Huge Virtumonde, Trojan and Malware Problem [RESOLVED]



#16 RatHat (Ex Malware Expert, 7,829 posts)
You are going to need to re-install QuickTime, as that has been corrupted. The next time that iTunes updates itself, this will be done automatically, so it is nothing to worry about now. Now this machine has had several P2P programs installed, and these are the most likely cause of the infections you have had. I would strongly advise staying clear of any P2P programs in the future.

OK, let's continue cleaning this machine.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-791376da
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-6c73eabb.zip
C:\Documents and Settings\Edward\Desktop\MP_ROOT\keygen.exe
C:\Documents and Settings\Maria\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\MemWatcher[1].exe
C:\Downloads\Gunship-dm[1].exe
C:\Downloads\Gunship-dm[2].exe
C:\Downloads\PedalToTheMetalSetup-dm[1].exe
C:\NETGEAR MIMO G\nGpxx182328.exe
C:\Program Files\QuickTime\qttask.exe
C:\ss_IGN7_setup.exe
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\SYSTEM32\comz7\rewbydllcom6.exe

Folder::
C:\Documents and Settings\Linda\.limewire
C:\Documents and Settings\Linda\Incomplete
C:\Documents and Settings\Linda\Local Settings\Application Data\Wildtangent
C:\Program Files\AskSBar
C:\WINDOWS\SYSTEM32\bbbbb

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f5d94ac0-0718-4ed1-83fd-e34a38ac835b]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the contents of Combofix.txt in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\Documents and Settings\Edward\removeme.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Paste the contents of the Report.txt in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following, preferably pasted into the reply, as opposed to attached:
  • The contents of Combofix.txt
  • The contents of Jotti.txt
  • The contents of Report.txt
  • The contents of DrWeb.csv

We're getting there! :)

Regards,
RatHat
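The CFScript above uses ComboFix's section syntax (File::, Folder::, Registry::, with [-KEY] meaning "delete this registry key"). As an added example, not code from this thread or from ComboFix itself, the Python below parses such a script and reconciles its File:: and Folder:: entries against the "Other Deletions" section of the ComboFix.txt log that the user posts back, so a helper can see at a glance which requested entries the log never reported as removed. The sample script and log fragment are constructed from paths quoted in this thread and are deliberately abbreviated; `log_section`, `reconcile` and `demo` are names chosen here.

```python
"""Parse a ComboFix CFScript and reconcile it against a ComboFix.txt log.

Added example for this thread; not ComboFix's own code. The script syntax
(File:: / Folder:: / Registry:: sections, [-KEY] to delete a registry key)
is ComboFix's; the sample inputs below are constructed from paths quoted in
the thread and are abbreviated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")          # "[-KEY]" = delete whole key
LOG_HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")  # "(((( Title ))))" banners


@dataclass
class CFScript:
    files: list[str] = field(default_factory=list)
    folders: list[str] = field(default_factory=list)
    registry_deletes: list[str] = field(default_factory=list)  # keys from [-KEY] lines
    registry_other: list[str] = field(default_factory=list)    # any other Registry:: line


def parse_cfscript(text: str) -> CFScript:
    """Split a CFScript into its sections; reject an entry before any header."""
    script = CFScript()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            km = REG_DELETE_RE.match(line)
            if km:
                script.registry_deletes.append(km.group(1))
            else:
                script.registry_other.append(line)
        else:
            raise ValueError(f"entry before any section header: {line!r}")
    return script


def log_section(log: str, title: str) -> list[str]:
    """Return the non-empty lines under the '(((( title ))))' banner of ComboFix.txt."""
    lines: list[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        m = LOG_HEADER_RE.match(line)
        if m:
            if inside:
                break          # the next banner closes the section we were reading
            inside = m.group(1) == title
            continue
        if inside and line and line != ".":
            lines.append(line)
    return lines


def reconcile(script: CFScript, log: str) -> dict[str, list[str]]:
    """Compare requested File::/Folder:: entries with what the log reports deleted."""
    # NTFS paths are case-insensitive, so compare lower-cased.
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    requested = script.files + script.folders
    return {
        "deleted": [p for p in requested if p.lower() in deleted],
        "not_reported": [p for p in requested if p.lower() not in deleted],
    }


# Constructed sample script: three File:: entries, one Folder::, one Registry:: delete.
SAMPLE_SCRIPT = r"""
File::
C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Downloads\Gunship-dm[1].exe
C:\NETGEAR MIMO G\nGpxx182328.exe

Folder::
C:\WINDOWS\SYSTEM32\bbbbb

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f5d94ac0-0718-4ed1-83fd-e34a38ac835b]
"""

# Constructed, abbreviated ComboFix.txt: only two of the requested entries were deleted.
SAMPLE_LOG = r"""
ComboFix 08-03-03.16 - Edward 2008-03-06 21:07:42.4 - NTFSx86
Command switches used :: C:\Documents and Settings\Edward\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Downloads\Gunship-dm[1].exe

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-06 19:08 . 2008-03-06 19:08 0 --a------ C:\Documents and Settings\Edward\.exe
"""


def demo() -> dict[str, list[str]]:
    """Run the reconciliation on the constructed samples and print the outcome."""
    result = reconcile(parse_cfscript(SAMPLE_SCRIPT), SAMPLE_LOG)
    for key in ("deleted", "not_reported"):
        print(f"{key}:")
        for path in result[key]:
            print("   ", path)
    return result


if __name__ == "__main__":
    demo()
```

Entries under "not_reported" are the ones to re-check in the next log (ComboFix may have skipped a file that was in use, or the path may have been mistyped), which is exactly the kind of gap the helper asks the user to resolve in later posts.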



#17 SeniorChief (Topic Starter, 32 posts)
The last time I deleted this my router stopped working and my wireless signal wasn't being sent around my home.

C:\NETGEAR MIMO G\nGpxx182328.exe

What is this file?
Is it bad?

Edited by SeniorChief, 06 March 2008 - 06:35 PM.


#18 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

C:\NETGEAR MIMO G\nGpxx182328.exe showed up in one of the logs as infected, but let's check it to make sure, as NetGear is a router manufacturer, and it could be a false positive.

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\NETGEAR MIMO G\nGpxx182328.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as NetGear.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's run the Combofix script, without the inclusion of nGpxx182328.exe:


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-791376da
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-6c73eabb.zip
C:\Documents and Settings\Edward\Desktop\MP_ROOT\keygen.exe
C:\Documents and Settings\Maria\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\MemWatcher[1].exe
C:\Downloads\Gunship-dm[1].exe
C:\Downloads\Gunship-dm[2].exe
C:\Downloads\PedalToTheMetalSetup-dm[1].exe
C:\Program Files\QuickTime\qttask.exe
C:\ss_IGN7_setup.exe
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\SYSTEM32\comz7\rewbydllcom6.exe

Folder::
C:\Documents and Settings\Linda\.limewire
C:\Documents and Settings\Linda\Incomplete
C:\Documents and Settings\Linda\Local Settings\Application Data\Wildtangent
C:\Program Files\AskSBar
C:\WINDOWS\SYSTEM32\bbbbb

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\f5d94ac0-0718-4ed1-83fd-e34a38ac835b]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Carry out the rest of the fix I posted before as laid out after the Combofix script, and post me the results back in your next reply.

Regards,
RatHat

#19 SeniorChief (Topic Starter, 32 posts)
Looks like the majority of Jotti's malware scanners said that it was Trojan-Downloader.Win32.VB.cgu.

So I guess that I'll just carry out with the old Combo-Fix Directions and see what happens.

#20 RatHat (Ex Malware Expert, 7,829 posts)
Can you post me the contents of the Jotti scan first.

#21 SeniorChief (Topic Starter, 32 posts)
Sure.

Here you go:

Attached Files



#22 RatHat (Ex Malware Expert, 7,829 posts)
OK, you have got me a bit uncertain about this one, and I don't want you to lose your internet connection before continuing with the fix.

Do you have the installation disks for the router? So if you do lose your connection you can reinstall and get back online?

#23 SeniorChief (Topic Starter, 32 posts)
Yes I have the installation disks handy just in case!

Ya......I just deleted the file and my internet and other wireless computers work perfectly fine. :)

For some reason the last time I deleted the file my internet stopped working??????
I guess it was just all the computer Viruses I had at the time :)

#24 RatHat (Ex Malware Expert, 7,829 posts)
Well, thank **** for that! Had me worried there.

OK, could you continue on with the rest of the fixes and post me the results.

#25 SeniorChief (Topic Starter, 32 posts)
Yes Sir!

I'll be back later with the results.



#26 SeniorChief (Topic Starter, 32 posts)
Everything seemed to go very well!

Except I'm not sure about the DrWeb-CureIt because some of the directions that I was supposed to do didn't seem to work. Meaning, I couldn't find how to do them because most of the buttons I was supposed to select weren't there. (It seemed as if the app was an older version or something. So it only found 1 thing and the log is really short.)

Combo-Fix

ComboFix 08-03-03.16 - Edward 2008-03-06 21:07:42.4 - NTFSx86

Running from: C:\Documents and Settings\Edward\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Edward\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-791376da
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-6c73eabb.zip
C:\Documents and Settings\Edward\Desktop\MP_ROOT\keygen.exe
C:\Documents and Settings\Maria\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\MemWatcher[1].exe
C:\Downloads\Gunship-dm[1].exe
C:\Downloads\Gunship-dm[2].exe
C:\Downloads\PedalToTheMetalSetup-dm[1].exe
C:\NETGEAR MIMO G\nGpxx182328.exe
C:\Program Files\QuickTime\qttask.exe
C:\ss_IGN7_setup.exe
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\SYSTEM32\comz7\rewbydllcom6.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Edward\Application Data\Microsoft\Windows\mihvo.exe
C:\Documents and Settings\Edward\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-791376da
C:\Documents and Settings\Edward\Desktop\MP_ROOT\keygen.exe
C:\Downloads\Gunship-dm[1].exe
C:\Downloads\Gunship-dm[2].exe
C:\Downloads\PedalToTheMetalSetup-dm[1].exe
C:\Program Files\QuickTime\qttask.exe
C:\ss_IGN7_setup.exe
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\SYSTEM32\comz7\rewbydllcom6.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-06 19:08 . 2008-03-06 19:08 0 --a------ C:\Documents and Settings\Edward\.exe
2008-03-04 20:07 . 2008-03-04 20:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-04 20:07 . 2008-03-04 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 16:47 . 2008-03-04 19:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-04 16:47 . 2008-03-04 16:47 <DIR> d-------- C:\Documents and Settings\Edward\Application Data\Malwarebytes
2008-03-04 16:47 . 2008-03-04 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-03 23:15 . 2008-03-04 15:52 0 ---hs---- C:\WINDOWS\S7E46A0CD.tmp
2008-03-02 22:45 . 2008-03-06 20:07 <DIR> d-------- C:\VundoFix Backups
2008-02-26 19:03 . 2008-02-26 19:03 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-02-26 19:02 . 2008-03-01 21:04 <DIR> d-------- C:\Documents and Settings\Edward\.housecall6.6
2008-02-26 16:46 . 2008-02-26 16:46 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-26 16:13 . 2008-02-26 16:13 <DIR> d-------- C:\Program Files\LIUtilities
2008-02-25 21:45 . 2008-03-03 19:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 21:44 . 2008-03-03 23:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-25 21:44 . 2008-02-25 21:44 <DIR> d-------- C:\Documents and Settings\Edward\Application Data\PC Tools
2008-02-25 21:44 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-02-25 21:44 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-02-25 21:44 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-02-25 21:44 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-02-25 18:00 . 2008-02-25 18:00 <DIR> d-------- C:\Program Files\inKline Global
2008-02-23 23:57 . 2008-02-23 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-02-23 23:34 . 2008-03-03 23:05 <DIR> d-------- C:\Program Files\Pop up Blocker Pro RMA Edition
2008-02-23 21:17 . 2008-02-23 23:42 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-02-19 21:27 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-02-19 21:27 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-02-19 21:27 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-02-19 21:27 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-02-19 21:27 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-02-19 21:27 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-02-19 21:26 . 2008-02-19 21:26 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-19 21:26 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-02-19 21:26 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-02-19 20:55 . 2008-03-06 20:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 16:27 . 2008-03-03 23:05 <DIR> d-------- C:\Program Files\Spybot Search & Destroy
2008-02-17 17:50 . 2008-02-18 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-16 01:30 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 23:18 . 2008-02-14 23:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-14 19:36 . 2008-02-14 19:36 <DIR> d-------- C:\Program Files\CookieBoy 2k8 Ltd
2008-02-14 16:41 . 2008-02-14 16:41 10,344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
2008-02-14 16:21 . 2008-02-14 16:34 8,014 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-02-14 16:21 . 2008-02-14 16:34 806 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-02-11 22:30 . 2008-02-11 23:30 <DIR> d-------- C:\Program Files\UltraVNC
2008-02-09 22:02 . 2008-02-19 21:30 1,519,616 --a------ C:\WINDOWS\SYSTEM32\nwiz.exe
2008-02-09 19:02 . 2008-02-09 19:02 <DIR> d-------- C:\Program Files\Webroot
2008-02-09 19:02 . 2008-02-09 19:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-09 19:02 . 2008-02-09 19:02 <DIR> d-------- C:\Documents and Settings\Edward\Application Data\Webroot
2008-02-09 19:02 . 2008-02-09 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-09 19:02 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-02-09 19:02 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-02-09 19:02 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-02-09 19:02 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-02-09 19:02 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-02-09 18:24 . 2008-02-09 18:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-08 22:05 . 2007-12-06 21:21 6,066,176 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-02-08 22:05 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-02-08 22:05 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-02-08 22:05 . 2007-12-06 21:21 459,264 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-02-08 22:05 . 2007-12-06 21:21 383,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-02-08 22:05 . 2007-12-06 21:21 267,776 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-02-08 22:05 . 2007-12-06 21:21 63,488 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-02-08 22:05 . 2007-12-06 21:21 52,224 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-02-08 22:05 . 2007-12-06 06:00 13,824 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-08 22:04 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 02:08 --------- d-----w C:\Program Files\QuickTime
2008-03-07 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-07 00:08 0 ----a-w C:\Documents and Settings\Edward\.exe
2008-03-06 02:22 --------- d-----w C:\Program Files\Google
2008-03-06 02:20 --------- d-----w C:\Program Files\mozilla.org
2008-03-04 20:47 --------- d-----w C:\Program Files\Java
2008-03-04 04:05 --------- d-----w C:\Program Files\Windows Defender
2008-03-04 04:05 --------- d-----w C:\Program Files\iTunes
2008-03-04 04:05 --------- d-----w C:\Program Files\ESPNRunTime
2008-03-04 04:05 --------- d-----w C:\Program Files\AIM95
2008-02-26 03:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-25 23:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 22:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-16 07:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 21:12 --------- d--h--w C:\Documents and Settings\Edward\Application Data\Move Networks
2008-02-05 21:11 --------- d-----w C:\Program Files\Common Files\Real
2008-02-05 21:06 --------- d-----w C:\Program Files\Palm
2008-02-05 20:57 --------- d-----w C:\Program Files\My Stuff
2008-01-30 22:27 --------- d-----w C:\Program Files\Plaxo
2008-01-29 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 01:55 --------- d-----w C:\Program Files\Microsoft Works
2008-01-29 01:53 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-29 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-01-23 04:21 90,616 ----a-w C:\Documents and Settings\Edward\Application Data\GDIPFONTCACHEV1.DAT
2008-01-21 23:09 --------- d-----w C:\Program Files\Yahoo!
2008-01-21 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-21 23:05 --------- d-----w C:\Program Files\Living Books
2008-01-19 20:53 --------- d-----w C:\Documents and Settings\Edward\Application Data\MD5 Checksum Verifier
2008-01-16 22:39 --------- d-----w C:\Program Files\Audio Editor Gold
2008-01-14 22:16 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-01-11 23:25 --------- d-----w C:\Program Files\RcvSystem
2008-01-07 20:17 10 ----a-w C:\Program Files\.autoreg
2006-12-18 05:41 5,632 --sh--w C:\Program Files\Thumbs.db
2006-03-16 23:02 560 ----a-w C:\Documents and Settings\Edward\Application Data\ViewerApp.dat
2006-02-12 22:59 11,486,720 ----a-w C:\Program Files\TiVo Desktop 2.2.exe
2005-08-30 23:13 313,283 ----a-w C:\Program Files\cwshredder.zip
2004-11-03 23:34 28,124 ----a-w C:\Program Files\PI's Adam.pdf
2004-06-01 13:27 137,216 ----a-w C:\Program Files\CWShredder.exe
2003-10-14 04:42 32,320 ----a-w C:\Documents and Settings\Edward\removeme.exe
2007-04-07 15:33 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
----a-w		 5,367,664 2008-02-20 02:31:03  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Pop up Blocker Pro Rich-Media Ads Edition"="C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" [2008-03-03 15:19 1311232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\SYSTEM32\rundll32.exe]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-03-03 15:19 847872]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [2008-03-03 15:19 14450688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-02-19 21:30 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-11-24 03:40:29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\UltraVNC\\repeater.exe"=
"C:\\Program Files\\UltraVNC\\winvnc.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50292d6e-7815-11db-8d54-0007e9bbeae2}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50292d6f-7815-11db-8d54-0007e9bbeae2}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8bc06e0-c3bd-11db-8d74-0007e9bbeae2}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert .ex
- C:\Program Files\AdwareAlert.EdwardWRuns AdwareAlert to scan your computer for malicious and potenially unwanted programs.
"2008-02-29 21:16:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-06 06:49:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-07 02:15:08 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job"
- C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 21:18:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-06 21:27:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 02:27:43
ComboFix2.txt 2008-03-04 21:20:12
ComboFix3.txt 2008-03-04 04:24:38
ComboFix4.txt 2008-03-04 01:10:55
.
2008-02-13 08:13:07 --- E O F ---


Jotti


File: removeme.exe
Status: OK
MD5: 1f8b3585ab39014f652c98a55ce46d79
Packers detected: -
Bit9 reports: File not found

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scanner results
Scan taken on 07 Mar 2008 02:36:23 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


SDFix: Version 1.153

Run by SeniorChief on Thu 03/06/2008 at 10:01 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
wer32

Path:
\??\C:\WINDOWS\system32\jkghje.dll

wer32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HQIMECL.EXE - Deleted
C:\WINDOWS\SYSTEM32\DPMPK.DLL - Deleted
C:\Program Files\.autoreg - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 22:14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\\xcejpl\OpenWithList]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:SBC Yahoo! Music Engine"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1130193630\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\\Program Files\\UltraVNC\\repeater.exe"="C:\\Program Files\\UltraVNC\\repeater.exe:*:Disabled:distributer"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Disabled:VNC server for Win32"
"C:\\Program Files\\UltraVNC\\vncviewer.exe"="C:\\Program Files\\UltraVNC\\vncviewer.exe:*:Disabled:VNCViewer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 4 Mar 2008 0 ..SH. --- "C:\WINDOWS\S7E46A0CD.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot Search & Destroy\SpybotSD.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 22 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sat 7 Apr 2007 2,516 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Sun 18 Jan 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1832\A0545198.exe"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 8 Feb 2007 1,749 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT11D.tmp"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT11B.tmp"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT121.tmp"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT11F.tmp"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT124.tmp"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT11C.tmp"
Sun 18 Jan 2004 4,348 ...H. --- "C:\Documents and Settings\Edward\My Documents\My Music\License Backup\drmv1key.bak"
Fri 5 Oct 2007 20 A..H. --- "C:\Documents and Settings\Edward\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 4 Sep 2005 488 A.SH. --- "C:\Documents and Settings\Edward\My Documents\My Music\License Backup\drmv2key.bak"
Mon 10 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!


DrWeb-CureIt

System Analyzer.exe;C:\Documents and Settings\Edward\My Documents\Downloads\Ad-Aware SE Professional v1.06 + Multi Lang + All Ad-Ons\Ad-Aware SE Pr;Trojan.Encoder;Deleted.;

Edited by SeniorChief, 07 March 2008 - 09:13 PM.

  • 0

#27
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey there,

Looks like there is a new version of DrWeb out, so the instructions I gave you are outdated. I have just downloaded it and checked it out, and the default settings would have been OK for you. You can delete DrWeb now.

SD fix got a couple of things and you are starting to look like you have a clean machine!

To be on the safe side, I would like you to do a couple more things:

Firstly, let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Next I would like you to run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer (or Firefox's IE Tab extension)
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient


Finally, download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\


So post me the results from the F-Secure scan along with the DSS logs and let me know how your computer is behaving now, and if you are experiencing any more problems.

Regards,
RatHat
  • 0

#28
SeniorChief

SeniorChief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Here you go.
Sorry for the wait, I haven't been home lately. :)

F-Secure doesn't fit in a post, so I put it as an attachment.

DSS: Main



Deckard's System Scanner v20071014.68
Run by Edward on 2008-03-09 15:02:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Edward.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:48 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Edward\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Edward.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lakeorion.k12.mi.us/lohs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pop up Blocker Pro Rich-Media Ads Edition] "C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" Minimize
O4 - HKUS\S-1-5-21-3262582141-619540180-3980966549-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3262582141-619540180-3980966549-1005\..\Run: [Pop up Blocker Pro Rich-Media Ads Edition] "C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" Minimize (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Pop up Blocker Pro Rich-Media Ads Edition - {0FDE313D-9F9A-4264-AAEF-E1B7037EF9A6} - C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143329679230
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143329664558
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomic...activex/AMC.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {94418D7F-29BF-460F-8614-DEFB34871FA4} - https://secure3.true.../TrueConfig.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF468D2E-0575-4271-BEC8-A3787CFE7E85}: NameServer = 192.168.1.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 10050 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080301-210903-869 F2 - REG:system.ini: UserInit=userinit.exe,
backup-20080301-210903-952 F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnnk.exe
backup-20080303-230100-305 R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
backup-20080303-230100-364 O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
backup-20080303-230100-533 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20080303-230100-743 O4 - HKUS\S-1-5-21-3262582141-619540180-3980966549-1005\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot (User '?')
backup-20080303-230100-754 O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll (file missing)
backup-20080303-230100-929 O4 - HKLM\..\Run: [braviax] braviax.exe
backup-20080303-230101-571 O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...orts/wtinst.cab
backup-20080303-230101-582 O20 - Winlogon Notify: gebcbcy - gebcbcy.dll (file missing)
backup-20080303-230102-426 O20 - Winlogon Notify: khfecca - khfecca.dll (file missing)
backup-20080303-230102-617 O20 - Winlogon Notify: qomkigg - qomkigg.dll (file missing)
backup-20080304-155825-309 O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll (file missing)
backup-20080304-155826-182 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim .exe (file missing)
backup-20080304-155826-662 O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
backup-20080304-155826-712 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

0 adwarealert - system32\drivers\adwarealert.sys (file missing)
3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys (file missing)
3 catchme - c:\docume~1\edward\locals~1\temp\catchme.sys (file missing)
3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - system32\drivers\el90xbc5.sys (file missing)
3 hkaqyeb.sys - c:\windows\system32\hkaqyeb.sys (file missing)
3 iAimTV2 - system32\drivers\watv03nt.sys (file missing)
3 IFPUSB (iRiver Internet Audio Player IFP-100) - c:\windows\system32\drivers\ifpusb.sys <Not Verified; iRiver, Inc.; IFP-100>
3 ip6fw (IPv6 Windows Firewall Driver) - system32\drivers\ip6fw.sys (file missing)
3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - c:\windows\system32\pcampr5.sys (file missing)
3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
1 redbookk - system32\drivers\redbookk.sys (file missing)
3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>
3 wanatw (WAN Miniport (ATW)) - system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\program files\bonjour\mdnsresponder.exe
3 DSBrokerService - c:\program files\dellsupport\brkrsvc.exe
3 FLEXnet Licensing Service - c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
2 NWCWorkstation (Client Service for NetWare) - c:\windows\system32\svchost.exe
2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
3 YPCService - c:\windows\system32\ypcservice.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-03-09 15:00:00 340 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job
2008-03-09 02:49:12 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-03-08 04:00:00 500 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
2008-03-07 17:16:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-09 and 2008-03-09 -----------------------------

2008-03-08 15:06:29 0 d-------- C:\fsaua.data
2008-03-07 22:20:45 0 d-------- C:\Documents and Settings\Edward\DoctorWeb
2008-03-06 22:56:53 0 d-------- C:\WINDOWS\ERUNT
2008-03-06 20:08:48 0 --a------ C:\Documents and Settings\Edward\.exe
2008-03-04 21:07:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 21:07:13 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-04 17:47:39 0 d-------- C:\Documents and Settings\Edward\Application Data\Malwarebytes
2008-03-04 17:47:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-04 17:47:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-03 20:30:47 0 d-------- C:\cmdcons
2008-02-26 20:02:51 0 d-------- C:\Documents and Settings\Edward\.housecall6.6
2008-02-26 17:46:31 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-26 17:13:00 0 d-------- C:\Program Files\LIUtilities
2008-02-25 22:45:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-25 22:44:34 0 d-------- C:\Program Files\Spyware Doctor
2008-02-25 22:44:34 0 d-------- C:\Documents and Settings\Edward\Application Data\PC Tools
2008-02-25 19:00:21 0 d-------- C:\Program Files\inKline Global
2008-02-24 01:07:51 0 d-------- C:\CloneDVDTemp
2008-02-24 00:57:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-02-24 00:34:49 0 d-------- C:\Program Files\Pop up Blocker Pro RMA Edition
2008-02-23 22:17:53 0 d-------- C:\Program Files\Elaborate Bytes
2008-02-19 22:26:47 0 d-------- C:\Program Files\Alwil Software
2008-02-19 21:55:32 0 d-------- C:\Program Files\Trend Micro
2008-02-19 17:27:55 0 d-------- C:\Program Files\Spybot Search & Destroy
2008-02-18 15:53:20 0 d-------- C:\WINDOWS\CSC
2008-02-17 18:50:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-16 02:30:57 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-15 00:18:58 0 d-------- C:\Program Files\Enigma Software Group
2008-02-14 20:36:56 0 d-------- C:\Program Files\CookieBoy 2k8 Ltd
2008-02-11 23:30:32 0 d-------- C:\Program Files\UltraVNC
2008-02-09 23:02:03 1519616 --a------ C:\WINDOWS\system32\nwiz.exe
2008-02-09 22:59:28 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-02-09 22:58:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2008-02-09 22:57:39 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-02-09 22:57:31 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-09 22:57:24 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-02-09 20:02:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-02-09 20:02:06 0 d-------- C:\Documents and Settings\Edward\Application Data\Webroot
2008-02-09 20:02:05 0 d-------- C:\Program Files\Webroot
2008-02-09 20:02:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-09 19:24:16 0 d-------- C:\Program Files\SpywareBlaster


-- Find3M Report ---------------------------------------------------------------

2008-03-06 22:08:07 0 d-------- C:\Program Files\QuickTime
2008-03-05 22:22:40 0 d-------- C:\Program Files\Google
2008-03-05 22:20:16 0 d-------- C:\Program Files\mozilla.org
2008-03-05 22:20:03 0 d-a------ C:\Program Files\Common Files
2008-03-04 16:47:36 0 d-------- C:\Program Files\Java
2008-03-04 00:05:34 0 d-------- C:\Program Files\Windows Defender
2008-03-04 00:05:12 0 d-------- C:\Program Files\Messenger
2008-03-04 00:05:11 0 d-------- C:\Program Files\iTunes
2008-03-04 00:05:07 0 d-------- C:\Program Files\ESPNRunTime
2008-03-04 00:05:00 0 d-------- C:\Program Files\AIM95
2008-02-25 23:10:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-25 19:00:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-21 01:37:43 17232 --a------ C:\Documents and Settings\Edward\Application Data\asuh._sy
2008-02-17 18:34:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-16 12:00:12 12773 --a------ C:\Documents and Settings\Edward\Application Data\tuniqu.lib
2008-02-16 12:00:12 17940 --a------ C:\Documents and Settings\Edward\Application Data\lujupiqipy.lib
2008-02-09 23:31:10 28672 --a------ C:\WINDOWS\system32\DSentry.exe <Not Verified; Dell - Advanced Desktop Engineering; Dell - DVDSentry>
2008-02-09 23:06:48 97888 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-09 23:02:59 1648 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-05 17:12:17 0 d--h----- C:\Documents and Settings\Edward\Application Data\Move Networks
2008-02-05 17:11:00 0 d-------- C:\Program Files\Common Files\Real
2008-02-05 17:06:23 0 d-------- C:\Program Files\Palm
2008-02-05 16:57:31 0 d-------- C:\Program Files\My Stuff
2008-01-30 18:27:37 0 d-------- C:\Program Files\Plaxo
2008-01-28 21:55:28 0 d-------- C:\Program Files\Microsoft Works
2008-01-28 21:53:11 0 d-------- C:\Program Files\Microsoft.NET
2008-01-23 00:21:01 90616 --a------ C:\Documents and Settings\Edward\Application Data\GDIPFONTCACHEV1.DAT
2008-01-21 19:09:42 0 d-------- C:\Program Files\Yahoo!
2008-01-21 19:05:57 0 d-------- C:\Program Files\Living Books
2008-01-21 18:13:54 0 d-------- C:\Program Files\Online Services
2008-01-19 16:53:49 0 d-------- C:\Documents and Settings\Edward\Application Data\MD5 Checksum Verifier
2008-01-16 18:39:06 0 d-------- C:\Program Files\Audio Editor Gold
2008-01-14 18:16:25 0 d-------- C:\Program Files\Microsoft Home Publishing 2000
2008-01-11 19:25:34 0 d-------- C:\Program Files\RcvSystem
2008-01-05 00:45:40 17 --a------ C:\WINDOWS\system32\'
2007-12-17 13:59:22 12796 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 03:56 AM C:\WINDOWS\SYSTEM32\rundll32.exe]
"Logitech Utility"="Logi_MwX.Exe" [11/08/2002 05:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [03/03/2008 04:19 PM]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [03/03/2008 04:19 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [02/19/2008 10:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Pop up Blocker Pro Rich-Media Ads Edition"="C:\Program Files\Pop up Blocker Pro RMA Edition\pdie.exe" [03/03/2008 04:19 PM]

C:\Documents and Settings\Edward\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 3:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [12/11/2002 2:48:23 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/24/2002 4:40:29 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50292d6e-7815-11db-8d54-0007e9bbeae2}]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50292d6f-7815-11db-8d54-0007e9bbeae2}]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8bc06e0-c3bd-11db-8d74-0007e9bbeae2}]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER



-- End of Deckard's System Scanner: finished at 2008-03-09 15:05:30 ------------


DSS: Extra


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 42%
Physical Memory (total/avail): 510.98 MiB / 294.32 MiB
Pagefile Memory (total/avail): 1730.73 MiB / 1513.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.05 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.73 GiB total, 31.34 GiB free.
G: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Edward\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DCFTN321
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Edward
LOGONSERVER=\\DCFTN321
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Sonic Shared\Ligos\GoMotion;C:\Program Files\Common Files\Sonic Shared\Ligos\Decoders;C:\Program Files\Common Files\Sonic Shared\MainConcept;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Edward\LOCALS~1\Temp
TMP=C:\DOCUME~1\Edward\LOCALS~1\Temp
USERDOMAIN=DCFTN321
USERNAME=Edward
USERPROFILE=C:\Documents and Settings\Edward
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Edward (admin)
Linda (admin)
Alex
Maria
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55BC7EFA-D832-4EE3-9DEA-49B0C07539D9}\setup.exe" -l0x9 -L0x9anything
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DCDC8E79-4600-4C02-9824-CD3BB8971D4E}\Setup.exe" -l0x9 -L0x9anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2600_Help -->
2600Trb -->
2700 -->
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Setup --> MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AdWare & SpyWare --> "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.adwarerem...evid=31418&s=1"
AdwareAlert --> MsiExec.exe /X{466E4597-4833-4CCD-8EE8-509450CA1BE9}
AiO_Scan -->
AiOSoftware -->
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Arthur's Teacher Trouble --> C:\WINDOWS\uninst.exe -f"c:\games\Arthur\Teacher Trouble\DeIsL1.isu"
Audio Editor Gold v9.2.19.1 --> "C:\Program Files\Audio Editor Gold\unins000.exe"
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Avatar Sizer --> MsiExec.exe /X{110DEFF6-1BC3-4C3C-8A9D-F482EA6BA70F}
AXIS Media Control --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control\AxisMediaControl.dll",UninstallMe
BufferChm -->
Classic PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C3}\setup.exe" -l0x9 ControlPanel
ClearStream Accelerator --> C:\WINDOWS\UNWISE.EXE C:\WINDOWS\System32\river.log
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\HXFSETUP.EXE -U -IVEN_14F1&DEV_2016&SUBSYS_021913E0
Contextual Tool --> C:\WINDOWS\System32\ZQInContextactx1.exe /uninstall
Cookies Xbox360 Game Burner 1.00 --> C:\Program Files\CookieBoy 2k8 Ltd\Cookies Xbox360 Game Burner\Uninstall.exe
Copy -->
CreativeProjects -->
CreativeProjectsTemplates -->
CueTour -->
CuteFTP 8 Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9
DebugMode Wax 2.0 --> "C:\Documents and Settings\Alex\My Documents\Video Editing Software\Wax20e\uninst.exe"
Dell Modem-On-Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Destinations -->
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Director -->
DocProc -->
DocumentViewer -->
DVD Shrink 3.2 --> "C:\Downloads\DVD Shrink\unins000.exe"
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Electronic Arts Game Updater --> C:\WINDOWS\IsUninst.exe -f"c:\Program Files\EACom\Update\Uninst.isu"
ESPN RunTime --> C:\Program Files\ESPNRunTime\DIGSvcUninstall.exe /brand=ESPN
Fax -->
Franklin The Turtle School --> C:\WINDOWS\UninstFrankSchool.exe
FS One --> "C:\WINDOWS\FS One\uninstall.exe" "/U:C:\Program Files\FS One\Uninstall\uninstall.xml"
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google SketchUp --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E1423608-F529-40A1-93CA-C7F396F30DF0}\setup.exe" -l0x9
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
Help and Support Customization -->
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\Scanner\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
HP Diagnostic Assistant -->
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HPODiscovery -->
HPSystemDiagnostics -->
InstantShare -->
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
iPod for Windows 2005-11-17 -->
iPod for Windows 2005-11-17 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8338BA06-E527-491B-9400-F51708FEE695} /l1033
iPod Updater 2004-11-15 -->
iPod Updater 2004-11-15 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{06E73C0B-7DE7-4F41-860B-587033B75BD9} /l1033
iRiver Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\iRiver\iRiver Manager\Uninst.isu"
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
JetFighter IV --> C:\PROGRA~1\Maverick\UNWISE.EXE C:\PROGRA~1\Maverick\INSTALL.LOG
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech iTouch Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{036AA4D4-6D32-11D4-9875-00105ACE7734}\setup.exe" -l0x9 UNINSTALL
Logitech MouseWare 9.75 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Resource Center --> C:\PROGRA~1\Logitech\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\RESOUR~1\rem\INSTALL.LOG
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Encarta 97 Encyclopedia --> C:\WINDOWS\unenc97.exe
Microsoft Flight Simulator for Windows 95 --> C:\program files\microsoft games\setup\acmsetup.exe /z customui.dll
Microsoft Home Publishing 2000 --> MsiExec.exe /I{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money 2002 --> MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft Money 2002 System Pack --> MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft WinUsb 1.0 --> "C:\WINDOWS\$NtUninstallwinusb0100$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\setup.exe" -l0x9 -L0x9 /SMAINT
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Overland -->
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PC Booster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0601E1-B65C-11D5-80A9-0000B494D9A6}\setup.exe" -l0x9 -removeonly
PCsync --> MsiExec.exe /X{DDBC8703-AA18-491F-97BE-98D4543A901B}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pepakura Designer2 --> "C:\Program Files\tamasoftware\epuninst.exe" /s
PhotoGallery -->
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
Plaxo Toolbar for Outlook and Outlook Express --> C:\Program Files\Plaxo\2.13.1.2\uninstall.exe
Pop up Blocker Pro RMA Edition 5.0.1 (remove only) --> "C:\Program Files\Pop up Blocker Pro RMA Edition\uninst.exe"
PrintScreen -->
ProductContext -->
QFolder -->
QuickProjects -->
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Readme -->
Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
SBC Yahoo! DSL Activation --> C:\PROGRA~1\Yahoo!\Common\undsldlk.exe
Scan -->
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
SkinsHP1 -->
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot Search & Destroy\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TI Connect 1.5 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
TrayApp -->
TVUPlayer 2.2.0 --> C:\Program Files\TVUPlayer\uninst.exe
UltraVNC v1.0.2 --> "C:\Program Files\UltraVNC\unins000.exe"
Unload -->
Videora iPod Converter 0.91 --> C:\Program Files\VideoraiPodConverter\uninst.exe
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WebFldrs XP -->
WebReg -->
WickedOrange BandwidthMonitor 0.1 --> "C:\Program Files\WickedOrange\BandwidthMonitor\unins000.exe"
Windows Defender --> MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Easy Transfer --> "C:\WINDOWS\$NtUninstallWETCable$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinTasks Trial --> MsiExec.exe /X{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}
Yahoo! Toolbar -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type9399 / Error
Event Submitted/Written: 03/09/2008 02:11:05 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 671716912.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type9398 / Error
Event Submitted/Written: 03/09/2008 01:07:36 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module fscax.dll, version 3.3.2.0, fault address 0x0001d560.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type9397 / Error
Event Submitted/Written: 03/08/2008 07:35:54 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.20121, faulting module fscax.dll, version 3.3.2.0, fault address 0x0001d560.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type9395 / Warning
Event Submitted/Written: 03/08/2008 02:35:34 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{91130409-6000-11D3-8CFE-0050048383C9}', feature 'OUTLOOKNonBootFiles' failed during request for component '{72C23EF9-E5CF-11D1-A17F-00A0C90AB50F}'

Event Record #/Type9394 / Warning
Event Submitted/Written: 03/08/2008 02:35:34 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91130409-6000-11D3-8CFE-0050048383C9}', feature 'OUTLOOKNonBootFiles', component '{AE6180B0-1655-11D4-8D54-00500483845D}' failed. The resource 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\DependentComponents\Microsoft Outlook 2002' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3731 / Error
Event Submitted/Written: 03/09/2008 02:27:56 AM
Event ID/Source: 1 / F-Secure Standalone Minifilter
Event Description:
\Device\HarddiskVolume2\WIN...wua

Event Record #/Type3730 / Error
Event Submitted/Written: 03/08/2008 03:36:15 PM / 03/08/2008 03:36:16 PM
Event ID/Source: 1 / F-Secure Standalone Minifilter
Event Description:
\Device\HarddiskVolume2\WINDO...m

Event Record #/Type3729 / Warning
Event Submitted/Written: 03/08/2008 00:37:29 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type3725 / Error
Event Submitted/Written: 03/07/2008 10:56:29 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type3724 / Error
Event Submitted/Written: 03/07/2008 10:56:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-03-09 15:05:30 ------------



Edited by SeniorChief, 09 March 2008 - 01:16 PM.

  • 0

#29
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Well Edward, the war is over! :)

Just some cleaning up to do and you are good to go.

Please uninstall the following programs:


µTorrent
Logitech Desktop Messenger

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
Note that Logitech Desktop Messenger is a legitimate program, but it uses a lot of resources and does very little other than slow your computer. If you want to keep it, you can.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The next thing we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's reset and re-enable your System Restore to remove the infected files that have been backed up by Windows and were reported by F-Secure. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 4). Once downloaded, install it and then reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting all of them, and running each at least once a month. Note that you may already have some of these.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
  • 0
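The System Restore, hidden-files, Automatic Updates and Java steps in RatHat's post above are all Windows dialogs that end up writing registry values. As an added example, not part of the thread and not code from DSS, OTMoveIt or any other tool mentioned in it, the following Windows PowerShell script reads those same values so the result of the manual steps can be verified, or re-checked later, without clicking through each dialog. It assumes Windows PowerShell is installed (on Windows XP it was a separate download) and that it runs under the user account whose Explorer settings are being checked; the `AUOptions` value it reads is the one the DSS "Security Center" section reports on.

```powershell
# Added example, not code from the thread or from DSS/OTMoveIt.
# Audits the registry values behind the manual XP hardening steps in the post:
# hidden/system files, Automatic Updates and System Restore, then lists the
# installed Java runtimes so older ones can be uninstalled.
# Assumes Windows PowerShell is installed and the script runs as the user
# whose Explorer settings are to be checked.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$checks = @(
    @{ Name     = 'Explorer: hidden files and folders not shown'
       Path     = $explorer
       Value    = 'Hidden'
       Expected = 2 },   # 1 = show hidden files, 2 = do not show them
    @{ Name     = 'Explorer: protected operating system files hidden'
       Path     = $explorer
       Value    = 'ShowSuperHidden'
       Expected = 0 },   # 0 = hide protected OS files, 1 = show them
    @{ Name     = 'Automatic Updates: download and install on schedule'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
       Value    = 'AUOptions'
       Expected = 4 },   # 4 = "Automatic (recommended)" in the XP dialog
    @{ Name     = 'System Restore turned on'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
       Value    = 'DisableSR'
       Expected = 0 }    # 1 = System Restore turned off
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent, so a
    # missing setting shows up in the report rather than aborting the audit.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Value
    if ($null -eq $actual) { $shown = '(missing)' } else { $shown = $actual }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $shown
        OK       = ($actual -eq $c.Expected)
    }
}
$report | Format-Table Setting, Expected, Actual, OK -AutoSize

# Installed Java runtimes, read from the Uninstall key that Add/Remove Programs
# (and the DSS listing above) is built from. DisplayVersion sorts as text, so
# check the list by eye before removing anything.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstall |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Sort-Object DisplayVersion -Descending |
    Format-Table DisplayName, DisplayVersion, UninstallString -AutoSize
```

Run it from an administrator session so the HKLM keys are readable. One caveat: on a domain-joined machine, an Automatic Updates policy under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` takes precedence over the per-machine `AUOptions` value this script reports, so a mismatch there is not necessarily a misconfiguration.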

#30
SeniorChief

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
As Senior Chief, Gunnery Sergeant Edward Turner of the U.S. 25th infantry division military, I salute you Mr. RatHat for your warm-hearted acts of kindness.

This is probably one of the nicest communities that I have ever been involved in, in a long time. I hope that someday this forum is recognized even more for the great services that it provides, along with the nice staff of people that help out here as well.

I can now say that I'm truly going to miss doing all of this work with you Mr. RatHat, but in the future I will most likely come to you first if I have any problems. :)

Thank you for all you've done,

SeniorChief

Edited by SeniorChief, 09 March 2008 - 02:32 PM.

  • 0





