Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help removing Blackbird Trojan & Smitfraud & others!


  • This topic is locked This topic is locked

#1
Leighwh

Leighwh

    Member

  • Member
  • PipPip
  • 23 posts
Hello, I hope you can help. My daughter's computer suddenly got sideswiped and taken over by Smitfraud, and after much cleaning with Norton AV, Spybot S&D, SmitRem, SmitFraudfix, RogueRemover, and CCCleaner, here are the problems that we can see for sure remain:

Desktop is under control of Smitfraud with blue screen and yellow message to click through to get anti-spyware.
IE remains open even under Safe mode and it seems to be communicating in the background.
TaskManager has been disabled and we can't get to it
DVD drive not operating so drivers may have been taken over or crunched, so we're unable to back up any data.
System restore points are all deleted

I'm afraid the Smitfraud click through may have occurred, as an IE window pops up occasionally pointing to an anti-spyware site.

Have run the cleaning tools repeatedly, and they report success but when rebooting Normal the blue screen is still there. Spybot claims it fixes Smitfraud and others but they're still there.

Please advise--we can pull a Hijack log but wanted to ask for best steps to follow now given everything so far. thank you so much

Edited by Leighwh, 09 April 2008 - 02:25 PM.

  • 0

Advertisements


#2
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
To help, I'm going ahead and attaching the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:11 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eqkontbh] C:\WINDOWS\system32\itclclex.exe
O4 - HKLM\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
O4 - HKCU\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13911 bytes
  • 0

#3
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Leighwh, and welcome to Geeks to Go! I'm Fredil. I'm currently reading over your log right now and I'll do my best to try to get your system clean :)

We're sorry about the delay, we do our best to get every log that passes through but some inevitably leak through the cracks because there are so many! Thanks for posting in the waiting room :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert. We'll get your problem solved eventually though :)

Edited by Fredil Yupigo, 13 April 2008 - 08:55 AM.

  • 0

#4
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Leighwh, don't know what you did to that box of yours :) Let's get started!

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Run ComboFix
------------------------------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open internet browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#5
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hello Fredil, thank so much for your advice. Here is the ComboFix log, and the HiJack log will follow:

