Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

yet another antispywareudates.net infection [RESOLVED]

Started by BillPro , Feb 28 2008 11:42 AM

  • This topic is locked This topic is locked

#1
BillPro
Posted 28 February 2008 - 11:42 AM

BillPro

    Member

  • Member
  • PipPip
  • 26 posts
Hello and Please Help,

I'm not far from just reformatting and starting over. My computer has the same symptoms mentioned by others: desktop contains link "click here to scan your pc for spyware..." (which I haven't followed), disabled task manager and the frustrating habit of preventing several programs from opening or staying open (e.g. hijack this and norton). It will allow internet explorer to open some pages but will shut down when loading pages related to virus removal software/info. Thus I'm posting from an uninfected PC. As stated, I can't open or run hijack this and therefore can't get a log to post but I was able to run combifix, the results of which are posted below. I hope it helps get us started.

Thanks,
Bill

William - 08-02-28 10:54:24.90 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\William \Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\William \Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\William \Application Data\FNTS~1\F?nts
C:\QooBox\Purity\Documents and Settings\William \Application Data\FNTS~1\msconfig.exe
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\MANTEC~1\mmc.exe


((((((((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 ))))))))))))))))))))))))))))))))))


2008-02-25 10:50 122,385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll
2008-02-25 07:53 9,984 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2008-02-25 07:53 9,472 --a------ C:\WINDOWS\eventlowg.dll
2008-02-25 07:53 8,960 --a------ C:\WINDOWS\xxxvideo.exe
2008-02-25 07:53 32,256 --a------ C:\WINDOWS\liqui.dll
2008-02-25 07:53 32,000 --a------ C:\WINDOWS\cbinst$.exe
2008-02-25 07:53 31,488 --a------ C:\WINDOWS\liqui.exe
2008-02-25 07:53 31,232 --a------ C:\WINDOWS\hotporn.exe
2008-02-25 07:53 29,952 --a------ C:\WINDOWS\jd2002.dll
2008-02-25 07:53 29,696 --a------ C:\WINDOWS\daxtime.dll
2008-02-25 07:53 29,184 --a------ C:\WINDOWS\xadbrk.exe
2008-02-25 07:53 29,184 --a------ C:\WINDOWS\wml.exe
2008-02-25 07:53 29,184 --a------ C:\WINDOWS\spredirect.dll
2008-02-25 07:53 27,136 --a------ C:\WINDOWS\liqad.exe
2008-02-25 07:53 26,624 --a------ C:\WINDOWS\adbar.dll
2008-02-25 07:53 26,368 --a------ C:\WINDOWS\fhfmm.exe
2008-02-25 07:53 24,832 --a------ C:\WINDOWS\kkcomp.dll
2008-02-25 07:53 21,248 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2008-02-25 07:53 20,992 --a------ C:\WINDOWS\ngd.dll
2008-02-25 07:53 20,224 --a------ C:\WINDOWS\xadbrk_.exe
2008-02-25 07:53 18,176 --a------ C:\WINDOWS\kkcomp$.exe
2008-02-25 07:53 16,896 --a------ C:\WINDOWS\liqad.dll
2008-02-25 07:53 15,360 --a------ C:\WINDOWS\aconti.exe
2008-02-25 07:53 14,848 --a------ C:\WINDOWS\kkcomp.exe
2008-02-25 07:53 14,080 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2008-02-25 07:53 11,520 --a------ C:\WINDOWS\liqad$.exe
2008-02-25 07:53 11,264 --a------ C:\WINDOWS\ie_32.exe
2008-02-25 07:53 11,008 --a------ C:\WINDOWS\dp0.dll
2008-02-25 07:53 10,752 --a------ C:\WINDOWS\xadbrk.dll
2008-02-25 07:37 94,227 --a------ C:\WINDOWS\system32\rxjddnvj.exe
2008-02-23 17:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 09:31 12,906 ---hs---- C:\WINDOWS\system32\drivers\spools.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-02-28 10:46 -------- d-------- C:\Program Files\Hijackthis
2008-02-28 10:35 -------- d-------- C:\Program Files\Trend Micro
2008-02-28 09:35 -------- d-------- C:\Program Files\ERUNT
2008-02-27 08:55 -------- d-------- C:\Documents and Settings\William \Application Data\AdobeUM
2008-02-26 17:24 -------- d-------- C:\Program Files\Helper
2008-02-26 17:22 -------- d-------- C:\Program Files\amsys
2008-02-25 07:53 -------- d-------- C:\Program Files\p2pnetworks
2008-02-25 07:53 -------- d-------- C:\Program Files\e-zshopper
2008-02-25 07:53 -------- d-------- C:\Program Files\akl
2008-02-16 08:12 -------- d-------- C:\Program Files\Internet Explorer
2008-01-31 20:07 -------- d-------- C:\Program Files\pdf-tools
2008-01-15 00:18 -------- d-------- C:\Program Files\Dell
2008-01-09 21:42 33280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-12-06 21:21 63488 --a------ C:\WINDOWS\system32\icardie.dll
2007-12-06 21:21 6066176 --a------ C:\WINDOWS\system32\ieframe.dll
2007-12-06 21:21 52224 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2007-12-06 21:21 459264 --a------ C:\WINDOWS\system32\msfeeds.dll
2007-12-06 21:21 44544 --------- C:\WINDOWS\system32\iernonce.dll
2007-12-06 21:21 384512 --------- C:\WINDOWS\system32\iedkcs32.dll
2007-12-06 21:21 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-12-06 21:21 267776 --a------ C:\WINDOWS\system32\iertutil.dll
2007-12-06 21:21 233472 --a------ C:\WINDOWS\system32\webcheck.dll
2007-12-06 21:21 230400 --------- C:\WINDOWS\system32\ieaksie.dll
2007-12-06 21:21 153088 --------- C:\WINDOWS\system32\ieakeng.dll
2007-12-06 21:21 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-12-06 21:21 105984 --a------ C:\WINDOWS\system32\url.dll
2007-12-06 21:21 102912 --------- C:\WINDOWS\system32\occache.dll
2007-12-06 06:00 70656 --------- C:\WINDOWS\system32\ie4uinit.exe
2007-12-06 06:00 13824 --------- C:\WINDOWS\system32\ieudinit.exe
2007-12-05 23:59 161792 --------- C:\WINDOWS\system32\ieakui.dll
2007-12-04 13:38 550912 --------- C:\WINDOWS\system32\oleaut32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Ncao"="\"C:\\DOCUME~1\\WILLIA~1\\APPLIC~1\\FNTS~1\\msconfig.exe\" -vt yazb"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\William \\Local Settings\\Application Data\\cftmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"EPSON Stylus Photo RX500"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2K1.EXE /P24 \"EPSON Stylus Photo RX500\" /O6 \"USB001\" /M \"Stylus Photo RX500\""
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"
"netsv32"="C:\\WINDOWS\\sv.exe"
"netzip"="C:\\WINDOWS\\svzip.exe"
"netc"="C:\\WINDOWS\\svc.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"netw"="C:\\WINDOWS\\svw.exe"
"netx"="C:\\WINDOWS\\svx.exe"
"autoload"="C:\\Documents and Settings\\William \\Local Settings\\Application Data\\cftmon.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,01,00,00,00,00,00,00,00,06,00,00,8a,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\cftmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"NoRecentDocsMenu"=dword:00000001
"NoStartBanner"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoRecentDocsNetHood"=hex:01,00,00,00
"NoWinKeys"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"NoNetworkConnections"=hex:01,00,00,00
"NoStrCmpLogical"=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TaskPanl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PropelAC"
"hkey"="HKLM"
"command"="C:\\Program Files\\EarthLink TotalAccess\\Accelerator\\PropelAC.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=dword:00000003

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abfbdacbbfeacb

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 08-02-28 10:56:57.23
C:\ComboFix.txt ... 08-02-28 10:56
C:\ComboFix2.txt ... 08-02-25 21:44
C:\ComboFix3.txt ... 07-09-29 14:20
  • 0

Advertisements

#2
Rorschach112
Posted 28 February 2008 - 05:41 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
BillPro
Posted 28 February 2008 - 07:06 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thanks so much for the help. Smitfraudfix removed the desktop background. . . impressive. Here are the logs from both programs:

Deckard's System Scanner v20071014.68
Run by William Procopio on 2008-02-28 19:43:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).


-- HijackThis (run as William Procopio.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-28 19:47:24
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\William Procopio\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {711C06FE-C1C3-4843-8E3D-B599121AABD1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [netsv32] C:\WINDOWS\sv.exe
O4 - HKLM\..\Run: [netzip] C:\WINDOWS\svzip.exe
O4 - HKLM\..\Run: [netc] C:\WINDOWS\svc.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [netw] C:\WINDOWS\svw.exe
O4 - HKLM\..\Run: [netx] C:\WINDOWS\svx.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.caremark.com (HKCU)
O15 - Trusted Zone: https://line6.net (HKCU)
O15 - Trusted Zone: *.line6.net (HKCU)
O15 - Trusted Zone: http://service1.symantec.com (HKCU)
O15 - Trusted Zone: http://www.symantec.com (HKCU)
O15 - Trusted Zone: http://xponentialmusic.org (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092947926171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientsp...d/RapidocsX.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: abfbdacbbfeacb - C:\WINDOWS\system32\abfbdacbbfeacb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: System Event Notification SENSUPS (SENSUPS) - Unknown owner - C:\WINDOWS\system32\~.exe srv
O23 - Service: Dell Wireless WLAN Tray Service (WLTRYSVC) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 9618 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 OMCI (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; ; Bluetooth Software 1.4.1 Build 5>
R2 portD (CMS PortIO Service) - c:\windows\system32\drivers\portd2k.sys <Not Verified; CMS Peripherals, Inc.; BounceBack>
R3 L6DP - c:\windows\system32\drivers\l6dp.sys <Not Verified; Line 6; Line 6 Device Proxy>

S3 ATIXPGAA - c:\dell\drivers\r75495\atixpgaa.sys <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys (file missing)
S3 GPWADrv (Service for L6 GuitarPort Driver (WDM)) - c:\windows\system32\drivers\gpwadrv.sys <Not Verified; Line 6; GuitarPort>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S2 SENSUPS (System Event Notification SENSUPS) - c:\windows\system32\~.exe srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3A321F38&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3A321F38&0&00F0
Service: bcm4sbxp


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 12:35:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-28 and 2008-02-28 -----------------------------

2008-02-28 19:39:19 0 d-------- C:\WINDOWS\LastGood
2008-02-28 19:32:48 0 dr-h----- C:\Documents and Settings\William Procopio\Recent
2008-02-28 19:28:21 3874 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-28 15:53:20 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-02-28 14:34:02 0 d-------- C:\My Music
2008-02-28 14:33:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-28 14:13:10 516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-02-28 14:13:10 307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-02-28 14:13:10 602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-02-28 14:13:10 1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-02-28 14:13:10 614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-02-28 14:13:08 118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-02-28 14:13:08 356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files\eSellerate
2008-02-28 14:08:09 1634304 --a------ C:\WINDOWS\system32\3D Windows XP.scr
2008-02-28 12:06:02 0 d-------- C:\Program Files\ACW
2008-02-28 10:54:11 0 d-------- C:\sUBs
2008-02-28 10:35:18 0 d-------- C:\Program Files\Trend Micro
2008-02-25 10:50:51 122385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll
2008-02-23 17:27:42 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 17:27:42 2552 --a------ C:\WINDOWS\unins000.dat
2008-02-23 09:31:55 12906 ---hs---- C:\WINDOWS\system32\drivers\spools.exe
2008-01-31 20:07:54 0 d-------- C:\Program Files\pdf-tools


-- Find3M Report ---------------------------------------------------------------

2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files
2008-02-28 14:08:00 0 d-------- C:\Program Files\Secure PC Solutions
2008-02-28 14:07:05 0 d-------- C:\Documents and Settings\William Procopio\Application Data\Line 6
2008-02-28 13:58:27 2 --a------ C:\WINDOWS\FixReportFound
2008-02-28 13:58:27 4 --a----c- C:\WINDOWS\FixFound
2008-02-27 08:55:22 0 d-------- C:\Documents and Settings\William Procopio\Application Data\AdobeUM
2008-02-25 08:37:11 1009 --ahs---- C:\WINDOWS\system32\2962003880.dat
2008-01-15 00:18:17 0 d-------- C:\Program Files\Dell


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711C06FE-C1C3-4843-8E3D-B599121AABD1}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 05:04 PM]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [06/01/2003 03:00 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [04/29/2004 01:15 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03/03/2003 12:29 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2005 08:30 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 02:24 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"netsv32"="C:\WINDOWS\sv.exe" []
"netzip"="C:\WINDOWS\svzip.exe" []
"netc"="C:\WINDOWS\svc.exe" []
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"netw"="C:\WINDOWS\svw.exe" []
"netx"="C:\WINDOWS\svx.exe" []
"autoload"="C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe" [02/23/2008 03:50 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [02/23/2008 09:31 AM]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [01/22/2008 07:43 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"="C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" []
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [02/23/2008 09:31 AM]
"autoload"="C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe" [02/23/2008 03:50 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe

C:\Documents and Settings\William Procopio\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartBanner"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoWinKeys"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoStrCmpLogical"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abfbdacbbfeacb]
C:\WINDOWS\system32\abfbdacbbfeacb.dll 02/25/2008 10:50 AM 122385 C:\WINDOWS\system32\abfbdacbbfeacb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.4d5.net
127.0.0.1 4d5.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 scripps.com
127.0.0.1 www.sitefinder.verisign.com
127.0.0.1 adsremote.scripps.com
127.0.0.1 mas.scripps.com
127.0.0.1 scripps.com
127.0.0.1 googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com

8037 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-28 19:51:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 511.21 MiB / 114.82 MiB
Pagefile Memory (total/avail): 1245.64 MiB / 783.78 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.94 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 6.18 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 2 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Windows Live OneCare Firewall v1.0.0 (Microsoft Corporation)
AV: Windows Live OneCare v1.0.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape\\Netscape\\Netscp.exe:*:Enabled:Netscape"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"="C:\\Program Files\\Kensington\\MouseWorks\\k_update.exe:*:Enabled:Kensington Digital Update of installed software via the Web."
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Codemasters\\Insane Demo\\Game.exe"="C:\\Codemasters\\Insane Demo\\Game.exe:*:Disabled:INSANE"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\William Procopio\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DARWIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\William Procopio
LOGONSERVER=\\DARWIN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.1_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp
USERDOMAIN=DARWIN
USERNAME=William Procopio
USERPROFILE=C:\Documents and Settings\William Procopio
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

William Procopio (admin)
Kim Burns
Kim
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe" REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C1B8CBC-9118-11D7-86D3-00055DF3561E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArcSoft Camera Suite --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Camera Suite\Uninst.isu"
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66C8BE35-8BBB-472B-96C7-C7C9A499F988}\Setup.exe" -l0x9
ASIO4ALL v2 --> C:\Program Files\ASIO4ALL v2\uninstall.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.3 --> "C:\Program Files\Audacity\unins000.exe"
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
BitTornado 0.3.17 --> C:\Program Files\BitTornado\uninst.exe
BounceBack Professional --> C:\WINDOWS\system32\BBUninstall.exe
Broadcom 440x 10/100 Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Canon Camera Access Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
Canon PowerShot A40 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 WIA\UNSTD113.dll"
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44E24545-F317-4498-B7CD-240DE7BA8DE2}
Canon Utilities PhotoStitch 3.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoStitch\Uninst.isu"
Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"
Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CK Becky Higgins' Creative Clips --> C:\CKBROW~1\UNWISE.EXE C:\CKBROW~1\CKCREA~1.LOG
CK Font Organizer --> C:\PROGRA~1\CKFONT~1\UNWISE.EXE C:\PROGRA~1\CKFONT~1\INSTALL.LOG
CMN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8C8FC80-E542-11D3-8F7F-009027591AA8}\setup.exe"
Dell Bluetooth Software --> MsiExec.exe /X{0F51A262-1ADF-4914-B448-78AC58C4178A}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON Copy Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B53B71D-9E2F-42B8-9123-96354872D166}\setup.exe" -l0x9 MyUninstall
EPSON PhotoStarter3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5983C895-DDA4-45D9-A8D1-877D5DE7693E}\Setup.exe" -l0x9 uninst
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON RX500 Reference Guide --> C:\Program Files\epson\guide\rx500_e\uninstall.exe
EPSON Scan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\Setup.exe" -l0x9 UNINSTALL
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\Setup.exe" -l0x9 Uninstall
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
Family Feud --> "C:\Program Files\Verizon Online\Family Feud\Uninstall.exe" "C:\Program Files\Verizon Online\Family Feud\install.log"
GoldWave v5.08 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.08" "C:\Program Files\GoldWave\unstall.log"
GTOneCare --> MsiExec.exe /X{72690A58-4C2A-4CDE-928C-DF925B125F43}
GuitarPort 2.51 (Remove Only) --> C:\Program Files\Line6\GuitarPort\Uninstall.exe
GuitarPort Drivers 2.8.9.0 (Remove Only) --> C:\Program Files\Line6\Tools\Driver Archive\GuitarPort\2.8.9.0\Uninstall.exe
GuitarPort Drivers 3.0.0.4 (Remove Only) --> C:\Program Files\Line6\Tools\Driver Archive\GuitarPort\3.0.0.4\Uninstall.exe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
ImageTool --> C:\WINDOWS\uninst.exe -f"c:\program files\image tool\DeIsL1.isu" -c"c:\program files\image tool\_ISREG32.DLL"
InterVideo WinDVD 8 --> C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\setup.exe -runfromtemp -l0x0409
iolo technologies' System Mechanic 5 --> C:\PROGRA~1\iolo\SYSTEM~2\UNWISE.EXE C:\PROGRA~1\iolo\SYSTEM~2\INSTALL.LOG
iTunes --> MsiExec.exe /I{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kensington MouseWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C78937F-0C8E-11D9-A3EB-0001025FA304}\setup.exe" -l0x9 -u
KRISTAL Audio Engine --> C:\Program Files\Kreatives.org\KRISTAL Audio Engine\Uninstall.exe
Line 6 Drivers 3.2.7.0 (Remove Only) --> C:\Program Files\Line6\Tools\Driver Archive\All Drivers\3.2.7.0\Uninstall.exe
Line 6 Drivers 3.2.9.2 (Remove Only) --> C:\Program Files\Line6\Tools\Driver Archive\All Drivers\3.2.9.2\Uninstall.exe
Line 6 Drivers 3.3.3.6 (Remove Only) --> C:\Program Files\Line6\Tools\Driver Archive\All Drivers\3.3.3.6\Uninstall.exe
Line 6 Monkey 1.13 (Remove Only) --> C:\Program Files\Line6\Tools\Line 6 Monkey\Uninstall.exe
Line 6 Monkey 1.15 (Remove Only) --> C:\Program Files\Line6\Tools\Line 6 Monkey\Uninstall.exe
Line 6 Monkey 1.16 (Remove Only) --> C:\Program Files\Line6\Tools\Line 6 Monkey\Uninstall.exe
Line 6 Monkey 1.18 (Remove Only) --> C:\Program Files\Line6\Tools\Line 6 Monkey\Uninstall.exe
LiveUpdate 1.7 (Symantec Corporation) --> C:\Program Files\\Symantec\LiveUpdate\LSETUP.EXE /U
LucasArts' Jedi Knight --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LucasArts\Jedi Knight\DeIsL1.isu"
LucasArts' Outlaws --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LucasArts\Outlaws\DeIsL1.isu"
Magic ISO Maker v4.9 (build 0144) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Pro Step by Step Interactive --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FC7D8E1-F14F-11D4-943A-00E02950B496}\setup.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Protection Service --> MsiExec.exe /I{85CFDC2D-710E-49D5-B799-F3743CA506BA}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Live OneCare Resources v2.0.2500.22 --> MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
Microsoft Windows OneCare Live AntiSpyware and AntiVirus --> MsiExec.exe /I{E6A31482-989E-4E3C-B0C0-1ED4DBD5BC83}
Microsoft Windows OneCare Live v2.0.2500.22 --> MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
Microsoft Windows OneCare Live v2.0.2500.22 Idcrl Install --> MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PX Engine --> MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime --> MsiExec.exe /I{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE}
Radio@Netscape Plus --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Radio@Netscape Plus\uninst.isu" -c"C:\Program Files\Radio@Netscape Plus\program\uninst.dll"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SigmaTel AC97 Audio Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
SiSoftware Sandra Lite 2005 (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\unins000.exe"
SiSoftware Sandra Lite 2005.SR1 (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\unins000.exe"
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
StuffIt Expander 8.0 --> MsiExec.exe /X{DB74D322-389F-4C0C-810C-081D88CA62B1}
Symantec AntiVirus Client --> MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
TuneXP 1.5 --> C:\WINDOWS\iun6002.exe "C:\Program Files\TuneXP\irunin.ini"
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unreal Tournament --> C:\UnrealTournament\System\Setup.exe uninstall "UnrealTournament"
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live OneCare --> "C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XQDC X-Setup Pro 7.0.300.Final1 --> "C:\Program Files\X-Setup Pro\unins000.exe"
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui


-- Application Event Log -------------------------------------------------------

Event Record #/Type5490 / Warning
Event Submitted/Written: 02/27/2008 09:40:07 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit158.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type5489 / Warning
Event Submitted/Written: 02/27/2008 09:40:07 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit157.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type5488 / Warning
Event Submitted/Written: 02/27/2008 09:40:07 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit156.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type5487 / Warning
Event Submitted/Written: 02/27/2008 09:40:06 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit155.zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type5486 / Warning
Event Submitted/Written: 02/27/2008 09:40:06 AM
Event ID/Source: 6 / Norton AntiVirus
Event Description:
Could not scan 1 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit154.zip due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type53959 / Warning
Event Submitted/Written: 02/28/2008 10:59:30 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 009096AE497A. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type53952 / Warning
Event Submitted/Written: 02/28/2008 10:44:21 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.71.105 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type53951 / Error
Event Submitted/Written: 02/28/2008 10:44:21 AM
Event ID/Source: 20106 / RemoteAccess
Event Description:
Unable to add the interface {91A86EF0-5112-4D31-B674-E362039AAB05} with the Router Manager for the IP protocol. The
following error occurred: Cannot complete this function.

Event Record #/Type53938 / Error
Event Submitted/Written: 02/28/2008 10:44:14 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The HidServ service terminated with the following error:
%%126

Event Record #/Type53937 / Error
Event Submitted/Written: 02/28/2008 10:44:14 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-02-28 19:51:46 ------------

SmitFraudFix v2.298

Scan done at 19:26:17.65, Thu 02/28/2008
Run from C:\Documents and Settings\William Procopio\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.4d5.net
127.0.0.1 4d5.net
127.0.0.1 media.popuptraffic.com
127.0.0.1 scripps.com
127.0.0.1 www.sitefinder.verisign.com
127.0.0.1 adsremote.scripps.com
127.0.0.1 mas.scripps.com
127.0.0.1 scripps.com
127.0.0.1 googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 rcm.amazon.com
127.0.0.1 view.popupsponsor.com
127.0.0.1 www.popuptraffic.com
127.0.0.1 mediamgr.ugo.com
127.0.0.1 www.mediamgr.ugo.com
127.0.0.1 ads.gamespy.com
127.0.0.1 www.ads.gamespy.com
127.0.0.1 ads.hitcents.com
127.0.0.1 www.ads.hitcents.com
127.0.0.1 web2.realtracker.com
127.0.0.1 www.web2.realtracker.com
127.0.0.1 www2.addfreestats.com
127.0.0.1 www.addfreestats.com
127.0.0.1 addfreestats.com
127.0.0.1 www.systemsoap.com
127.0.0.1 ar.atwola.com
127.0.0.1 atwola.com
127.0.0.1 www.atwola.com
127.0.0.1 systemsoap.com
127.0.0.1 img.rn11.com
127.0.0.1 rn11.com
127.0.0.1 www.sitepoint.com
127.0.0.1 sitepoint.com
127.0.0.1 opennetinitiative.net
127.0.0.1 www.opennetinitiative.net
127.0.0.1 hc2.humanclick.com
127.0.0.1 humanclick.com
127.0.0.1 www.humanclick.com
127.0.0.1 clickability.com
127.0.0.1 www.clickability.com
127.0.0.1 adserver.anm.co.uk
127.0.0.1 adserver.news.com.au
127.0.0.1 ads2.newtimes.com
127.0.0.1 ads.newtimes.com
127.0.0.1 ads.tripod.lycos.de
127.0.0.1 ads.telegraph.co.uk
127.0.0.1 ads.thestar.com
127.0.0.1 ads.techtv.com
127.0.0.1 adsrv.bankrate.com
127.0.0.1 www.megago.com
127.0.0.1 megago.com
127.0.0.1 exit.megago.com
127.0.0.1 www.searching.net
127.0.0.1 searching.net
127.0.0.1 as.casalemedia.com
127.0.0.1 casalemedia.com
127.0.0.1 www.casalemedia.com
127.0.0.1 is.casalemedia.com
127.0.0.1 ads.warcry.com
127.0.0.1 www.ads.warcry.com
127.0.0.1 ads.warcry.com
127.0.0.1 ads.gorillanation.com
127.0.0.1 gorillanation.com
127.0.0.1 www.gorillanation.com
127.0.0.1 affiliates.barenecessities.com
127.0.0.1 www.starchamber.net
127.0.0.1 starchamber.net
127.0.0.1 ssl-images.amazon.com
127.0.0.1 la1-w-merry.universalinteractive.com
127.0.0.1 beveragebistro.com
127.0.0.1 www.beveragebistro.com
127.0.0.1 www.anarchy-online.com
127.0.0.1 www.rarebeer.com
127.0.0.1 www.qksrv.net
127.0.0.1 qksrv.net
127.0.0.1 books.textbookx.com
127.0.0.1 www.textbookx.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100
  • 0

#4
BillPro
Posted 28 February 2008 - 07:12 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
The smitfraudfix report is huge so I'm attaching the file.

Attached Files


  • 0

#5
Rorschach112
Posted 28 February 2008 - 07:43 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Smitfraudfix removed the desktop background. . . impressive.

Yes it is impressive, one of the best tools we have at removing malware. The work that went into creating it and updating it is beyond belief. Without it your computer would be unusable. I will pass on your regards to the developer.


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.


Also post a new DSS log

Edited by Rorschach112, 28 February 2008 - 07:44 PM.

  • 0

#6
BillPro
Posted 28 February 2008 - 08:35 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I'm not worthy...I await the next expert direction. Here are the logs:

SDFix: Version 1.149

Run by William Procopio on Thu 02/28/2008 at 09:05 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Application Data\cftmon.exe - Deleted
C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe - Deleted
C:\WINDOWS\system32\TFTP2892 - Deleted
C:\WINDOWS\system32\TFTP3176 - Deleted
C:\WINDOWS\system32\TFTP3184 - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 21:15:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape\\Netscape\\Netscp.exe:*:Enabled:Netscape"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"="C:\\Program Files\\Kensington\\MouseWorks\\k_update.exe:*:Enabled:Kensington Digital Update of installed software via the Web."
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Codemasters\\Insane Demo\\Game.exe"="C:\\Codemasters\\Insane Demo\\Game.exe:*:Disabled:INSANE"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 19 Mar 2006 33,280 ...H. --- "C:\Documents and Settings\Kim\My Documents\~WRL0002.tmp"
Sat 23 Feb 2008 12,906 ..SH. --- "C:\WINDOWS\system32\drivers\spools.exe"
Wed 25 Oct 2006 438,272 ..SHR --- "C:\QooBox\Purity\WINDOWS\MANTEC~1\mmc.exe"
Thu 16 Nov 2006 71,680 ..SHR --- "C:\QooBox\Purity\Documents and Settings\William Procopio\Application Data\FNTS~1\msconfig.exe"
Thu 28 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch1\lock.tmp"
Thu 28 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch2\lock.tmp"
Thu 28 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch3\lock.tmp"
Thu 28 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch4\lock.tmp"

Finished!

Deckard's System Scanner v20071014.68
Run by William Procopio on 2008-02-28 21:28:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).


-- HijackThis (run as William Procopio.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-28 21:28:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Documents and Settings\William Procopio\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {711C06FE-C1C3-4843-8E3D-B599121AABD1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" -vt yazb
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.caremark.com (HKCU)
O15 - Trusted Zone: https://line6.net (HKCU)
O15 - Trusted Zone: *.line6.net (HKCU)
O15 - Trusted Zone: http://service1.symantec.com (HKCU)
O15 - Trusted Zone: http://www.symantec.com (HKCU)
O15 - Trusted Zone: http://xponentialmusic.org (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092947926171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientsp...d/RapidocsX.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: abfbdacbbfeacb - C:\WINDOWS\system32\abfbdacbbfeacb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: System Event Notification SENSUPS (SENSUPS) - Unknown owner - C:\WINDOWS\system32\~.exe srv
O23 - Service: Dell Wireless WLAN Tray Service (WLTRYSVC) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 7906 bytes

-- Files created between 2008-01-28 and 2008-02-28 -----------------------------

2008-02-28 21:00:03 0 d-------- C:\WINDOWS\ERUNT
2008-02-28 20:56:44 0 dr-h----- C:\Documents and Settings\William Procopio\Recent
2008-02-28 19:28:21 3874 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-28 15:53:20 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-02-28 14:34:02 0 d-------- C:\My Music
2008-02-28 14:33:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-28 14:13:10 516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-02-28 14:13:10 307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-02-28 14:13:10 602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-02-28 14:13:10 1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-02-28 14:13:10 614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-02-28 14:13:08 118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-02-28 14:13:08 356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files\eSellerate
2008-02-28 14:08:09 1634304 --a------ C:\WINDOWS\system32\3D Windows XP.scr
2008-02-28 12:06:02 0 d-------- C:\Program Files\ACW
2008-02-28 10:54:11 0 d-------- C:\sUBs
2008-02-28 10:35:18 0 d-------- C:\Program Files\Trend Micro
2008-02-25 10:50:51 122385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll
2008-02-23 17:27:42 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 17:27:42 2552 --a------ C:\WINDOWS\unins000.dat
2008-02-23 09:31:55 12906 ---hs---- C:\WINDOWS\system32\drivers\spools.exe
2008-01-31 20:07:54 0 d-------- C:\Program Files\pdf-tools


-- Find3M Report ---------------------------------------------------------------

2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files
2008-02-28 14:08:00 0 d-------- C:\Program Files\Secure PC Solutions
2008-02-28 14:07:05 0 d-------- C:\Documents and Settings\William Procopio\Application Data\Line 6
2008-02-28 13:58:27 2 --a------ C:\WINDOWS\FixReportFound
2008-02-28 13:58:27 4 --a----c- C:\WINDOWS\FixFound
2008-02-27 08:55:22 0 d-------- C:\Documents and Settings\William Procopio\Application Data\AdobeUM
2008-02-25 08:37:11 1009 --ahs---- C:\WINDOWS\system32\2962003880.dat
2008-01-15 00:18:17 0 d-------- C:\Program Files\Dell


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711C06FE-C1C3-4843-8E3D-B599121AABD1}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 05:04 PM]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [06/01/2003 03:00 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [04/29/2004 01:15 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03/03/2003 12:29 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2005 08:30 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 02:24 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [01/22/2008 07:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"="C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" []

C:\Documents and Settings\William Procopio\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartBanner"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoStrCmpLogical"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abfbdacbbfeacb]
C:\WINDOWS\system32\abfbdacbbfeacb.dll 02/25/2008 10:50 AM 122385 C:\WINDOWS\system32\abfbdacbbfeacb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe




-- End of Deckard's System Scanner: finished at 2008-02-28 21:30:19 ------------
  • 0

#7
Rorschach112
Posted 29 February 2008 - 09:18 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Do you want help or do you just want to make rude comments ?
  • 0

#8
BillPro
Posted 29 February 2008 - 03:39 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
My apologies if my comments were misinterpreted. My only intent was to be complementary and perhaps a little humorous...failed on both accounts apparently.

As someone with only enough computer experience to get myself in trouble (that's why I'm here), I do know enough to be able to appreciate a level of expertise and understanding far beyond mine. Thus, I'm simply eager to see what's in store next. I find it very interesting process. Please accept my apology and continue.
  • 0

#9
Rorschach112
Posted 29 February 2008 - 03:45 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Sorry about that misunderstanding then, no harm done :)

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {711C06FE-C1C3-4843-8E3D-B599121AABD1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" -vt yazb
O15 - Trusted Zone: https://line6.net (HKCU)
O15 - Trusted Zone: *.line6.net (HKCU)
O20 - Winlogon Notify: abfbdacbbfeacb - C:\WINDOWS\system32\abfbdacbbfeacb.dll

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\abfbdacbbfeacb.dll
C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe
C:\WINDOWS\system32\drivers\spools.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143}
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log
  • 0

#10
BillPro
Posted 03 March 2008 - 06:49 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I still can't run hijackthis. I've tried various ways of starting the program (start menu, double click on icon, right click, etc.) but absolutely nothing happens when I do so. I've also tried to uninstalling (which didn't seem to work) and/or reinstalling the program. During the install, I get to the dialog box that asks what folder to put the program in then it just automatically closes and I'm back to the desktop. Any suggestions? Thanks
  • 0

Advertisements

#11
Rorschach112
Posted 03 March 2008 - 07:58 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You should be able to run DSS since you did it earlier, try that
  • 0

#12
BillPro
Posted 05 March 2008 - 07:08 AM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Okay, ran DSS and results are posted below. Since this clone of HiJackThis doesn't seem sllow you to fix system line items I didn't proceed with OTMoveIt2. Let me know if I should. Additionally, just as I was posting this reply the microsoft protection software "Windows Live OneCare" alerted me to the presence of the following, Backdoor:Win32/Koceg.gen!A

Bill

Deckard's System Scanner v20071014.68
Run by William Procopio on 2008-03-05 07:55:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).


-- HijackThis (run as William Procopio.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-05 07:55:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\William Procopio\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {711C06FE-C1C3-4843-8E3D-B599121AABD1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" -vt yazb
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.caremark.com (HKCU)
O15 - Trusted Zone: https://line6.net (HKCU)
O15 - Trusted Zone: *.line6.net (HKCU)
O15 - Trusted Zone: http://service1.symantec.com (HKCU)
O15 - Trusted Zone: http://www.symantec.com (HKCU)
O15 - Trusted Zone: http://xponentialmusic.org (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092947926171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientsp...d/RapidocsX.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: abfbdacbbfeacb - C:\WINDOWS\system32\abfbdacbbfeacb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: System Event Notification SENSUPS (SENSUPS) - Unknown owner - C:\WINDOWS\system32\~.exe srv
O23 - Service: Dell Wireless WLAN Tray Service (WLTRYSVC) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 8811 bytes

-- Files created between 2008-02-05 and 2008-03-05 -----------------------------

2008-02-28 23:10:41 0 dr-h----- C:\Documents and Settings\William Procopio\Recent
2008-02-28 21:00:03 0 d-------- C:\WINDOWS\ERUNT
2008-02-28 19:28:21 3874 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-28 15:53:20 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-02-28 14:34:02 0 d-------- C:\My Music
2008-02-28 14:33:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-28 14:13:10 516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-02-28 14:13:10 307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-02-28 14:13:10 602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-02-28 14:13:10 1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-02-28 14:13:10 614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-02-28 14:13:08 118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-02-28 14:13:08 356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files\eSellerate
2008-02-28 14:08:09 1634304 --a------ C:\WINDOWS\system32\3D Windows XP.scr
2008-02-28 12:06:02 0 d-------- C:\Program Files\ACW
2008-02-28 10:54:11 0 d-------- C:\sUBs
2008-02-28 10:35:18 0 d-------- C:\Program Files\Trend Micro
2008-02-25 10:50:51 122385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll
2008-02-23 17:27:42 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 17:27:42 2552 --a------ C:\WINDOWS\unins000.dat
2008-02-23 09:31:55 12906 ---hs---- C:\WINDOWS\system32\drivers\spools.exe


-- Find3M Report ---------------------------------------------------------------

2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files
2008-02-28 14:08:00 0 d-------- C:\Program Files\Secure PC Solutions
2008-02-28 14:07:05 0 d-------- C:\Documents and Settings\William Procopio\Application Data\Line 6
2008-02-28 13:58:27 2 --a------ C:\WINDOWS\FixReportFound
2008-02-28 13:58:27 4 --a----c- C:\WINDOWS\FixFound
2008-02-27 08:55:22 0 d-------- C:\Documents and Settings\William Procopio\Application Data\AdobeUM
2008-02-25 08:37:11 1009 --ahs---- C:\WINDOWS\system32\2962003880.dat
2008-01-31 20:07:54 0 d-------- C:\Program Files\pdf-tools
2008-01-15 00:18:17 0 d-------- C:\Program Files\Dell


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711C06FE-C1C3-4843-8E3D-B599121AABD1}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 05:04 PM]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [06/01/2003 03:00 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [04/29/2004 01:15 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03/03/2003 12:29 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2005 08:30 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 02:24 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [01/22/2008 07:43 PM]
"autoload"="C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe" [02/29/2008 10:03 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [02/23/2008 09:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"="C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" []
"autoload"="C:\Documents and Settings\William Procopio\Local Settings\Application Data\cftmon.exe" [02/29/2008 10:03 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [02/23/2008 09:31 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe

C:\Documents and Settings\William Procopio\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartBanner"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoStrCmpLogical"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abfbdacbbfeacb]
C:\WINDOWS\system32\abfbdacbbfeacb.dll 02/25/2008 10:50 AM 122385 C:\WINDOWS\system32\abfbdacbbfeacb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure20.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe




-- End of Deckard's System Scanner: finished at 2008-03-05 07:56:00 ------------
  • 0

#13
Rorschach112
Posted 05 March 2008 - 07:38 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please do the OTMoveIt step then post a new DSS log
  • 0

#14
BillPro
Posted 05 March 2008 - 08:31 PM

BillPro

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Okay, ran OTMoveIT2 and it did ask me to reboot and selecting that option prevented me from copying the results. I restarted and ran OTMoveIT2 again (repeating the same procedure), this time declining to reboot, copied the results window and posted them below. Also ran DSS again.

LoadLibrary failed for C:\WINDOWS\system32\abfbdacbbfeacb.dll
C:\WINDOWS\system32\abfbdacbbfeacb.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\abfbdacbbfeacb.dll scheduled to be moved on reboot.
File/Folder C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe not found.
File/Folder C:\WINDOWS\system32\drivers\spools.exe not found.
[Custom Input]
< purity >
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60bbfe66-7f79-11d9-8c15-000f1f1624f0}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b057c20e-e635-11dc-ace4-886797ccf143}\\ not found.

OTMoveIt2 v1.0.20 log created on 03052008_212353

Deckard's System Scanner v20071014.68
Run by William Procopio on 2008-03-05 21:25:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).


-- HijackThis (run as William Procopio.exe) ------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-05 21:25:45
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\William Procopio\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f431.mail.....com/ym/login?x
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {711C06FE-C1C3-4843-8E3D-B599121AABD1} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" -vt yazb
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.www.caremark.com (HKCU)
O15 - Trusted Zone: https://line6.net (HKCU)
O15 - Trusted Zone: *.line6.net (HKCU)
O15 - Trusted Zone: http://service1.symantec.com (HKCU)
O15 - Trusted Zone: http://www.symantec.com (HKCU)
O15 - Trusted Zone: http://xponentialmusic.org (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink...xp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092947926171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientsp...d/RapidocsX.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: abfbdacbbfeacb - C:\WINDOWS\system32\abfbdacbbfeacb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: System Event Notification SENSUPS (SENSUPS) - Unknown owner - C:\WINDOWS\system32\~.exe srv
O23 - Service: Dell Wireless WLAN Tray Service (WLTRYSVC) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 8029 bytes

-- Files created between 2008-02-05 and 2008-03-05 -----------------------------

2008-03-05 21:10:10 0 dr-h----- C:\Documents and Settings\William Procopio\Recent
2008-02-28 21:00:03 0 d-------- C:\WINDOWS\ERUNT
2008-02-28 19:28:21 3874 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-28 15:53:20 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-02-28 14:34:02 0 d-------- C:\My Music
2008-02-28 14:33:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-28 14:13:10 516096 --a------ C:\WINDOWS\system32\ExTab.dll <Not Verified; Exontrol Inc.; ExTab Module>
2008-02-28 14:13:10 307200 --a------ C:\WINDOWS\system32\ExPMenu.dll <Not Verified; Exontrol Inc.; ExPopupMenu Control>
2008-02-28 14:13:10 602112 --a------ C:\WINDOWS\system32\ExMenu.dll <Not Verified; Exontrol Inc.; ExMenu Control>
2008-02-28 14:13:10 1753088 --a------ C:\WINDOWS\system32\ExGrid.dll <Not Verified; Exontrol Inc.; ExGrid Module>
2008-02-28 14:13:10 614400 --a------ C:\WINDOWS\system32\ExButton.dll <Not Verified; Exontrol Inc.; ExButton Module>
2008-02-28 14:13:08 118784 --a------ C:\WINDOWS\system32\eWebControl.dll <Not Verified; eSellerate Inc.; >
2008-02-28 14:13:08 356352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files\eSellerate
2008-02-28 14:08:09 1634304 --a------ C:\WINDOWS\system32\3D Windows XP.scr
2008-02-28 12:06:02 0 d-------- C:\Program Files\ACW
2008-02-28 10:54:11 0 d-------- C:\sUBs
2008-02-28 10:35:18 0 d-------- C:\Program Files\Trend Micro
2008-02-25 10:50:51 122385 --a------ C:\WINDOWS\system32\abfbdacbbfeacb.dll
2008-02-23 17:27:42 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-23 17:27:42 2552 --a------ C:\WINDOWS\unins000.dat


-- Find3M Report ---------------------------------------------------------------

2008-02-28 14:13:08 0 d-------- C:\Program Files\Common Files
2008-02-28 14:08:00 0 d-------- C:\Program Files\Secure PC Solutions
2008-02-28 14:07:05 0 d-------- C:\Documents and Settings\William Procopio\Application Data\Line 6
2008-02-28 13:58:27 2 --a------ C:\WINDOWS\FixReportFound
2008-02-28 13:58:27 4 --a----c- C:\WINDOWS\FixFound
2008-02-27 08:55:22 0 d-------- C:\Documents and Settings\William Procopio\Application Data\AdobeUM
2008-02-25 08:37:11 1009 --ahs---- C:\WINDOWS\system32\2962003880.dat
2008-01-31 20:07:54 0 d-------- C:\Program Files\pdf-tools
2008-01-15 00:18:17 0 d-------- C:\Program Files\Dell


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711C06FE-C1C3-4843-8E3D-B599121AABD1}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 05:04 PM]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [06/01/2003 03:00 PM]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [04/29/2004 01:15 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03/03/2003 12:29 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2005 08:30 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/24/2006 02:24 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 05:34 PM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [01/22/2008 07:43 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"="C:\DOCUME~1\WILLIA~1\APPLIC~1\FNTS~1\msconfig.exe" []

C:\Documents and Settings\William Procopio\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoStartBanner"=01000000
"ClearRecentDocsOnExit"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoStrCmpLogical"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\abfbdacbbfeacb]
C:\WINDOWS\system32\abfbdacbbfeacb.dll 02/25/2008 10:50 AM 122385 C:\WINDOWS\system32\abfbdacbbfeacb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-03-05 21:27:04 ------------
  • 0

#15
Rorschach112
Posted 06 March 2008 - 11:35 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete ComboFix.exe and the folder C:\ComboFix then do this


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP