Stubborn Vundo Infection - can anyone help? [CLOSED]


#16
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
No, this will not affect it. What we are getting rid of here is the reference to C:\WINDOWS\system32\pmnnm.dll, which is a Vundo file set to run each time you log on to your computer.

Regards,
RatHat
  • 0

#17
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
I backed up my registry successfully. I copied the code and saved as "all files". When I click on the saved code I get a "not a valid Win32 application" error.
  • 0

#18
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
OK, I have attached the reg fix below in a zip file. Can you unzip it on your desktop, then double-click FixReg.reg to run it. Allow it to merge with your registry, then OK your way out. Reboot your computer when done, and let me know if you had any problems.


  • 0

#19
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
I got the same "not a valid Win32 Application" error
  • 0

#20
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
OK, let's try this first:

Download ExpPol.zip to your desktop.

Unzip it onto your desktop; you will find two files:

swreg.exe
ExpPol.cmd

Double-click ExpPol.cmd to run it.

A Notepad file will open; post the contents in your next reply.

Regards,
RatHat
  • 0

#21
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
File: ExpPOL.cmd
Author: RatHat
SWReg: By Bobbi Flekman
Run at: 20:50:34.87
On Mon 03/17/2008

Run from C:\Documents and Settings\

----------------- Export HKCU Policies-----------------

----------------- Export HKLM Policies-----------------

-----------------EOF-----------------
  • 0
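ExpPol.cmd exports the two Policies trees because that is where an infection of this kind drops the restriction values (DisableRegistryTools, NoRun and similar) that stop a user from merging a .reg file or opening the tools needed for cleanup; an export as empty as the one above means no such restriction is in place. The PowerShell script below is an added example, not RatHat's tool and not code from this thread: it walks the same Policies trees plus the two Software\Policies\...\System keys, lists every value it finds, and flags the value names known to lock the user out of admin tooling. The list of names to flag is this example's own assumption and is not exhaustive; it needs PowerShell 3 or newer and makes no changes.

```powershell
# Added example: enumerate the HKCU/HKLM Policies keys (what ExpPol.cmd exports)
# and flag lockout values that malware commonly sets. Read-only.

# Value names that disable admin tooling. This list is an assumption of the
# example (well-known names, not exhaustive).
$lockoutNames = @(
    'DisableRegistryTools', 'DisableTaskMgr', 'DisableCMD',
    'NoRun', 'NoFolderOptions', 'NoControlPanel', 'NoViewContextMenu', 'NoDesktop'
)

$roots = @(
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies',
    'Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System',   # DisableCMD lives here
    'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System'
)

function Get-PolicyValues {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key     = $key.Name
                    Name    = $name
                    Value   = $key.GetValue($name)
                    Lockout = ($lockoutNames -contains $name)
                }
            }
        }
    }
}

$values = @(Get-PolicyValues -Roots $roots)
if ($values.Count -eq 0) {
    'No values under the Policies trees (matches an empty ExpPol export).'
} else {
    $values | Sort-Object Lockout -Descending | Format-Table -AutoSize
    $hits = @($values | Where-Object { $_.Lockout -and $_.Value -ne 0 })
    if ($hits.Count -gt 0) {
        'WARNING: {0} lockout value(s) are set; clear them (Remove-ItemProperty) or merge a .reg that deletes them.' -f $hits.Count
    }
}
```

Legitimate entries show up too (the DSS log above shows InstallVisualStyle and InstallTheme under Policies\System, which are Dell's theme settings), so read the table rather than deleting everything it lists; only the rows flagged Lockout with a non-zero value block cleanup.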

#22
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Please download DAFT and save it to your Desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries in case they appear:
    • .reg
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt
  • I'll need that log later.
If everything is OK again, it should display the "all associations ok" message.

Try double-clicking FixReg.reg again and let me know what happens.
  • 0
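A "not a valid Win32 application" error on a .reg file, cleared by an association repair, is consistent with the .reg file type's shell association having been broken so that Windows tried to execute the file instead of handing it to regedit. The PowerShell script below is an added example, not DAFT and not code from this thread: it compares the extension-to-ProgId mapping and the open command for the file types a cleanup depends on (.reg, .exe, .cmd, .bat) against the stock Windows values, and with -Repair writes those values back. The table of expected values is the example's own; the entries in it are the standard defaults Windows ships with. Run it from an elevated prompt if you intend to repair, since HKEY_CLASSES_ROOT is machine-wide.

```powershell
# Added example: audit (and optionally restore) the shell associations behind
# .reg, .exe, .cmd and .bat. Writing to HKEY_CLASSES_ROOT needs an elevated prompt.
param([switch]$Repair)

# Stock Windows values for each file type: extension -> ProgId -> open command.
# The table is this example's own; the values are the normal OS defaults.
$expected = @(
    @{ Ext = '.reg'; ProgId = 'regfile'; Command = 'regedit.exe "%1"' },
    @{ Ext = '.exe'; ProgId = 'exefile'; Command = '"%1" %*' },
    @{ Ext = '.cmd'; ProgId = 'cmdfile'; Command = '"%1" %*' },
    @{ Ext = '.bat'; ProgId = 'batfile'; Command = '"%1" %*' }
)

function Get-DefaultValue([string]$KeyPath) {
    # The "(default)" value of a key, or $null when the key or the value is missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
}

function Set-DefaultValue([string]$KeyPath, [string]$Value) {
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -LiteralPath $KeyPath -Name '(default)' -Value $Value
}

$broken = 0
foreach ($e in $expected) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$($e.Ext)"
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($e.ProgId)\shell\open\command"
    $progId  = Get-DefaultValue $extKey
    $command = Get-DefaultValue $cmdKey

    # Anything other than the stock mapping is reported. A hijacked entry typically
    # points at another program, or drops "%1" so the data file itself gets executed.
    $extOk = ($progId -eq $e.ProgId)
    $cmdOk = ($command -eq $e.Command)
    $extState = if ($extOk) { 'ok' } else { 'BAD' }
    $cmdState = if ($cmdOk) { 'ok' } else { 'BAD' }
    '{0,-5} ProgId={1,-8} [{2,-3}]  open={3,-22} [{4,-3}]' -f $e.Ext, $progId, $extState, $command, $cmdState

    if ($extOk -and $cmdOk) { continue }
    $broken++
    if ($Repair) {
        if (-not $extOk) { Set-DefaultValue $extKey $e.ProgId }
        if (-not $cmdOk) { Set-DefaultValue $cmdKey $e.Command }
        "  restored $($e.Ext) to the stock association"
    }
}

if ($broken -eq 0) { 'All associations ok.' }
elseif (-not $Repair) { "$broken association(s) differ from the stock values; rerun with -Repair from an elevated prompt to restore them." }
```

HKEY_CLASSES_ROOT is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user hijack is caught as well. On Vista and later there is one more layer this script does not check: a per-user override under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice takes precedence over HKCR.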

#23
Charger1640
    Member
  • Topic Starter
  • Member
  • 15 posts
That made it work

Here is a fresh DSS Log:

Deckard's System Scanner v20071014.68
Run by Mark ****** on 2008-03-17 21:32:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mark ******.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:08 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark ******\Desktop\gtg\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MARKHO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ****** Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14743 bytes

-- Files created between 2008-02-17 and 2008-03-17 -----------------------------

2008-03-16 08:58:04 168 -r-hs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-03-15 13:17:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 12:39:08 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Malwarebytes
2008-03-15 12:38:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 12:38:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files\Authentium
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\Mark ******\Application Data\iolo
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-13 14:54:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-13 10:05:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Program Files\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-13 00:52:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-12 19:44:25 0 d-------- C:\VundoFix Backups
2008-03-10 21:07:30 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Symantec
2008-03-10 20:56:31 0 d-------- C:\Program Files\Windows Sidebar
2008-03-10 20:52:03 0 d-------- C:\Program Files\Norton Internet Security
2008-03-10 20:37:53 0 d-------- C:\Program Files\Symantec
2008-03-10 20:37:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 19:01:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 22:48:11 0 d-------- C:\WTablet
2008-03-09 22:42:14 0 d-------- C:\WINDOWS\system32\New Folder
2008-03-09 19:03:15 0 d-------- C:\Temp
2008-03-09 04:01:24 0 d-------- C:\Program Files\MSXML 6.0
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-08 10:48:42 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\E447EDAD8A.sys
2008-03-08 10:46:48 0 d-------- C:\Program Files\Common Files\Protexis
2008-03-08 10:39:31 0 d-------- C:\Program Files\Common Files\Corel
2008-02-28 07:16:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-27 17:05:18 0 d-------- C:\Documents and Settings\Mark ******\Application Data\WTablet
2008-02-27 17:03:10 0 d-------- C:\WINDOWS\system32\WTablet
2008-02-27 17:03:04 0 d-------- C:\Program Files\Tablet
2008-02-24 17:44:59 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-24 17:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 09:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-02-24 09:24:46 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-02-24 09:24:46 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-02-24 09:24:46 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-02-24 09:24:46 188416 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-02-24 09:24:46 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-02-24 09:24:46 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-02-24 09:24:46 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-02-24 09:24:45 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-02-24 09:24:45 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-02-24 09:24:45 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-02-24 09:24:45 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-02-24 09:24:45 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-02-24 09:24:45 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-02-24 09:24:45 163840 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-02-24 09:24:45 94208 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-02-24 09:24:45 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-02-24 09:24:45 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-02-24 09:24:45 487424 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-02-24 09:24:44 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-24 09:24:05 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-02-24 09:24:05 0 d-------- C:\Program Files\MAGIX
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-24 09:23:09 0 d-------- C:\WINDOWS\system32\MAGIX
2008-02-23 12:43:30 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-03-17 18:29:14 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Newsbin
2008-03-16 15:26:00 0 d-------- C:\Program Files\Employee Scheduling
2008-03-16 09:18:41 22370 --a------ C:\Documents and Settings\Mark ******\Application Data\wklnhst.dat
2008-03-14 20:39:14 0 d-------- C:\Program Files\Trend Micro
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:13 0 d-------- C:\Program Files\Creative
2008-03-13 00:06:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 00:03:20 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Real
2008-03-08 10:48:44 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Corel
2008-03-01 01:32:57 0 d-------- C:\Program Files\Online Services
2008-03-01 01:27:50 0 d-------- C:\Program Files\Dell
2008-03-01 01:27:16 0 d-------- C:\Program Files\EA SPORTS
2008-03-01 01:25:18 0 d-------- C:\Program Files\Azureus
2008-02-29 16:02:38 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:54:51 0 d-------- C:\Program Files\MasqueGames
2008-02-29 15:54:00 0 d-------- C:\Program Files\America's Army
2008-02-29 15:53:52 0 d-------- C:\Program Files\America's Army Server Manager
2008-02-27 17:26:26 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Apple Computer
2008-02-23 12:46:53 0 d-------- C:\Program Files\iTunes
2008-02-23 12:35:30 0 d-------- C:\Program Files\QuickTime
2008-02-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 16:21:37 0 d-------- C:\Program Files\D-Link Media Server
2008-02-08 15:55:14 0 d-------- C:\Documents and Settings\Mark ******\Application Data\ZoomBrowser EX
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 15:40:49 0 d-------- C:\Program Files\Canon
2008-02-08 15:35:54 0 d-------- C:\Program Files\Common Files\Canon
2008-02-08 10:13:19 0 d-------- C:\Program Files\Quicken
2008-02-08 10:10:27 0 d-------- C:\Program Files\TurboTax
2008-02-02 11:33:19 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Intuit
2008-02-02 11:25:32 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 08:34:02 0 d-------- C:\Documents and Settings\Mark ******\Application Data\AKVIS LLC
2008-02-02 08:01:30 0 d-------- C:\Program Files\AKVIS
2008-02-01 22:36:49 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Azureus
2008-01-18 23:01:52 763 --a------ C:\WINDOWS\eReg.dat
2008-01-18 20:56:58 0 d-------- C:\Program Files\EA GAMES
2008-01-18 01:07:05 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-18 01:03:20 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 22:00:28 0 d-------- C:\Program Files\Game Elements
2007-12-20 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/10/2008 09:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 04:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 11:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 10:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"BuildBU"="c:\dell\bldbubg.exe" [01/18/2006 11:47 AM]
"@"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [11/01/2006 01:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 08:23 PM]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [12/20/2006 01:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/18/2007 05:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/27/2006 12:54:24 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/24/2006 7:00:06 PM]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-17 21:33:52 ------------
  • 0

#24
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
OK, that's good! Now I need you to run a small command script. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

@echo off
rem List everything under C:\System32 (a folder at the root of C:, not the real C:\WINDOWS\system32)
rem and open the listing in Notepad. ">>" appends, so delete an old C:\DirLook.txt first if one exists.
Dir /s C:\System32 >> C:\DirLook.txt
start Notepad C:\DirLook.txt
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as Script.cmd using Save as Type: All files
  • Locate Script.cmd on your desktop
  • Double-click to run.

When the Notepad file opens, please copy and paste the contents here.

#25 Charger1640 (Topic Starter, Member, 15 posts)
Volume in drive C has no label.
Volume Serial Number is F042-919A

Directory of C:\System32

03/12/2008 08:55 PM <DIR> .
03/12/2008 08:55 PM <DIR> ..
03/12/2008 08:55 PM 130 Tablet.dat
1 File(s) 130 bytes

Total Files Listed:
1 File(s) 130 bytes
2 Dir(s) 57,861,582,848 bytes free

#26 RatHat (Ex Malware Expert, 7,829 posts)
Do you use a Wacom Tablet? One of these models maybe: PenPartner, ArtPad, Graphire, Graphire2, Graphire3, ArtZ, Intuos, Intuos2, Intuos3, Cintiq 18SX, Cintiq 17SX, Cintiq 21UX, PL Series

I need you to run another small registry script. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot.

If you don't have a Wacom tablet, please upload Tablet.dat to Jotti for analysis:

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\System32\Tablet.dat
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
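
Where the registry fix above comes from, as an added example (not part of the original post, not DSS's own code and not a tool the helper used): a Python script that reads the DSS Registry Dump, picks out every per-volume MountPoints2 key that carries a cached AutoRun\command, and writes the same REGEDIT4 deletion script by machine. The dump layout (a [KEY] header followed by one value per line) is assumed from the lines quoted in the log earlier in this thread; the second MountPoints2 entry in the sample is constructed to show several keys being handled. The script removes only the cached pointer, not any file on the volume it points to.

```python
r"""Build the REGEDIT4 fix above from a Deckard's System Scanner (DSS) registry dump.

Added example for this thread: not DSS's own code and not a tool the helper used.
Assumed dump layout (taken from the log above): a [KEY] header, then one value
per line, either regedit style ('@="Service"') or DSS style
('AutoRun\command- E:\setup.exe'); a blank line ends the block.
"""
import re

KEY_RE = re.compile(r"^\[-?(HKEY_[^\]]+)\]$")

# Constructed sample: the MountPoints2 block from the log above, plus a second,
# made-up volume entry so the script is seen handling more than one key.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
AutoRun\command- F:\start.exe

*Newly Created Service* - COMHOST
"""


def parse_dss_registry_dump(text):
    """Return {key: {value_name: data}} for every [KEY] block in the dump."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line closes the current block
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        if current is None:                # free text between blocks, e.g. '*Newly Created Service*'
            continue
        if "=" in line:                    # regedit style: name=data
            name, _, data = line.partition("=")
        elif "- " in line:                 # DSS style: name- data
            name, _, data = line.partition("- ")
        else:
            continue
        entries[current][name.strip().strip('"')] = data.strip()
    return entries


def mountpoint_autoruns(entries):
    r"""(key, command) for each per-volume MountPoints2 key holding a cached AutoRun\command.

    Explorer caches the autorun.inf command of every volume it has mounted under
    MountPoints2\{volume GUID}, so the entry outlives the disc or stick it came from.
    """
    hits = []
    for key, values in entries.items():
        if "\\mountpoints2\\{" not in key.lower():
            continue
        for name, data in values.items():
            if name.lower() == "autorun\\command":
                hits.append((key, data))
    return hits


def build_fix_reg(keys):
    """REGEDIT4 script that deletes each key.

    The '-' straight after '[' is the whole fix: the same line without it would
    (re)create the key.  REGEDIT4 files are ANSI text with CRLF line ends.
    """
    out = ["REGEDIT4", ""]
    for key in keys:
        out += ["[-" + key + "]", ""]
    return "\r\n".join(out)


if __name__ == "__main__":
    hits = mountpoint_autoruns(parse_dss_registry_dump(SAMPLE_DUMP))
    for key, command in hits:
        print("cached autorun:", command, "in", key.rsplit("\\", 1)[-1])
    print(build_fix_reg([key for key, _ in hits]), end="")
```

Save the output as an ANSI (not UTF-16) file with CRLF line ends; the REGEDIT4 header is what tells regedit to expect that encoding. Double-clicking the file does the merge, exactly as in the instructions above.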


#27 Charger1640 (Topic Starter, Member, 15 posts)
Yes, I have a Wacom Tablet - Intuos 3

I ran your latest reg mod and rebooted. Here is a fresh DSS scan if you need it:

Deckard's System Scanner v20071014.68
Run by Mark ****** on 2008-03-17 22:39:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mark ******.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:18 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\MARKHO~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mark ******\Desktop\gtg\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MARKHO~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ****** Internet Productions
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] "C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.xara.com
O15 - Trusted Zone: *.xaraonline.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.aka...vex-2.0.4.4.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138114010296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142794898406
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - K:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 14742 bytes

-- Files created between 2008-02-17 and 2008-03-17 -----------------------------

2008-03-16 08:58:04 168 -r-hs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-03-15 13:17:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 12:39:08 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Malwarebytes
2008-03-15 12:38:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-15 12:38:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files\Authentium
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\Mark ******\Application Data\iolo
2008-03-13 15:33:37 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-03-13 14:54:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-13 10:05:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Program Files\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Webroot
2008-03-13 10:04:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-13 00:52:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-12 19:44:25 0 d-------- C:\VundoFix Backups
2008-03-10 21:07:30 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Symantec
2008-03-10 20:56:31 0 d-------- C:\Program Files\Windows Sidebar
2008-03-10 20:52:03 0 d-------- C:\Program Files\Norton Internet Security
2008-03-10 20:37:53 0 d-------- C:\Program Files\Symantec
2008-03-10 20:37:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-10 19:01:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 22:48:11 0 d-------- C:\WTablet
2008-03-09 22:42:14 0 d-------- C:\WINDOWS\system32\New Folder
2008-03-09 19:03:15 0 d-------- C:\Temp
2008-03-09 04:01:24 0 d-------- C:\Program Files\MSXML 6.0
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-03-08 10:48:42 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\E447EDAD8A.sys
2008-03-08 10:46:48 0 d-------- C:\Program Files\Common Files\Protexis
2008-03-08 10:39:31 0 d-------- C:\Program Files\Common Files\Corel
2008-02-28 07:16:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
2008-02-27 17:05:18 0 d-------- C:\Documents and Settings\Mark ******\Application Data\WTablet
2008-02-27 17:03:10 0 d-------- C:\WINDOWS\system32\WTablet
2008-02-27 17:03:04 0 d-------- C:\Program Files\Tablet
2008-02-24 17:44:59 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-24 17:41:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 09:24:57 0 d-------- C:\Documents and Settings\All Users\Application Data\MAGIX
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTIC32.dll <Not Verified; PoINT Software & Systems GmbH; TTIC32>
2008-02-24 09:24:46 24576 --a------ C:\WINDOWS\system32\TTI32.dll <Not Verified; PoINT Software & Systems GmbH; TTI32>
2008-02-24 09:24:46 32768 --a------ C:\WINDOWS\system32\STRING32.dll <Not Verified; PoINT Software & Systems GmbH; STRING32>
2008-02-24 09:24:46 430080 --a------ C:\WINDOWS\system32\MXRestore.exe <Not Verified; MAGIX AG; MAGIX Restore>
2008-02-24 09:24:46 57344 --a------ C:\WINDOWS\system32\DLLTPO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLTPO32>
2008-02-24 09:24:46 188416 --a------ C:\WINDOWS\system32\DLLRES32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRES32>
2008-02-24 09:24:46 40960 --a------ C:\WINDOWS\system32\DLLRD32.dll <Not Verified; PoINT Software & Systems GmbH; DLLRD32>
2008-02-24 09:24:46 65536 --a------ C:\WINDOWS\system32\DLLPTL32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPTL32>
2008-02-24 09:24:46 53248 --a------ C:\WINDOWS\system32\DLLPRJ32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRJ32>
2008-02-24 09:24:45 49152 --a------ C:\WINDOWS\system32\DLLPRF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPRF32>
2008-02-24 09:24:45 36864 --a------ C:\WINDOWS\system32\DLLPNT32.dll <Not Verified; PoINT Software & Systems GmbH; DLLPNT32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLMSC32.dll <Not Verified; PoINT Software & Systems GmbH; DLLMSC32>
2008-02-24 09:24:45 24576 --a------ C:\WINDOWS\system32\DLLIX.dll <Not Verified; PoINT Software & Systems GmbH; DLLIX>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLISO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLISO32>
2008-02-24 09:24:45 53248 --a------ C:\WINDOWS\system32\DLLIO32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIO32>
2008-02-24 09:24:45 45056 --a------ C:\WINDOWS\system32\DLLIMG32.dll <Not Verified; PoINT Software & Systems GmbH; DLLIMG32>
2008-02-24 09:24:45 151552 --a------ C:\WINDOWS\system32\DLLDRV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDRV32>
2008-02-24 09:24:45 32768 --a------ C:\WINDOWS\system32\DLLDIR32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDIR32>
2008-02-24 09:24:45 163840 --a------ C:\WINDOWS\system32\DLLDEV32.dll <Not Verified; PoINT Software & Systems GmbH; DLLDEV32>
2008-02-24 09:24:45 94208 --a------ C:\WINDOWS\system32\DLLCPY32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCPY32>
2008-02-24 09:24:45 61440 --a------ C:\WINDOWS\system32\DLLCDF32.dll <Not Verified; PoINT Software & Systems GmbH; DLLCDF32>
2008-02-24 09:24:45 114688 --a------ C:\WINDOWS\system32\DLLCDA32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CDarchive for Windows>
2008-02-24 09:24:45 487424 --a------ C:\WINDOWS\system32\DLLAV32.dll <Not Verified; PoINT Software & Systems GmbH; PoINT CD/DVD Audio/Video SDK for Windows>
2008-02-24 09:24:44 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-24 09:24:05 120200 --a------ C:\WINDOWS\system32\DLLDEV32i.dll <Not Verified; ; DLLDEV32i>
2008-02-24 09:24:05 0 d-------- C:\Program Files\MAGIX
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-24 09:23:09 0 d-------- C:\WINDOWS\system32\MAGIX
2008-02-23 12:43:30 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-03-17 18:29:14 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Newsbin
2008-03-16 15:26:00 0 d-------- C:\Program Files\Employee Scheduling
2008-03-16 09:18:41 22370 --a------ C:\Documents and Settings\Mark ******\Application Data\wklnhst.dat
2008-03-14 20:39:14 0 d-------- C:\Program Files\Trend Micro
2008-03-13 15:34:41 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:13 0 d-------- C:\Program Files\Creative
2008-03-13 00:06:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-13 00:03:20 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Real
2008-03-08 10:48:44 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Corel
2008-03-01 01:32:57 0 d-------- C:\Program Files\Online Services
2008-03-01 01:27:50 0 d-------- C:\Program Files\Dell
2008-03-01 01:27:16 0 d-------- C:\Program Files\EA SPORTS
2008-03-01 01:25:18 0 d-------- C:\Program Files\Azureus
2008-02-29 16:02:38 0 d-------- C:\Program Files\Microsoft Works
2008-02-29 15:54:51 0 d-------- C:\Program Files\MasqueGames
2008-02-29 15:54:00 0 d-------- C:\Program Files\America's Army
2008-02-29 15:53:52 0 d-------- C:\Program Files\America's Army Server Manager
2008-02-27 17:26:26 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Apple Computer
2008-02-23 12:46:53 0 d-------- C:\Program Files\iTunes
2008-02-23 12:35:30 0 d-------- C:\Program Files\QuickTime
2008-02-10 08:42:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-09 16:21:37 0 d-------- C:\Program Files\D-Link Media Server
2008-02-08 15:55:14 0 d-------- C:\Documents and Settings\Mark ******\Application Data\ZoomBrowser EX
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 15:40:49 0 d-------- C:\Program Files\Canon
2008-02-08 15:35:54 0 d-------- C:\Program Files\Common Files\Canon
2008-02-08 10:13:19 0 d-------- C:\Program Files\Quicken
2008-02-08 10:10:27 0 d-------- C:\Program Files\TurboTax
2008-02-02 11:33:19 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Intuit
2008-02-02 11:25:32 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-02 08:34:02 0 d-------- C:\Documents and Settings\Mark ******\Application Data\AKVIS LLC
2008-02-02 08:01:30 0 d-------- C:\Program Files\AKVIS
2008-02-01 22:36:49 0 d-------- C:\Documents and Settings\Mark ******\Application Data\Azureus
2008-01-18 23:01:52 763 --a------ C:\WINDOWS\eReg.dat
2008-01-18 20:56:58 0 d-------- C:\Program Files\EA GAMES
2008-01-18 01:07:05 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-01-18 01:03:20 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 22:00:28 0 d-------- C:\Program Files\Game Elements
2007-12-20 22:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/10/2008 09:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 04:01 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 11:05 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [09/15/2005 11:47 AM]
"MBMon"="CTMBHA.DLL" [05/19/2005 10:54 AM C:\WINDOWS\system32\CTMBHA.DLL]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 06:30 PM]
"BuildBU"="c:\dell\bldbubg.exe" [01/18/2006 11:47 AM]
"@"="" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [05/25/2005 10:35 AM]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [11/01/2006 01:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/25/2007 12:53 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/01/2008 12:13 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [12/02/2004 08:23 PM]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [12/20/2006 01:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/18/2007 05:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/27/2006 12:54:24 PM]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/24/2006 7:00:06 PM]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [6/9/2004 2:16:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-03-17 22:39:58 ------------
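
Reading a DSS "Files created" listing by eye is the part that takes experience. As an added example (not part of the original post, not DSS's own code and not anything the helper ran), here is a Python triage pass over lines copied from the log above. It applies a handful of checks a reviewer makes: hidden+system files, binaries DSS tagged <Not Verified>, names made only of hex digits, a folder that borrows a system folder's name outside %SystemRoot% (the thread's C:\System32), and anything created at the drive root. Its assumptions are listed in the docstring. Every hit is a prompt to look closer, not a verdict: the two hidden .sys files it flags were created within two minutes of the Common Files\Protexis and Common Files\Corel folders in the same listing, and that sort of context is what clears a hit once the file is checked against its vendor.

```python
r"""Triage the "Files created between ..." section of a Deckard's System
Scanner (DSS) log: flag entries worth a second look.

Added example for this thread; not DSS's own code and not something the
helper ran.  Assumptions: the 9-character attribute string is read as
d(irectory) r(ead-only) a(rchive) h(idden) s(ystem) in positions 0-4 (this
agrees with every entry in the log above, e.g. 'd--h-----' for a hidden
folder); the '<Not Verified; ...>' tag is taken to mean the binary's
publisher could not be verified; WINDIR is fixed to C:\WINDOWS instead of
being read from %SystemRoot%.  Every flag is a prompt, not a verdict.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "when size attrs path verify")

LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[d-][r-][a-][h-][s-]\S*)\s+"
    r"(?P<path>.+?)(?:\s+<(?P<verify>[^>]*)>)?\s*$"
)
BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}$")
SYSTEM_DIR_NAMES = {"windows", "system", "system32", "syswow64"}
WINDIR = r"C:\WINDOWS"  # assumption; on a live box read %SystemRoot%

# Constructed sample: lines copied from the log above.
SAMPLE_LINES = r"""
2008-03-16 08:58:04 168 -r-hs---- C:\WINDOWS\system32\E447EDAD8A.sys
2008-03-15 13:17:38 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 10:02:47 164 --a------ C:\install.dat
2008-03-12 20:55:08 0 d-------- C:\System32
2008-03-12 20:50:25 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-03-08 10:48:42 2516 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-02-24 09:23:09 700416 --a------ C:\WINDOWS\system32\mgxoschk.dll <Not Verified; MAGIX AG; mgxoschk>
2008-02-08 15:41:37 0 d--h----- C:\Program Files\InstallShield Installation Information
"""


def parse_created_files(text):
    """Parse every well-formed entry; other lines (headers, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["when"], int(m["size"]), m["attrs"], m["path"], m["verify"]))
    return entries


def review_flags(entry):
    """Reasons an entry deserves a manual look; an empty list means nothing stood out."""
    reasons = []
    name = entry.path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    stem, ext = (stem, "." + ext.lower()) if dot else (name, "")
    is_dir = entry.attrs[0] == "d"
    hidden, system = entry.attrs[3] == "h", entry.attrs[4] == "s"

    if hidden and system and not is_dir:
        reasons.append("hidden+system file")
    if (not is_dir and ext in BINARY_EXT and entry.verify
            and entry.verify.lower().startswith("not verified")):
        reasons.append("unsigned binary (DSS 'Not Verified')")
    if HEX_NAME_RE.match(stem):
        reasons.append("hex-only name")
    # A folder called System32 anywhere but under %SystemRoot% is a look-alike
    # of the real one (the thread's C:\System32 is exactly this case).
    if name.lower() in SYSTEM_DIR_NAMES and not entry.path.lower().startswith(WINDIR.lower() + "\\"):
        reasons.append("system-folder name outside %SystemRoot%")
    if re.match(r"^[A-Za-z]:\\[^\\]+$", entry.path):
        reasons.append("created at drive root")
    return reasons


def triage(text):
    """[(path, reasons)] for the entries that raised at least one flag, in log order."""
    hits = []
    for entry in parse_created_files(text):
        reasons = review_flags(entry)
        if reasons:
            hits.append((entry.path, reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES):
        print(path + "\n    " + ", ".join(reasons))
```

On the sample the pass flags six of the eight lines, including the perfectly legitimate VundoFix and MAGIX binaries, which is the expected behaviour of a first-pass filter: it shrinks the list you have to check by hand rather than deciding anything for you.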

#28 RatHat (Ex Malware Expert, 7,829 posts)
Well, you are looking clean now; however, I would like to run one more scan to make sure:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient


Also let me know if you are experiencing any more problems.

Regards,
RatHat

#29 Charger1640 (Topic Starter, Member, 15 posts)
I am still unable to use Outlook Express. The program now fails to load new messages from the server and crashes if I switch folders (to other e-mail accounts). Any ideas on this one? Runtime error: program c:\program files\outlook express\msimn.exe

I'll start the final scan and check back tomorrow.

Thanks again for all your help

Charger1640

#30 RatHat (Ex Malware Expert, 7,829 posts)
Let's see if this clears the problem with Outlook Express:

Run System File Checker:

Go to Start >> Run and type in sfc /scannow and click OK.

Follow the prompts throughout the System File Checker process.

Note: You may be prompted to insert your original Windows CD, so please have this at hand.

When complete, reboot your computer, and try OE again.

Regards,
RatHat