02-12 23:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 11:46 . 2008-02-05 11:46 <DIR> d-------- C:\Program Files\MSECache
2008-01-28 15:34 . 2008-01-28 15:34 <DIR> d-------- C:\Program Files\uTorrent
2008-01-28 15:34 . 2008-02-13 19:49 <DIR> d-------- C:\Documents and Settings\me\Application Data\uTorrent
2008-01-28 13:40 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-28 13:38 . 2008-01-28 13:40 <DIR> d-------- C:\WINDOWS\msdownld.tmp
2008-01-28 13:20 . 2008-01-28 13:36 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-22 12:05 . 2008-01-22 12:05 <DIR> d-------- C:\Documents and Settings\me\Application Data\vlc
2008-01-22 12:05 . 2008-01-22 12:05 <DIR> d-------- C:\Documents and Settings\me\Application Data\dvdcss
2008-01-22 12:03 . 2008-01-22 12:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-21 21:32 . 2008-01-21 21:32 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-21 21:32 . 2008-02-17 02:21 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-01-21 13:56 . 2008-01-21 13:56 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-01-21 13:56 . 2008-01-21 13:56 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-21 13:56 . 2008-01-21 13:56 1,024 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-21 13:56 . 2008-01-21 13:56 1,024 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-21 13:56 . 2008-01-21 13:57 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-01-21 13:56 . 2008-01-21 14:02 16 ---h----- C:\WINDOWS\system32\servdat.slm
2008-01-21 13:56 . 2008-01-21 13:57 14 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-01-21 13:56 . 2008-01-21 13:56 0 --a------ C:\WINDOWS\system32\nsprs.tgz
2008-01-21 13:43 . 2008-02-13 17:31 <DIR> d-------- C:\NALCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 06:28 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 06:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-17 06:20 --------- d-----w C:\Program Files\Rainlendar
2008-02-17 06:15 --------- d-----w C:\Program Files\KeyScrambler
2008-02-17 06:10 --------- d-----w C:\Program Files\Apoint
2008-02-15 18:14 --------- d-----w C:\Program Files\mail.com
2008-02-15 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 17:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 03:18 --------- d-----w C:\Program Files\CyberLink
2008-02-11 16:58 --------- d-----w C:\Documents and Settings\me\Application Data\CyberLink
2008-01-30 07:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-28 17:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 01:18 --------- d-----w C:\Program Files\SmartFTP Client 2.0 Setup Files
2008-01-22 01:18 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-01-21 18:01 --------- d-----w C:\Program Files\spss14
2007-12-29 14:35 112,992 ----a-w C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-11 23:00 28672 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14 7401472]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56 602182]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-29 21:44 356429]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\me\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 08:31:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 10:35]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 17:15]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2005-12-09 15:39]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 17:39:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2009-07-02 13:45:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{4AB48691-D6DA-4F8E-9C68-3D4422888995}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:59:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\TEMP\ZQ30B6.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-02-17 14:01:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 18:01:38
.
2008-02-15 07:01:24 --- E O F ---



And, finally, here is the most recent HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 16:37, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JZC988.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\me\Desktop\Software Set-ups & Programs\computer cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


[color="#000080"]Is the 020 - Winlogon Notify area normal? I read somewhere that Winlogon processes are one place that Vundo likes to cause problems.

I think that’s everything you asked for. So what do you think? Is Vundo really gone? Are there other viruses hiding somewhere?

Thank-you VERY much for your time!

-Takk

Edited by takk, 17 February 2008 - 06:17 PM.

[Advertisements]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Rorschach112]

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[takk]

Thanks for getting back to me so quickly, Rorschach - I can see you've been crazy busy replying to posts today. Here are the DSS log files. Thanks so much for your help.

-takk

******************************************

Deckard's System Scanner v20071014.68
Run by takk on 2008-02-17 21:14:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-02-18 01:15:03 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-02-17 17:50:59 UTC - RP3 - ComboFix created restore point
2: 2008-02-16 20:22:22 UTC - RP2 - b4 vundo removal - according to spybot
1: 2008-02-16 20:20:48 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as takk.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-17 21:16:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JZC988.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nwtray.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\POP3Trap.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Documents and Settings\takk\Desktop\Software Set-ups & Programs\computer cleaners\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - Startup: Rainlendar.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9195 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys
S3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ntrtscan (OfficeScanNT RealTime Scan) - "c:\program files\trend micro\officescan client\ntrtscan.exe" <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 OfcPfwSvc (OfficeScanNT Personal Firewall) - "c:\program files\trend micro\officescan client\ofcpfwsvc.exe" <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 tmlisten (OfficeScanNT Listener) - "c:\program files\trend micro\officescan client\tmlisten.exe" <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S2 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2009-07-02 09:45:14 426 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{4AB48691-D6DA-4F8E-9C68-3D4422888995}.job
2008-02-17 20:39:01 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-01-17 and 2008-02-17 -----------------------------

2008-02-17 13:50:19 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-17 13:50:19 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-17 13:50:19 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-17 13:50:19 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-17 03:34:59 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\SUPERAntiSpyware.com
2008-02-17 00:33:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 16:50:06 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\Grisoft
2008-02-16 16:28:54 0 d-------- C:\Documents and Settings\takk\Application Data\Grisoft
2008-02-16 16:28:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 15:46:00 0 d-------- C:\VundoFix Backups
2008-02-16 08:22:30 0 d-------- C:\Hijackthis <HIJACK~1>
2008-02-15 13:27:20 0 d-------- C:\Documents and Settings\takk\Application Data\SUPERAntiSpyware.com
2008-02-14 23:26:08 0 d-------- C:\Documents and Settings\takk\.housecall6.6
2008-02-14 22:14:57 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 22:14:57 3450 --a------ C:\WINDOWS\unins000.dat
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\zts2.exe
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\system32\systems.txt
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\rundll16.exe
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\rundl132.dll
2008-02-14 14:17:43 0 d-a------ C:\WINDOWS\logo1_.exe
2008-02-14 13:58:22 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-02-14 13:47:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 13:46:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 13:46:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 13:43:46 0 d-------- C:\mwav
2008-02-14 01:07:48 0 d-------- C:\Documents and Settings\takk\Application Data\HouseCall 6.6
2008-02-14 01:03:12 0 d-------- C:\Documents and Settings\takk\Recent
2008-02-13 21:53:55 0 d-------- C:\Documents and Settings\takk\Application Data\Nero
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files\Nero
2008-02-13 13:17:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-05 11:46:26 0 d-------- C:\Program Files\MSECache
2008-01-28 15:34:21 0 d-------- C:\Program Files\uTorrent
2008-01-28 15:34:11 0 d-------- C:\Documents and Settings\takk\Application Data\uTorrent
2008-01-28 13:38:50 0 d-------- C:\WINDOWS\msdownld.tmp
2008-01-28 13:20:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-01-22 12:05:29 0 d-------- C:\Documents and Settings\takk\Application Data\vlc
2008-01-22 12:05:26 0 d-------- C:\Documents and Settings\takk\Application Data\dvdcss
2008-01-22 12:03:44 0 d-------- C:\Program Files\VideoLAN
2008-01-21 21:32:47 0 d-------- C:\Program Files\SmartFTP Client
2008-01-21 21:32:18 0 d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-21 13:56:59 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-21 13:43:01 0 d-------- C:\NALCache
2008-01-21 13:42:46 28672 --a------ C:\WINDOWS\system32\ZENAPPWS.DLL <Not Verified; Novell, Inc.; ZENworks Application Launcher>
2008-01-21 13:42:46 638976 --a------ C:\WINDOWS\system32\ZENAPP32.DLL <Not Verified; Novell, Inc.; >
2008-01-21 13:42:45 131072 --a------ C:\WINDOWS\system32\NALEXPEX.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:44 57344 --a------ C:\WINDOWS\system32\ZENVER.EXE
2008-01-21 13:42:44 118784 --a------ C:\WINDOWS\system32\ZENPOL32.DLL <Not Verified; Novell, Inc.; ZENworks for Desktops>
2008-01-21 13:42:44 157696 --a------ C:\WINDOWS\system32\NALNRD95.DLL
2008-01-21 13:42:44 143872 --a------ C:\WINDOWS\system32\NALNRD32.DLL
2008-01-21 13:42:44 1273856 --a------ C:\WINDOWS\system32\NALEXP32.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:43 50176 --a------ C:\WINDOWS\system32\ZWSNMP32.DLL <Not Verified; ACE*COMM Corporation; NetPlus WSNMP32>
2008-01-21 13:42:43 152576 --a------ C:\WINDOWS\system32\NLSAPI32.DLL
2008-01-21 13:42:42 1339392 --a------ C:\WINDOWS\system32\NALDESK.EXE <Not Verified; Novell, Inc; ZENworks Application Explorer>


-- Find3M Report ---------------------------------------------------------------

2008-02-17 02:28:30 0 d-------- C:\Program Files\Windows Live Toolbar
2008-02-17 02:20:41 0 d-------- C:\Program Files\Rainlendar
2008-02-17 02:15:00 0 d-------- C:\Program Files\KeyScrambler
2008-02-17 02:10:55 0 d-------- C:\Program Files\Apoint
2008-02-15 14:14:21 0 d-------- C:\Program Files\mail.com
2008-02-14 13:45:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 12:01:37 128209 --a------ C:\WINDOWS\system32\nvModes.dat
2008-02-13 23:18:07 0 d-------- C:\Program Files\CyberLink
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files
2008-02-11 12:58:48 0 d-------- C:\Documents and Settings\takk\Application Data\CyberLink
2008-01-30 03:07:52 0 d-------- C:\Documents and Settings\takk\Application Data\Adobe
2008-01-30 03:07:35 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-30 03:06:32 6557 --a------ C:\WINDOWS\mozver.dat
2008-01-28 13:04:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 21:18:47 0 d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2008-01-21 21:18:37 0 d-------- C:\Program Files\SmartFTP Client 2.0
2008-01-21 14:01:01 0 d-------- C:\Program Files\spss14
2007-12-13 07:15:08 3534 --a------ C:\Documents and Settings\takk\Application Data\evpro32.prf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-11 23:00 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-29 21:44]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB5324"=command /c del "C:\WINDOWS\system32\ddcca.dll_old"
"SpybotDeletingD7247"=cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA5021"=command /c del "C:\WINDOWS\system32\ddcca.dll_old"
"SpybotDeletingC7838"=cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

C:\Documents and Settings\takk\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 08:31:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

-- End of Deckard's System Scanner: finished at 2008-02-17 21:18:32 ------------

******************************************************************************

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1022.11 MiB / 485.48 MiB
Pagefile Memory (total/avail): 2459.01 MiB / 1997.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.7 MiB

C: is Fixed (NTFS) - 74.49 GiB total, 28.75 GiB free.
D: is CDROM (No Media)
R: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2080BH - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 74.49 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"


-- Environment Variables -------------------------------------------------------

AA=2006
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\takk\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=takk-NB5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\ADC3
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32\nls;C:\WINDOWS\system32\nls\ENGLISH;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\takk\LOCALS~1\Temp
TMP=C:\DOCUME~1\takk\LOCALS~1\Temp
USERDOMAIN=ACADIA
USERNAME=takk
USERPROFILE=C:\Documents and Settings\takk
VERSION=29-Jun-2006
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

tempuser (admin)
takk.takk-NB5 (admin)
Administrator (admin)
takk (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE5629A0-B057-480A-9585-8C45360A56B1}\Setup.exe" -l0x9 /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Audacity 1.2.4 --> "C:\Program Files\Audacity\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40A6C96D-808E-41DD-8716-617AB6B0F1F1}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cisco Systems VPN Client 4.6.00.0049 --> MsiExec.exe /X{6DC47739-3BB0-4494-A43D-193BF54070AE}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Cool ReadWrite --> MsiExec.exe /I{436C0BE1-5C4D-4B85-A6E0-C7B903FAE86B}
CoolReadWrite --> MsiExec.exe /I{B047BA05-9BE7-44A0-BDBA-91C90A7ECEDD}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Disney's Winnie the Pooh Preschool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09E26120-0322-11D5-B231-0050DACD394D}\setup.exe" Uninstall
Dragon NaturallySpeaking 8 --> MsiExec.exe /I{DDDD0C4B-57F7-4A85-ACF0-DB3FC8F1DBB4}
ExamProctor --> MsiExec.exe /I{7084D88C-44F1-40FA-9FFD-F5B645FCF975}
ExamView Assessment Suite --> C:\WINDOWS\unvise32.exe C:\ExamView\uninst5.log
Express Burn Uninstall --> C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Express Rip Uninstall --> C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe"
getPlus®_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
HijackThis 1.99.1 --> E:\Scanners\hijackthis\HijackThis.exe /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\takk\Application Data\HouseCall 6.6\uninstaller.exe"
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
KeyScrambler --> C:\Program Files\KeyScrambler\uninstall.exe
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Mail.com Alert --> C:\Program Files\mail.com\uninst.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 UNINSTALL
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-7) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OZ776 SCR CardBus Windows Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48} /l1033
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Privoxy 3.0.3 --> "C:\Program Files\Privoxy\privoxy_uninstall.exe"
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTax 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}\isetup.ex_" -l0x9 -uninst
QuickTax 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}\isetup.ex_" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Rainlendar (remove only) --> "C:\Program Files\Rainlendar\uninst.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordPad Sound Recorder Uninstall --> C:\Program Files\NCH Swift Sound\RecordPad\uninst.exe
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SPSS 14.0 for Windows --> MsiExec.exe /X{0AE19D89-17A9-404D-932A-FAAF43F3C77E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Swift To-Do List Lite 1.16 --> "C:\Program Files\Swift To-Do List\unins000.exe"
Switch Uninstall --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
TestGen --> C:\WINDOWS\unvise32.exe C:\Program Files\TestGen\uninstal.log
Tor 0.1.1.24 --> "C:\Program Files\Tor\Uninstall.exe"
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
TrustyFilesPro --> C:\WINDOWS\unvise32.exe C:\Program Files\TrustyFilesPro\uninstal.log
Ulead VideoStudio 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E188D820-1218-4E28-8BCA-91134C3664C2}\setup.exe" -l0x9
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Vidalia 0.0.7 --> "C:\Program Files\Vidalia\uninstall.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Messenger --> MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
XeFlashPlayer 1.0 --> C:\Program Files\XeFlashPlayer\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type12507 / Error
Event Submitted/Written: 02/17/2008 08:04:09 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Event Record #/Type12506 / Error
Event Submitted/Written: 02/17/2008 07:51:59 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Event Record #/Type12505 / Error
Event Submitted/Written: 02/17/2008 06:27:36 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Event Record #/Type12504 / Error
Event Submitted/Written: 02/17/2008 06:09:25 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.

Event Record #/Type12503 / Error
Event Submitted/Written: 02/17/2008 04:35:04 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-02-17 21:18:32 ------------

[Rorschach112]

No rest for the wicked as they say

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\zts2.exe
  C:\WINDOWS\system32\vcmgcd32.dll
  C:\WINDOWS\system32\systems.txt
  C:\WINDOWS\system32\iifgfgf.dll
  C:\WINDOWS\rundll16.exe
  C:\WINDOWS\rundl132.dll
  C:\WINDOWS\logo1_.exe
  C:\WINDOWS\system32\ddcca.dll_old
  C:\WINDOWS\system32\ddcca.dll

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  purity

• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log

[takk]

Okay... I did what you said. But when HJT was running the fix, in the middle of it, I got the same SpyBot "registry-change blocked" alerts. I continued on and ran OTMoveIt, then rebooted. When I got the SpyBot alerts yet again during reboot, I went back and tried the HJT fix again on those 4 lines (they were still there), this time with all my anti-malware programs disabled. I then ran OTMoveIt again, rebooted, and ran DSS. I pasted the second OTMoveIt log under the first one. Thanks for doing this!

-takk

First OTMoveIt2 Log (after doing HJT Fix with SpyBot & AVG-AntiSpyware turned on)

C:\WINDOWS\zts2.exe moved successfully.
C:\WINDOWS\system32\vcmgcd32.dll moved successfully.
C:\WINDOWS\system32\systems.txt moved successfully.
C:\WINDOWS\system32\iifgfgf.dll moved successfully.
C:\WINDOWS\rundll16.exe moved successfully.
C:\WINDOWS\rundl132.dll moved successfully.
C:\WINDOWS\logo1_.exe moved successfully.
File/Folder C:\WINDOWS\system32\ddcca.dll_old not found.
File/Folder C:\WINDOWS\system32\ddcca.dll not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 02182008_003428

Second OTMoveIt2 log (after running HJT fixes with SpyBot & AVG disabled)

File/Folder C:\WINDOWS\zts2.exe not found.
File/Folder C:\WINDOWS\system32\vcmgcd32.dll not found.
File/Folder C:\WINDOWS\system32\systems.txt not found.
File/Folder C:\WINDOWS\system32\iifgfgf.dll not found.
File/Folder C:\WINDOWS\rundll16.exe not found.
File/Folder C:\WINDOWS\rundl132.dll not found.
File/Folder C:\WINDOWS\logo1_.exe not found.
File/Folder C:\WINDOWS\system32\ddcca.dll_old not found.
File/Folder C:\WINDOWS\system32\ddcca.dll not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.20 log created on 02182008_004738



DSS log:

Deckard's System Scanner v20071014.68
Run by takk on 2008-02-18 00:56:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as takk.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-18 00:56:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Temp\KU779B.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\nwtray.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\POP3Trap.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Documents and Settings\takk\Desktop\Software Set-ups & Programs\computer cleaners\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - Startup: Rainlendar.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 9150 bytes

-- Files created between 2008-01-18 and 2008-02-18 -----------------------------

2008-02-17 13:50:19 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-17 13:50:19 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-17 13:50:19 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-17 13:50:19 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-17 03:34:59 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\SUPERAntiSpyware.com
2008-02-17 00:33:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 16:50:06 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\Grisoft
2008-02-16 16:28:54 0 d-------- C:\Documents and Settings\takk\Application Data\Grisoft
2008-02-16 16:28:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 15:46:00 0 d-------- C:\VundoFix Backups
2008-02-16 08:22:30 0 d-------- C:\Hijackthis <HIJACK~1>
2008-02-15 13:27:20 0 d-------- C:\Documents and Settings\takk\Application Data\SUPERAntiSpyware.com
2008-02-14 23:26:08 0 d-------- C:\Documents and Settings\takk\.housecall6.6
2008-02-14 22:14:57 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 22:14:57 3450 --a------ C:\WINDOWS\unins000.dat
2008-02-14 13:58:22 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-02-14 13:47:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 13:46:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 13:46:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 13:43:46 0 d-------- C:\mwav
2008-02-14 01:07:48 0 d-------- C:\Documents and Settings\takk\Application Data\HouseCall 6.6
2008-02-14 01:03:12 0 d-------- C:\Documents and Settings\takk\Recent
2008-02-13 21:53:55 0 d-------- C:\Documents and Settings\takk\Application Data\Nero
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files\Nero
2008-02-13 13:17:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-05 11:46:26 0 d-------- C:\Program Files\MSECache
2008-01-28 15:34:21 0 d-------- C:\Program Files\uTorrent
2008-01-28 15:34:11 0 d-------- C:\Documents and Settings\takk\Application Data\uTorrent
2008-01-28 13:38:50 0 d-------- C:\WINDOWS\msdownld.tmp
2008-01-28 13:20:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-01-22 12:05:29 0 d-------- C:\Documents and Settings\takk\Application Data\vlc
2008-01-22 12:05:26 0 d-------- C:\Documents and Settings\takk\Application Data\dvdcss
2008-01-22 12:03:44 0 d-------- C:\Program Files\VideoLAN
2008-01-21 21:32:47 0 d-------- C:\Program Files\SmartFTP Client
2008-01-21 21:32:18 0 d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-21 13:56:59 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-21 13:43:01 0 d-------- C:\NALCache
2008-01-21 13:42:46 28672 --a------ C:\WINDOWS\system32\ZENAPPWS.DLL <Not Verified; Novell, Inc.; ZENworks Application Launcher>
2008-01-21 13:42:46 638976 --a------ C:\WINDOWS\system32\ZENAPP32.DLL <Not Verified; Novell, Inc.; >
2008-01-21 13:42:45 131072 --a------ C:\WINDOWS\system32\NALEXPEX.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:44 57344 --a------ C:\WINDOWS\system32\ZENVER.EXE
2008-01-21 13:42:44 118784 --a------ C:\WINDOWS\system32\ZENPOL32.DLL <Not Verified; Novell, Inc.; ZENworks for Desktops>
2008-01-21 13:42:44 157696 --a------ C:\WINDOWS\system32\NALNRD95.DLL
2008-01-21 13:42:44 143872 --a------ C:\WINDOWS\system32\NALNRD32.DLL
2008-01-21 13:42:44 1273856 --a------ C:\WINDOWS\system32\NALEXP32.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:43 50176 --a------ C:\WINDOWS\system32\ZWSNMP32.DLL <Not Verified; ACE*COMM Corporation; NetPlus WSNMP32>
2008-01-21 13:42:43 152576 --a------ C:\WINDOWS\system32\NLSAPI32.DLL
2008-01-21 13:42:42 1339392 --a------ C:\WINDOWS\system32\NALDESK.EXE <Not Verified; Novell, Inc; ZENworks Application Explorer>


-- Find3M Report ---------------------------------------------------------------

2008-02-17 02:28:30 0 d-------- C:\Program Files\Windows Live Toolbar
2008-02-17 02:20:41 0 d-------- C:\Program Files\Rainlendar
2008-02-17 02:15:00 0 d-------- C:\Program Files\KeyScrambler
2008-02-17 02:10:55 0 d-------- C:\Program Files\Apoint
2008-02-15 14:14:21 0 d-------- C:\Program Files\mail.com
2008-02-14 13:45:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 12:01:37 128209 --a------ C:\WINDOWS\system32\nvModes.dat
2008-02-13 23:18:07 0 d-------- C:\Program Files\CyberLink
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files
2008-02-11 12:58:48 0 d-------- C:\Documents and Settings\takk\Application Data\CyberLink
2008-01-30 03:07:52 0 d-------- C:\Documents and Settings\takk\Application Data\Adobe
2008-01-30 03:07:35 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-30 03:06:32 6557 --a------ C:\WINDOWS\mozver.dat
2008-01-28 13:04:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 21:18:47 0 d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2008-01-21 21:18:37 0 d-------- C:\Program Files\SmartFTP Client 2.0
2008-01-21 14:01:01 0 d-------- C:\Program Files\spss14
2007-12-13 07:15:08 3534 --a------ C:\Documents and Settings\takk\Application Data\evpro32.prf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-11 23:00 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-29 21:44]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB5324"=command /c del "C:\WINDOWS\system32\ddcca.dll_old"
"SpybotDeletingD7247"=cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA5021"=command /c del "C:\WINDOWS\system32\ddcca.dll_old"
"SpybotDeletingC7838"=cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

C:\Documents and Settings\takk\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 08:31:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

-- End of Deckard's System Scanner: finished at 2008-02-18 00:57:17 ------------

[Rorschach112]

Ok that is TeaTimer being annoying

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose "Yes" at the Warning prompt.
• Expand the "Tools" menu.
• Click "Resident".
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• In the File menu click "Exit" to exit Spybot Search & Destroy.

Then do all those steps again and post a new DSS log

[takk]

Okay - I repeated the steps above with TeaTimer disabled. However, those four "run once" lines were no longer there in the HJT system scan log. Here is the latest DSS log. FWIW, I updated my java last night and also ran a Kapersky online scan. I will past the results of the Kapersky scan after the DSS log in case there's anything useful in it. Thanks again! -takk

Deckard's System Scanner v20071014.68
Run by takk on 2008-02-18 13:56:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as takk.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-18 13:57:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Temp\BNE5FB.EXE
C:\WINDOWS\system32\nwtray.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\OfficeScan Client\POP3Trap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\takk\Desktop\Software Set-ups & Programs\computer cleaners\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 8911 bytes

-- Files created between 2008-01-18 and 2008-02-18 -----------------------------

2008-02-18 02:10:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 02:10:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-17 13:50:19 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-17 13:50:19 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-17 13:50:19 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-17 13:50:19 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-17 03:34:59 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\SUPERAntiSpyware.com
2008-02-17 00:33:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 16:50:06 0 d-------- C:\Documents and Settings\takk.takk-NB5\Application Data\Grisoft
2008-02-16 16:28:54 0 d-------- C:\Documents and Settings\takk\Application Data\Grisoft
2008-02-16 16:28:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 15:46:00 0 d-------- C:\VundoFix Backups
2008-02-16 08:22:30 0 d-------- C:\Hijackthis <HIJACK~1>
2008-02-15 13:27:20 0 d-------- C:\Documents and Settings\takk\Application Data\SUPERAntiSpyware.com
2008-02-14 23:26:08 0 d-------- C:\Documents and Settings\takk\.housecall6.6
2008-02-14 22:14:57 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-14 22:14:57 3450 --a------ C:\WINDOWS\unins000.dat
2008-02-14 13:58:22 0 d-------- C:\Documents and Settings\Administrator\Recent
2008-02-14 13:47:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 13:46:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 13:46:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 13:43:46 0 d-------- C:\mwav
2008-02-14 01:07:48 0 d-------- C:\Documents and Settings\takk\Application Data\HouseCall 6.6
2008-02-14 01:03:12 0 d-------- C:\Documents and Settings\takk\Recent
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files\Nero
2008-02-05 11:46:26 0 d-------- C:\Program Files\MSECache
2008-01-28 15:34:21 0 d-------- C:\Program Files\uTorrent
2008-01-28 15:34:11 0 d-------- C:\Documents and Settings\takk\Application Data\uTorrent
2008-01-28 13:38:50 0 d-------- C:\WINDOWS\msdownld.tmp
2008-01-28 13:20:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-01-22 12:05:29 0 d-------- C:\Documents and Settings\takk\Application Data\vlc
2008-01-22 12:05:26 0 d-------- C:\Documents and Settings\takk\Application Data\dvdcss
2008-01-22 12:03:44 0 d-------- C:\Program Files\VideoLAN
2008-01-21 21:32:47 0 d-------- C:\Program Files\SmartFTP Client
2008-01-21 21:32:18 0 d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-01-21 13:56:59 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth2.dll
2008-01-21 13:56:28 1024 --a------ C:\WINDOWS\system32\clauth1.dll
2008-01-21 13:43:01 0 d-------- C:\NALCache
2008-01-21 13:42:46 28672 --a------ C:\WINDOWS\system32\ZENAPPWS.DLL <Not Verified; Novell, Inc.; ZENworks Application Launcher>
2008-01-21 13:42:46 638976 --a------ C:\WINDOWS\system32\ZENAPP32.DLL <Not Verified; Novell, Inc.; >
2008-01-21 13:42:45 131072 --a------ C:\WINDOWS\system32\NALEXPEX.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:44 57344 --a------ C:\WINDOWS\system32\ZENVER.EXE
2008-01-21 13:42:44 118784 --a------ C:\WINDOWS\system32\ZENPOL32.DLL <Not Verified; Novell, Inc.; ZENworks for Desktops>
2008-01-21 13:42:44 157696 --a------ C:\WINDOWS\system32\NALNRD95.DLL
2008-01-21 13:42:44 143872 --a------ C:\WINDOWS\system32\NALNRD32.DLL
2008-01-21 13:42:44 1273856 --a------ C:\WINDOWS\system32\NALEXP32.DLL <Not Verified; Novell, Inc; ZENworks Application Explorer>
2008-01-21 13:42:43 50176 --a------ C:\WINDOWS\system32\ZWSNMP32.DLL <Not Verified; ACE*COMM Corporation; NetPlus WSNMP32>
2008-01-21 13:42:43 152576 --a------ C:\WINDOWS\system32\NLSAPI32.DLL
2008-01-21 13:42:42 1339392 --a------ C:\WINDOWS\system32\NALDESK.EXE <Not Verified; Novell, Inc; ZENworks Application Explorer>


-- Find3M Report ---------------------------------------------------------------

2008-02-18 01:43:10 0 d-------- C:\Program Files\Java
2008-02-17 02:28:30 0 d-------- C:\Program Files\Windows Live Toolbar
2008-02-17 02:20:41 0 d-------- C:\Program Files\Rainlendar
2008-02-17 02:15:00 0 d-------- C:\Program Files\KeyScrambler
2008-02-17 02:10:55 0 d-------- C:\Program Files\Apoint
2008-02-15 14:14:21 0 d-------- C:\Program Files\mail.com
2008-02-14 13:45:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 12:01:37 128209 --a------ C:\WINDOWS\system32\nvModes.dat
2008-02-13 23:18:07 0 d-------- C:\Program Files\CyberLink
2008-02-13 13:17:06 0 d-------- C:\Program Files\Common Files
2008-02-11 12:58:48 0 d-------- C:\Documents and Settings\takk\Application Data\CyberLink
2008-01-30 03:07:52 0 d-------- C:\Documents and Settings\takk\Application Data\Adobe
2008-01-30 03:07:35 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-30 03:06:32 6557 --a------ C:\WINDOWS\mozver.dat
2008-01-28 13:04:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 21:18:47 0 d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2008-01-21 21:18:37 0 d-------- C:\Program Files\SmartFTP Client 2.0
2008-01-21 14:01:01 0 d-------- C:\Program Files\spss14
2007-12-13 07:15:08 3534 --a------ C:\Documents and Settings\takk\Application Data\evpro32.prf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-11 23:00 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-19 08:14]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-05-29 21:44]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

C:\Documents and Settings\takk\Start Menu\Programs\Startup\
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 08:31:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


-- End of Deckard's System Scanner: finished at 2008-02-18 13:57:33 ------------


Kapersky online scan log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-18 11:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570433
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
R:\

Scan Statistics:
Total number of scanned objects: 71399
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:53:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\takk\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\takk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\takk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\takk\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\takk\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\takk\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\takk\My Documents\mIRC\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.582 skipped
C:\Documents and Settings\takk\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\takk\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20080218.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{659E39E4-B470-43C9-8AB0-4735A20D0FE1}\RP5\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D10BA43F-25A6-4C21-8BAC-8BC378941688}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F3634ACA-5C8C-41E5-BF68-0198E9DB86EB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\system32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by takk, 18 February 2008 - 12:18 PM.

[takk]

Hi again Rorschach112,

I just ran an mbam scan - I still have the program open b/c I wasn't sure whether to click on "remove selected". Here's the log:

Malwarebytes' Anti-Malware 1.03
Database version: 374

Scan type: Full Scan (C:\|R:\|)
Objects scanned: 98793
Time elapsed: 40 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications (Rogue.Multiple) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Rorschach112]

You can remove those entries, they are all bad

Let me know how your PC is running after that

[takk]

Thanks - deleted the infected registry keys.

Quick question - in mbam, under tools, there is an option to let "File Assassin" delete locked files. In my Kapersky scan log, there was a whole list of locked files. Would it be worth running File Assassin? I'm not sure what a locked file is. Thanks! - takk

P.S. I will let you know in a few min if things appear to be running better now. Does it look like vundo (or whatever I had) is now gone?!

[Rorschach112]

Hello

Would it be worth running File Assassin?

Haha no I would not do that for those Kaspersky files as they are all legit. File Assassin is to be used when you want to delete a file but you are being prevented. Most malware won't let you delete it, so programs like File Assassin are used to remove them.

I wouldn't mess with it yourself.

Your computer should be clean, just play around and let me know how its running

[takk]

I was feeling quite optimistic and thinking it should be safe to turn TeaTimer back on, so I did... and when I rebooted, those same "command.com" boxes flashed on the screen, and the same four TeaTimer "registry-change blocked" boxes came up. I obviously blacklisted them myself last week when I was infected with vundo, but are they signs of a virus? And if not, do you know how I go about removing them from the TeaTimer "blacklist"?

I ran HJT again and the log has reverted back to having those four "run once" items in the list. I was about to re-do the fix you described before (select those 4 items & "fix selected items" in HJT, run OTMoveIt2, then DSS), but since that only got rid of the problem temporarily, I thought I'd better let you know what's going on first. Here's the most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:36, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\TS67.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Documents and Settings\takk\Desktop\Software Set-ups & Programs\computer cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

[Rorschach112]

They aren't hugely important to fix

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ddcca.dll_old
C:\WINDOWS\system32\ddcca.dll

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O4 - HKLM\..\RunOnce: [SpybotDeletingA5021] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7838] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5324] command /c del "C:\WINDOWS\system32\ddcca.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7247] cmd /c del "C:\WINDOWS\system32\ddcca.dll_old"

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log and tell me how your PC is running

[takk]

I'm afraid this last detail has had us going in circles. I did what you said in your last post (a few times!) but every time I turned TeaTimer back on, the same warning boxes would come up and the HJT log would revert back to including those four annoying lines. In the end, I removed SpyBot and reinstalled it... that seemed to do the trick. Here is the most recent HJT log (and, with any luck, my last!). Thanks for all your help. You rock! I made a donation.

Please let me know whether everything looks okay now... or not!
Thanks again.
- takk

Logfile of HijackThis v1.99.1
Scan saved at 19:33, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\AEB079.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\takk\Desktop\Software Set-ups & Programs\computer cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145051039640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\Software\..\Telephony: DomainName = ad.acadiau.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.acadiau.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

[Rorschach112]

Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

The above procedure will do the following:

• Delete ComboFix and its associated files and folders.
• Delete VundoFix backups, if present
• Delete the C:\Deckard folder, if present
• Delete the C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

• Make sure you have an Internet Connection.
• Double-click OTMoveIt2.exe to run it.
• Click on the CleanUp! button
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
• Click Yes to beging the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.