ComboFix 08-04-13.3 - Shannon Healy 2008-04-14 6:53:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.486 [GMT -4:00]
Running from: C:\Documents and Settings\Shannon Healy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\PC-Cleaner
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\ictions.dll
C:\WINDOWS\Installer\id53.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\textos.txt
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 16:38 . 2008-04-09 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 16:30 . 2008-04-09 16:31 <DIR> d-------- C:\Program Files\Hijack
2008-04-08 20:02 . 2008-04-08 20:02 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 20:01 . 2008-04-08 20:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-08 18:20 . 2008-04-08 18:20 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-08 17:46 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\HijackThis.exe
2008-04-08 17:25 . 2008-04-08 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-08 17:08 . 2008-04-08 17:08 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-08 17:08 . 2008-04-08 17:09 <DIR> d-------- C:\Program Files\CCleaner
2008-04-08 17:07 . 2008-04-08 18:05 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-08 17:03 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-08 17:03 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-08 17:03 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-08 17:03 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-08 17:03 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-08 17:03 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-08 17:03 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-08 17:03 . 2008-04-08 17:05 4,118 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 16:28 . 2008-04-08 16:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-06 15:04 . 2008-04-06 15:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-06 15:04 . 2008-04-06 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 12:14 . 2008-04-06 13:17 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-06 12:14 . 2008-04-06 13:17 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-06 11:57 . 2008-04-10 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\edkpezen
2008-04-06 11:55 . 2008-04-06 11:55 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 11:55 . 2008-04-06 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 11:44 . 2008-04-06 14:56 <DIR> d-------- C:\Program Files\Bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 10:45 --------- d-----w C:\Documents and Settings\Shannon Healy\Application Data\WTablet
2008-04-10 12:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-04-08 22:08 --------- d-----w C:\Program Files\HP
2008-04-08 22:08 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-08 21:46 13,739 ----a-w C:\Program Files\hijackthis.log
2008-04-06 17:44 --------- d-----w C:\Program Files\Norton Internet Security
2008-04-06 17:17 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-06 17:17 --------- d-----w C:\Program Files\Symantec
2008-03-31 03:01 --------- d-----w C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar
2008-03-17 15:24 --------- d-----w C:\Documents and Settings\Shannon Healy\Application Data\LimeWire
2008-03-14 19:21 --------- d-----w C:\Program Files\LimeWire
2008-02-19 23:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-19 23:07 --------- d-----w C:\Program Files\Netflix
2005-09-24 08:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-07-07 20:16 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( [email protected]_17.24.40.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 10:44:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-08-12 01:36:16 2,048 ------w C:\WINDOWS\CREATOR\MSCDBL.BIN
+ 2008-04-08 22:08:31 689,456 ----a-r C:\WINDOWS\Installer\{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
+ 2004-08-04 08:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 08:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 08:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 08:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2004-08-04 08:00:00 1,788 ----a-w C:\WINDOWS\system32\Dcache.bin
- 2007-12-07 01:07:12 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-26 17:37:10 148,480 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
+ 2004-08-04 07:07:58 2,944 ----a-w C:\WINDOWS\system32\dllcache\drmkaud.sys
- 2007-12-07 01:07:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-06 13:07:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-02-15 09:23:37 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-12-07 01:07:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 14:37:14 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 01:07:13 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-18 14:40:58 417,792 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 01:07:14 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-04 08:00:00 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
+ 2004-08-04 07:07:58 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 08:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-12-26 22:41:53 254,272 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-09 18:16:45 254,272 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-06-19 13:31:19 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2004-08-04 08:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2004-08-04 08:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 08:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 02:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2004-08-04 08:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
+ 2005-10-11 09:27:00 1,778 ----a-w C:\WINDOWS\system32\pcintro\laptop.bat
- 2008-04-08 21:19:37 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-14 10:49:33 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-08 21:19:37 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-14 10:49:33 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2004-08-04 08:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 08:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2004-08-04 08:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
- 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
- 2007-12-07 01:07:14 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2004-08-04 08:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 08:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 08:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08 67160]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 14:34 68856]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"eqkontbh"="C:\WINDOWS\system32\itclclex.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-02 19:25 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-02 19:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-02 19:26 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-11-22 15:55 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DetectorApp"="C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 10:15 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 03:04 761945]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 12:30 503808]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 17:22 53096]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 15:39 94208]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 14:56 409600]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-05-18 14:29 233534]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 14:23 1187840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 17:03 36975]
"HostManager"="C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe" [2005-08-02 15:33 159832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"zango"="c:\program files\zango\zango.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 05:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mv1EMl2DnF"= C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mv1EMl2DnF"= C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1152635987\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 16:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-08 01:00:26 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Shannon Healy.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 06:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????1?0?6?7??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 6:56:58
ComboFix-quarantined-files.txt 2008-04-14 10:56:48
ComboFix2.txt 2008-04-08 23:02:08
ComboFix3.txt 2008-04-08 21:58:09
ComboFix4.txt 2008-04-08 21:25:01

Pre-Run: 38,545,981,440 bytes free
Post-Run: 38,533,697,536 bytes free
.
2008-04-09 00:03:39 --- E O F ---
  • 0

#6
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:34 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLServiceHost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eqkontbh] C:\WINDOWS\system32\itclclex.exe
O4 - HKLM\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
O4 - HKCU\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13878 bytes
  • 0

#7
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear Fredil,

I'm happy to report some progress--Task Manager is now operating again, and while the blue desktop remains, the yellow fake warning about anti-malware has disappeared from the middle of the desktop screen. I'll await further instructions. Many thanks.
  • 0

#8
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Leighwh, sorry to keep you waiting. That's good news indeed, can you change your Desktop now that the obnoxious warning is gone?

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. P2P
------------------------------------------------

I see you are using P2P file-transfer programs. Although the programs themselves (e.g. LimeWire, BitComet) are legal, most people are not so nice and use them for illegal purposes. Many of the files these programs download are infected with malware. Due to this, it would be best if you removed any P2P programs from your computer.

2. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present, sorry, I know they're a lot).

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [eqkontbh] C:\WINDOWS\system32\itclclex.exe
O4 - HKLM\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
O4 - HKCU\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

3. Clean Temporary Files
------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4. Run a ComboFix Script
------------------------------------------------

1. Please open a blank Notepad document.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Bat
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\edkpezen
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar

DirLook::
C:\WINDOWS\system32\NtmsData


3. Go to File > Save As. Save the file name as CFScript and make sure "Text Documents (*.txt)" is selected in "Save as type". Save it to where you saved Combofix.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. If it asks you to reboot, let it reboot. Either way, a Combofix log will be made. Post that in your next reply.

5. Scan with SmitFraudFix
------------------------------------------------

If you haven't already, please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

6. Update Java
------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
In your next post
------------------------------------------------

  • HijackThis log
  • ComboFix log
  • SmitFraudFix log

  • 0

#9
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Dear Fredil, thanks so much for your help thus far. We've run all the fixes and are attaching here the logs--it may take more than 1 post as the ComboFix log is quite long. Note that, yes, it is now possible to change the desktop and Task Manager is still accessible. The following as requested are SmitFraudFix, ComboFix, and HiJackThis logs. Will await further instructions based on what you see here. thanks so much--

SmitFraudFix v2.309

Scan done at 11:31:30.39, Sun 04/20/2008
Run from C:\Documents and Settings\Shannon Healy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shannon Healy


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Shannon Healy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SHANNO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\Userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C1FDCB78-5D71-482D-AA27-1A0A0C90627D}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C1FDCB78-5D71-482D-AA27-1A0A0C90627D}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C1FDCB78-5D71-482D-AA27-1A0A0C90627D}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#10
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here's HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:53 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Common Files\AOL\1152635987\ee\AOLServiceHost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12032 bytes
  • 0

Advertisements


#11
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here's ComboFix log, which had to be attached because it's too large. We're not aware of P2P apps on here so didn't see any to remove as programs. Will await your further instructions. thanks -- Leighwh

Sorry upload failed--too large--turns out it's 90 MB! Here's a sample of it--what should I do next?

ComboFix 08-04-13.3 - Shannon Healy 2008-04-20 11:03:09.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.410 [GMT -4:00]
Running from: C:\Documents and Settings\Shannon Healy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shannon Healy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\edkpezen
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\eskin\empty_bg_st.htm
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\eskin\FileManager.txt
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1000.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1000030.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1000279.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1001438.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1001517.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1001823.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1002431.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1002604.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1003320.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\100367.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1003768.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\10050.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1005148.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1005309.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1005480.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1006428.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1007359.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1009842.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\100988.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1009881.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\100998.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1012167.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1013110.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1013992.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1015189.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1016481.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1017134.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1017245.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1017873.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1018199.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1018523.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1018716.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1019337.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1019490.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1019962.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1020167.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1020601.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1021342.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1022703.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1023122.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1023230.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1023592.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1024439.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1024624.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1024727.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1025168.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1025206.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1025889.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1026236.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1026995.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\102878.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1028961.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1029191.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1030933.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\103135.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1031355.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1033189.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1033908.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\103601.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1036284.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1037132.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1037308.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\103778.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\10393.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1040556.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1041790.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1042547.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1043217.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1043399.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1044959.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1045744.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1045818.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1046400.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1046531.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1048757.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1048825.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1049246.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1050032.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1050269.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1050281.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1050860.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1051222.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1052460.sdf
C:\Documents and Settings\Shannon Healy\Application Data\ZangoToolbar\v3.0\ZangoToolbar\dynamic\1052703.sdf
C:\Documents and Settin

Edited by Leighwh, 20 April 2008 - 10:22 AM.

  • 0

#12
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Leighwh, I think ComboFix kinda went nuts on every piece of malware in your computer, which is probably a good thing :)

1. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

2. Make Batch File
------------------------------------------------

Please open a blank Notepad document. Copy and paste everything in the codebox below into the blank document:

@ECHO OFF
dir C:\WINDOWS\system32\NtmsData>C:\log.txt
start C:\log.txt
DEL peek.bat

Go to File > Save As. Make sure "All types" is selected in the "Save as Type" menu. Name the file "fix.bat" and save it to your Desktop. Double-click on peek.bat. A black window will open and close, and a Notepad window will open. Copy and paste the contents of the notepad window into your reply. If you close it for some reason, a copy is located at C:\log.txt.

3. Deckard's System Scanner
------------------------------------------------

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.

  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

4. Scan with Kaspersky WebScanner
------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next post
------------------------------------------------

It's highly possible that the logs will not fit in one post, so use multiple posts if necessary :)
  • C:\log.txt
  • DSS main.txt and extra.txt
  • Kaspersky Webscanner log

  • 0

#13
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Fredil, whew! here are the logs in the order requested--will await your instructions, many thanks!

Volume Serial Number is 19FC-CEDF

Directory of C:\WINDOWS\system32\NtmsData

04/08/2008 04:31 PM <DIR> .
04/08/2008 04:31 PM <DIR> ..
04/08/2008 04:31 PM 122,880 NTMSDATA
04/08/2008 04:31 PM 122,880 NTMSDATA.BAK
04/08/2008 04:31 PM 84,392 NTMSIDX
04/08/2008 04:28 PM 816 NTMSREG
4 File(s) 330,968 bytes
2 Dir(s) 38,097,506,304 bytes free

Deckard's System Scanner v20071014.68
Run by Shannon Healy on 2008-04-21 17:44:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2008-04-21 21:44:32 UTC - RP19 - Deckard's System Scanner Restore Point
18: 2008-04-21 18:39:58 UTC - RP18 - System Checkpoint
17: 2008-04-20 16:05:12 UTC - RP17 - Installed Java™ 6 Update 6
16: 2008-04-20 15:50:21 UTC - RP16 - Removed J2SE Runtime Environment 5.0 Update 6
15: 2008-04-20 15:02:54 UTC - RP15 - ComboFix created restore point


-- First Restore Point --
1: 2008-04-08 18:38:50 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Shannon Healy.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:25 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1152635987\ee\AOLServiceHost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shannon Healy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Shannon Healy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11976 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080420-104652-110 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080420-104652-157 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080420-104652-164 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080420-104652-187 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080420-104652-188 O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
backup-20080420-104652-222 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080420-104652-224 O4 - HKCU\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
backup-20080420-104652-296 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080420-104652-299 O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
backup-20080420-104652-344 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080420-104652-365 O4 - HKCU\..\Run: [eqkontbh] C:\WINDOWS\system32\itclclex.exe
backup-20080420-104652-407 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
backup-20080420-104652-423 O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
backup-20080420-104652-495 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080420-104652-521 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080420-104652-528 O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
backup-20080420-104652-540 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080420-104652-552 R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
backup-20080420-104652-586 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080420-104652-700 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080420-104652-707 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080420-104652-781 O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - (no file)
backup-20080420-104652-803 O4 - HKLM\..\Policies\Explorer\Run: [mv1EMl2DnF] C:\Documents and Settings\All Users\Application Data\edkpezen\knkfqhsp.exe
backup-20080420-104652-912 O2 - BHO: (no name) - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - (no file)
backup-20080420-104652-951 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080421-173715-288 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080421-173716-498 O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
backup-20080421-173716-719 O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\shanno~1\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 USBDeviceService - c:\program files\sonic\digitalmedia plus v7\mydvd plus\usbdeviceservice.exe <Not Verified; ; USBDeviceService Module>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 21:00:26 564 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Shannon Healy.job
2008-02-25 12:36:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-21 and 2008-04-21 -----------------------------

2008-04-20 12:07:07 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-10 08:10:42 0 d-------- C:\ca4512c83f5e7a82508302
2008-04-09 16:38:03 0 d-------- C:\Program Files\Trend Micro
2008-04-09 16:30:39 0 d-------- C:\Program Files\Hijack
2008-04-08 18:57:41 0 dr-h----- C:\Documents and Settings\Shannon Healy\Recent
2008-04-08 18:20:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-08 18:20:36 0 d-------- C:\Documents and Settings\Shannon Healy\Application Data\Mozilla
2008-04-08 17:46:26 218112 --a------ C:\Program Files\HijackThis.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-04-08 17:25:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-08 17:21:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-08 17:21:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-08 17:21:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 17:21:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-08 17:21:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-08 17:21:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-08 17:21:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-08 17:21:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-08 17:08:49 0 d-------- C:\Program Files\Yahoo!
2008-04-08 17:08:45 0 d-------- C:\Program Files\CCleaner
2008-04-08 17:07:23 0 d-------- C:\Program Files\RogueRemover FREE
2008-04-08 17:03:56 3756 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-08 16:28:23 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-06 17:30:25 0 d-------- C:\WINDOWS\CSC
2008-04-06 17:00:33 0 -rahs---- C:\MSDOS.SYS
2008-04-06 17:00:33 0 -rahs---- C:\IO.SYS
2008-04-06 15:04:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 14:02:19 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-04-21 17:45:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-21 07:09:00 0 d-------- C:\Documents and Settings\Shannon Healy\Application Data\WTablet
2008-04-20 12:05:48 0 d-------- C:\Program Files\Java
2008-04-14 13:55:42 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-08 18:08:27 0 d-------- C:\Program Files\HP
2008-04-08 18:08:15 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-08 17:46:56 13739 --a------ C:\Program Files\hijackthis.log
2008-04-06 14:56:23 0 d-------- C:\Program Files\Common Files
2008-04-06 13:44:00 0 d-------- C:\Program Files\Norton Internet Security
2008-04-06 13:17:58 0 d-------- C:\Program Files\Symantec
2008-04-05 20:11:18 0 d-------- C:\Documents and Settings\Shannon Healy\Application Data\Adobe
2008-03-17 11:24:34 0 d-------- C:\Documents and Settings\Shannon Healy\Application Data\LimeWire
2008-03-14 15:21:15 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/02/2005 07:25 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/02/2005 07:22 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/02/2005 07:26 PM]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [11/22/2005 03:55 PM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DetectorApp"="C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [10/20/2005 10:15 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/11/2005 03:04 AM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [11/16/2005 12:30 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/11/2008 05:22 PM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/12/2005 03:39 PM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/07/2005 02:56 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [05/18/2005 02:29 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 02:23 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1152635987\ee\AOLHostManager.exe" [08/02/2005 03:33 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 02:11 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"zango"="c:\program files\zango\zango.exe" []
"webHancer Agent"="C:\Program Files\webHancer\Programs\whagent.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 03:08 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/21/2007 02:34 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Shannon Healy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 5:39:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8116 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-21 17:46:28 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T1300 @ 1.66GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 1013.98 MiB / 484.36 MiB
Pagefile Memory (total/avail): 2440.09 MiB / 2000.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.54 MiB

C: is Fixed (NTFS) - 65.6 GiB total, 35.43 GiB free.
D: is Fixed (FAT32) - 7.91 GiB total, 0.51 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST98823AS - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 65.6 GiB - C:
\PARTITION1 - Unknown - 7.92 GiB - D:
\PARTITION2 - Unknown - 1027.6 MiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Norton Internet Security 2006 v2006 (Symantec Corporation)
AV: Norton Internet Security 2006 v2006 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1152635987\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1152635987\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1152635987\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1152635987\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shannon Healy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHANNON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shannon Healy
LOGONSERVER=\\SHANNON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCTYPE=PAVILION
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHANNO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHANNO~1\LOCALS~1\Temp
USERDOMAIN=SHANNON
USERNAME=Shannon Healy
USERPROFILE=C:\Documents and Settings\Shannon Healy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shannon Healy (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3datelier.com SCREENSAVERpsy --> "C:\Program Files\3datelier.com SCREENSAVERpsy\unins000.exe"
5 Card Slingo from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5DE4D54F-AA79-43A4-9C8A-C173E7E2B025\Uninstall.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AOL Explorer --> C:\Program Files\Common Files\AOL\1152635987\ee\services\browser\ver1_1_1042\uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6E377D95-DF37-4E67-B64B-68C314600BCB\Uninstall.exe"
Big Kahuna Reef from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7948472C-423F-4134-B68F-48D660A05D71\Uninstall.exe"
Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\384E0BF4-1E1F-45A6-B60E-42144A3F15CD\Uninstall.exe"
Blasterball 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\9F3399B2-9ED6-4339-84A2-686432638B86\Uninstall.exe"
Boggle Supreme from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5658FB14-16A4-4DAE-946B-1457BE31572E\Uninstall.exe"
Bookworm Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0769D17-E72A-4E87-A83F-1F7A3F080008\Uninstall.exe"
Bounce Symphony from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7A940E33-6993-404B-ABA6-ED62E8FBE615\Uninstall.exe"
CC_ccProxyExt --> MsiExec.exe /I{2EBF25F1-F8A2-40EA-92BE-931C142A44E2}
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{30738666-9805-4926-A78F-91DA33B6C437}
Chuzzle Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\382C11F0-1A18-4F76-B8E0-15CA7F209C22\Uninstall.exe"
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -Iqta30a0a.INF
Crystal Maze from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2\Uninstall.exe"
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
FATE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89\Uninstall.exe"
Final Drive Nitro from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\320F055A-570F-4335-B026-16A836DB9549\Uninstall.exe"
Flip Words from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F2566CC2-D4C4-44ED-A838-3F8288D8D3FE\Uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_qta30a0k\HXFSETUP.EXE -U -IQTA30A0K.INF
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Game Console and games --> C:\Program Files\WildTangent\Apps\hpuninstall.exe
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP QuickPlay 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Rhapsody --> C:\PROGRA~1\HPRHAP~1\Unwise32.exe /A C:\PROGRA~1\HPRHAP~1\install.log
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP User Guides--System Recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC96BBA7-C634-460E-AD18-A0A994213F80}\setup.exe" -l0x9 -removeonly
HP User Guides 0009 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58C62A8E-E628-4822-A0F2-BBE10329D53F}\Setup.exe" -l0x9 -removeonly
HP Wireless Assistant 2.00 B3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Inkscape 0.45.1 --> "C:\Program Files\Inkscape\uninst.exe"
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\0E5266B4-9069-401A-93AE-5FF9F1712016\Uninstall.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PRO Network Connections Drivers --> Prounstl.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Jewel Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\4C061F83-EE92-445A-A03F-184B0BD59242\Uninstall.exe"
Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E90E3AE9-73E4-4E5C-BB0F-673989A808D0\Uninstall.exe"
Lexibox Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\5758A0E8-A112-4A1D-82EC-EC72F7F16B88\Uninstall.exe"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Mah Jong Quest from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E76A7EFF-7758-49EE-B3FA-9699830A2D6B\Uninstall.exe"
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
muvee autoProducer 4.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{286F29AF-0BE2-4D5F-AB17-B7631A810553}\setup.exe" -l0x9
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{449F3A9E-9903-4a0d-A209-08030D45A935}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{AADFE0B9-F905-4d5f-A144-0ADB2EFA747B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FFB4DD53-28B7-4981-BFF0-9BD801F61095}
Norton Internet Security 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe" /X
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
Oasis from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\E332F38A-75F6-4EF2-88CC-246E8A1CB5D7\Uninstall.exe"
Office 2003 Trial Assistant --> MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
Polar Bowler from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54\Uninstall.exe"
Polar Golfer from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D2E44AA4-8665-4490-A6C9-2D0744B47B27\Uninstall.exe"
Puzzle Express from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\EF860173-4FB7-4DE1-8BE8-5400F05A0DC5\Uninstall.exe"
Quick Launch Buttons 5.20 F2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
SCRABBLE from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\103EFD47-9F2C-4490-95DD-AE6C442AFB92\Uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Slingo Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C264D692-8E15-4141-96A2-5621332E5DD0\Uninstall.exe"
Slyder from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\B0202B33-E73D-4FCD-AC88-0B2971AFC116\Uninstall.exe"
SmartAudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}\setup.exe" -l0x9 -removeonly
Snowboard SuperJam --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\DED8E2B5-BA9F-448F-84E8-0AEF79876F95\Uninstall.exe"
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super Granny from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\7ED8A70C-9597-40BE-AEA0-0573182F1F51\Uninstall.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tablet --> C:\Program Files\Tablet\Remove.exe /u
TourSetup --> MsiExec.exe /I{A01FC76F-CC09-4658-9E37-5C2F635EE708}
Tradewinds from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86\Uninstall.exe"
Tune Tools for iPod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31B5C6E6-15A4-4614-8169-DA9576575715}\setup.exe" -l0x9 -removeonly
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Viewpoint Toolbar --> C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe /u /k /url "http://www.viewpoint...completed.html"
Windows Driver Package - MicroVision (Mvc25U870_VID_1262&PID_25FD) Image (11/30/2005 1.0.1.1) --> C:\PROGRA~1\DIFX\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\mvc25u870_5F382E4712B10D6A2C8EE6AF940197B92B0D5AEC\mvc25u870.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Wireless Home Network Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{09D8492A-C8E2-421E-927D-46800FB327A3}\Setup.exe" -l0x9 -removeonly
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zuma Deluxe from Hewlett-Packard Laptops (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\074EEF5F-3BE8-4112-B253-C5D6CDE2924C\Uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6990 / Error
Event Submitted/Written: 04/21/2008 07:04:10 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application NMain.exe, version 104.0.1.17, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6985 / Error
Event Submitted/Written: 04/20/2008 06:41:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6449 / Error
Event Submitted/Written: 04/06/2008 04:17:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6325 / Error
Event Submitted/Written: 04/06/2008 08:44:52 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9e.ocx, version 9.0.115.0, fault address 0x001b427a.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type6278 / Error
Event Submitted/Written: 03/31/2008 09:47:51 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application symlcsvc.exe, version 1.9.1.1255, faulting module symlcnet.dll, version 1.9.1.1255, fault address 0x00010d44.
Processing media-specific event for [symlcsvc.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38134 / Warning
Event Submitted/Written: 04/21/2008 05:35:22 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

Event Record #/Type38133 / Warning
Event Submitted/Written: 04/21/2008 05:35:22 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

Event Record #/Type38132 / Warning
Event Submitted/Written: 04/21/2008 05:35:22 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

Event Record #/Type38131 / Warning
Event Submitted/Written: 04/21/2008 05:35:22 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

Event Record #/Type38130 / Warning
Event Submitted/Written: 04/21/2008 05:35:22 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"



-- End of Deckard's System Scanner: finished at 2008-04-21 17:46:28 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 21, 2008 7:53:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 719519
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 100113
Number of viruses found: 13
Number of infected objects: 31
Number of suspicious objects: 12
Duration of the scan process: 01:37:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip/id53.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader2.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader7.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant17.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant17.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip/saap.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango12.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locke
  • 0

#14
Chopin

Chopin

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,639 posts
Hello Leighwh, the Kaspersky scan got cut off. Did you save the report to your computer? If not, you'll need to do the scan again; if you did, please post the report in your reply :)

1. Fix Entries with HijackThis
------------------------------------------------

These two entries aren't going away, so we'll try to fix them this way one more time. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

2. Add/Remove Programs
------------------------------------------------

Please go to Start > Run. Type appwiz.cpl in the box. Press "Enter". When the list finishes loading, remove the following things:

Bat

If you get errors that they have already been removed, don't worry about it.

3. Run a ComboFix Script
------------------------------------------------

1. Please open a blank Notepad document.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\ca4512c83f5e7a82508302
C:\Documents and Settings\Shannon Healy\Application Data\LimeWire
C:\Program Files\LimeWire


3. Go to File > Save As. Save the file name as CFScript and make sure "Text Documents (*.txt)" is selected in "Save as type". Save it to where you saved Combofix.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. If it asks you to reboot, let it reboot. Either way, a Combofix log will be made. Post that in your next reply.

In your next post
------------------------------------------------

  • Kaspersky Webscanner log
  • HijackThis log
  • ComboFix log

  • 0

#15
Leighwh

Leighwh

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thank you Fredil. I'm out of town for the weekend without that laptop, so will be back on this late tomorrow--thanks
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP