But I can't run HijackThis!?! [RESOLVED]


  • This topic is locked

#16
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David,

Yes please, run those scans and post me the logs, I want to see what is hidden away and respawning this bugger. It may be that you have a new variant which has found a way to stay hidden, but hopefully these scans will pick it up. Now it is very late with me, so I am going to have to pick this up in the morning, OK?

Don't worry about this, we will get it fixed, it just takes time. It is good that you have not got the computers connected to the internet, as there is no way they can download any other crap.

Regards,
RatHat
  • 0



#17
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts

I'm burning a CD with HiJackThis (I'm going to try renaming it) and all the other apps named in this thread. Do you have others I should add now, while I am burning the disk?


No, let's just stick with what we have just now. I don't want the worm to be able to mess with any other tools that I may want you to use later. Just make sure you get a few more CDs, OK. :)
  • 0

#18
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
Okay, I'll burn the CD, run those scans, post them and call it a night. Thanks so much and I'll talk to you in the morning. Good night.

d

PS: Oh, I see you are from Thailand. I spent 3 months there some years ago, living at Wat Suan Mokkh in the south. That was when Ajahn Buddhadassa was still alive.

UPDATE: I've completed the scans and am attaching the logs. Remember: These scans were of the laptop, not the work PC. I previously posted ComboFix and DSS logs from the work PC.

Attached Files


Edited by d_Oregon, 10 April 2008 - 10:22 PM.

  • 0

#19
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Good Morning David.

This is for your Work Computer:

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\mdelk.exe

Driver::
catchme
srosa
DarkSpy
f6cB5

FileLook::
C:\Program Files\MCj04244600000[1].wmf
C:\WINDOWS\system32\D2178F15B2.sys

DirLook::
C:\WINDOWS\system32\drivers\downld


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new DSS log.

OK, the other two logs are going to take a bit more time to work through, so I'll get back to you later on them.

Regards,
RatHat
  • 0
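Step 5 asks for the Combofix.txt produced by the script. As an added example (not a tool from this thread, from ComboFix, or from the helper), the Python script below reads a CFScript, reads the resulting Combofix.txt, and reports whether every File:: and Driver:: entry actually shows up in the log's "Other Deletions" and "Drivers/Services" sections; it also flags protection switches the log shows set to 0. The sample CFScript is the one in this post; the sample log is a constructed abridgement in the layout of the Combofix.txt posted later in the thread, and the section titles and the "-------\Legacy_" / "-------\Service_" prefixes are taken from that log. Everything else (function names, the regular expressions) is this example's own assumption.

```python
"""Cross-check a ComboFix CFScript against the Combofix.txt it produced.

Example tool, not part of ComboFix or of the thread. Both sample strings
are constructed in the format shown in the thread (abridged).
"""
import re
from typing import Dict, List

# Constructed sample: the CFScript from the post above, as the user saves it.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\drivers\mdelk.exe

Driver::
catchme
srosa
DarkSpy
f6cB5

FileLook::
C:\Program Files\MCj04244600000[1].wmf
C:\WINDOWS\system32\D2178F15B2.sys

DirLook::
C:\WINDOWS\system32\drivers\downld
"""

# Constructed sample: an abridged Combofix.txt in the real log's layout.
COMBOFIX_LOG = r"""ComboFix 08-04-10.7 - User 2008-04-11 12:49:31.2 - NTFSx86
Command switches used :: C:\Documents and Settings\User\Desktop\CFscript.txt

FILE ::
C:\WINDOWS\system32\drivers\mdelk.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CATCHME
-------\Legacy_DARKSPY
-------\Legacy_F6CB5
-------\Legacy_SROSA
-------\Service_catchme
-------\Service_DarkSpy
-------\Service_f6cB5
-------\Service_srosa

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")          # "((( Title )))" section header
SERVICE = re.compile(r"^-+\\(?:Legacy_|Service_)(.+)$")  # "-------\Service_name"
DISABLED = re.compile(r'^"(EnableLUA|EnableFirewall)"\s*=\s*0\b')


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group CFScript lines under their 'Name::' directive headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Split Combofix.txt into its banner sections; the header and the echoed
    script that precede the first banner are ignored, as are '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def verify_script(script: Dict[str, List[str]], log: Dict[str, List[str]]) -> Dict[str, Dict[str, bool]]:
    """For each File:: and Driver:: entry, say whether the log confirms removal
    (case-insensitive, since ComboFix upper-cases the Legacy_ entries)."""
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    removed = set()
    for entry in log.get("Drivers/Services", []):
        m = SERVICE.match(entry)
        if m:
            removed.add(m.group(1).lower())
    return {
        "files": {p: p.lower() in deleted for p in script.get("File", [])},
        "drivers": {d: d.lower() in removed for d in script.get("Driver", [])},
    }


def find_disabled_protections(text: str) -> List[str]:
    """Names of protection switches (LUA policy, standard-profile firewall) shown as 0."""
    return [m.group(1) for m in (DISABLED.match(l.strip()) for l in text.splitlines()) if m]


if __name__ == "__main__":
    report = verify_script(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))
    for kind, items in report.items():
        for name, ok in items.items():
            print(f"{kind:8} {'removed' if ok else 'MISSING'}  {name}")
    for name in find_disabled_protections(COMBOFIX_LOG):
        print(f"warning  {name} is 0 in the log")
```

An entry reported as MISSING means the script ran but the log did not record the deletion, which is the "respawning" case the helper is worried about and the signal to ask for a fresh scan rather than assume the item is gone. The disabled-protection check is there because a machine that has been cleaned but still has its firewall policy off is only half done.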

#20
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David,

I see you are also receiving help from negster22 at CastleCops in this topic.

It is both dangerous and a waste of time to have two people assisting the same log.

1. I, or negster22, will probably want to attack your log using different methods, which can cause conflicts and possible damage to the computer.

2. Either of us would be better off spending our time helping someone else, instead of both trying to work the same log. You may have noticed that this site, and other sites are overrun with people requiring assistance, and with not enough trained helpers to assist them all, so having a log worked on in two places at the same time is a drain on limited resources.

So it is make your mind up time for you. You need to inform either myself or negster22 that you are being assisted at another site, and no longer require their assistance.
  • 0

#21
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
Yes, RatHat, I agree with you. I have NOT done anything in response to Negster22. Because I got DSS from your site and such prompt and efficient help from you--and Negster said that he/she might have to hand the problem off--I decided to proceed here. Again, I have done those things you suggested and have not done anything else.

I will post at CastleCops to let them know.

Awaiting your feedback from latest logs.

D
  • 0

#22
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, David, let's move on.

Can you post me the Combofix.txt and a new DSS log, after running the fix on your Work Computer as laid out in Post 19? Then we can move on to your original computer.

Regards,
RatHat
  • 0

#23
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
RatHat,
Sorry, I missed post #19. BTW, I installed the Recovery Console before running ComboFix again. Here are new logs from the work PC:

ComboFix, based on CFscript:

ComboFix 08-04-10.7 - David Olsson 2008-04-11 12:49:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.558 [GMT -7:00]
Running from: C:\Documents and Settings\David Olsson\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\David Olsson\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\mdelk.exe
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\mdelk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CATCHME
-------\Legacy_DARKSPY
-------\Legacy_F6CB5
-------\Legacy_SROSA
-------\Service_catchme
-------\Service_DarkSpy
-------\Service_f6cB5
-------\Service_srosa


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 09:34 . 2008-04-11 09:34 <DIR> d-------- C:\WINDOWS\system32\vmm32
2008-04-10 19:33 . 2008-04-10 19:33 <DIR> d-------- C:\Deckard
2008-04-10 17:44 . 2008-04-10 17:44 <DIR> d-------- C:\WINDOWS\system32\drivers\downld
2008-04-08 08:25 . 2008-04-08 08:25 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\Runaware
2008-04-08 08:25 . 2008-04-08 08:25 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\ICAClient
2008-03-27 14:07 . 2008-03-27 14:08 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-27 10:15 . 2008-03-27 11:49 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\Download Manager
2008-03-26 15:04 . 2008-03-26 15:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-26 15:04 . 2008-03-26 15:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-26 11:29 . 2008-03-26 11:29 <DIR> d-------- C:\Program Files\Common Files\Vbox
2008-03-26 11:28 . 2003-11-11 19:55 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-03-26 11:15 . 2008-03-26 11:16 <DIR> d-------- C:\Program Files\Astonsoft
2008-03-26 11:15 . 2008-03-26 11:16 <DIR> d-------- C:\Documents and Settings\David Olsson\Application Data\DeepBurner
2008-03-24 16:06 . 2008-03-24 16:07 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-24 16:04 . 2008-03-24 16:05 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-24 16:03 . 2004-10-01 08:01 139,345 --a------ C:\WINDOWS\system32\hpzlnt12.dll
2008-03-24 16:02 . 2008-03-24 16:02 687 --a------ C:\WINDOWS\hpntwksetup.ini
2008-03-24 15:53 . 2008-03-24 16:09 68,937 --a------ C:\WINDOWS\hpoins05.dat
2008-03-24 15:53 . 2004-12-15 00:39 19,696 --------- C:\WINDOWS\hpomdl05.dat
2008-03-24 14:17 . 2007-03-10 10:11 2,680,320 --a------ C:\WINDOWS\system32\ImageEnXlibrary.ocx
2008-03-24 13:41 . 2008-03-24 15:52 <DIR> d-------- C:\TEMP\HP_WebRelease

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 16:33 --------- d-----w C:\Program Files\Dell
2008-04-11 16:10 --------- d-----w C:\Program Files\Password Safe
2008-04-11 16:10 --------- d-----w C:\Program Files\IDrive
2008-04-11 01:15 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-09 16:56 --------- d-----w C:\Program Files\Hijack This
2008-03-27 22:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 23:05 --------- d-----w C:\Program Files\HP
2008-03-17 20:00 --------- d-----w C:\Program Files\pdf995
2008-03-17 19:42 --------- d-----w C:\Program Files\Timeslips by Sage 2007 Trial Version
2008-03-09 19:02 --------- d-----w C:\Program Files\Java
2008-03-04 19:47 --------- d-----w C:\Program Files\Intuit
2008-01-17 20:09 1,788 ----a-w C:\WINDOWS\Fonts\HVCDO___.PFM
2008-01-17 20:09 1,780 ----a-w C:\WINDOWS\Fonts\HVC_____.PFM
2007-10-07 20:19 34,368 ----a-w C:\Program Files\MCj04244600000[1].wmf
2006-10-07 01:27 8 --sha-r C:\WINDOWS\system32\D2178F15B2.sys
2006-10-21 03:08 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

- Invalid filepath

- Not a PE file.

---- Directory of C:\WINDOWS\system32\drivers\downld ----



((((((((((((((((((((((((((((( [email protected]_19.26.11.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\ERDNT.EXE
+ 2008-04-11 02:22:37 5,025,792 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\Users\00000001\NTUSER.DAT
+ 2008-04-11 02:22:38 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-10\Users\00000002\UsrClass.dat
+ 2005-10-20 20:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\ERDNT.EXE
+ 2008-04-11 16:10:50 5,058,560 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\Users\00000001\NTUSER.DAT
+ 2008-04-11 16:10:51 188,416 ----a-w C:\WINDOWS\ERDNT\AutoBackup\4-11-2008\Users\00000002\UsrClass.dat
- 2007-05-18 20:04:11 45,056 ----a-r C:\WINDOWS\Installer\{FCD9CD52-7222-4672-94A0-A722BA702FD0}\NewShortcut1.EXE
+ 2008-04-11 16:34:27 45,056 ----a-r C:\WINDOWS\Installer\{FCD9CD52-7222-4672-94A0-A722BA702FD0}\NewShortcut1.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 19:29 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-05-26 02:01 688128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"IDriveE Startup"="C:\Program Files\IDrive\IDrvieEStartup.exe" [2007-11-29 18:02 194000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12 98304]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-10 19:08 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-10 19:08 135224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-07 06:53 185784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 07:38 282624 C:\WINDOWS\stsystra.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19 15872]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 15:02 988701]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 15:02 118784]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 10:24 1115728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-14 15:03 155648]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 12:21:00 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 12:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 10:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 IDriveE Service;IDriveE Service;"C:\Program Files\IDrive\IDriveE Service.exe" [2007-12-19 15:41]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R2 TSScheduleBackup;TimeslipsBackup;C:\WINDOWS\system32\TSSchBkpService.exe [2006-02-02 16:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08cde423-53d9-11db-8655-806d6172696f}]
\Shell\AutoRun\command - D:\autoRcd.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 17:00:00 C:\WINDOWS\Tasks\ABF OB backup.job"
- C:\Program Files\ABF Outlook Backup\abfOutlookBackup.exe|b
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 12:59:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

DSS main (there was no extra):

Deckard's System Scanner v20071014.68
Run by David Olsson on 2008-04-11 13:16:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-11 13:17:25
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IDrive\IDriveE Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TSSchBkpService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\IDrive\ClsIdle.exe
C:\Program Files\IDrive\IDriveETray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\IDrive\IDriveEBackground.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Olsson\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goappeals.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0060921
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: DeskBandHelper Class - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: PCLaw Web Timer - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [IDriveE Startup] "C:\Program Files\IDrive\IDrvieEStartup.exe" Hide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PClaw\PLIETool.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www3.valic.com (HKCU)
O16 - DPF: PLUpdate () - http://www.pclaw.com/PLUpdate.cab
O16 - DPF: Web-Based Email Tools () - http://email.secures...et/Download.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} () - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168112709250
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} () - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168112702734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonelite...bex/ieatgpc.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDrive\IDriveE Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
O23 - Service: TimeslipsBackup (TSScheduleBackup) - Unknown owner - C:\WINDOWS\system32\TSSchBkpService.exe


--
End of file - 13317 bytes

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 13:02:00 0 d-------- C:\WINDOWS\system32\vmm32
2008-04-11 12:49:31 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-11 12:48:52 0 d-------- C:\Combo-Fix
2008-04-11 09:35:38 0 dr-hs---- C:\cmdcons
2008-04-10 19:04:21 68096 --a------ C:\WINDOWS\zip.exe
2008-04-10 19:04:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-10 19:04:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-10 19:04:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-10 19:04:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-10 19:04:21 98816 --a------ C:\WINDOWS\sed.exe
2008-04-10 19:04:21 80412 --a------ C:\WINDOWS\grep.exe
2008-04-10 19:04:21 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-10 17:44:33 0 d-------- C:\WINDOWS\system32\drivers\downld
2008-04-08 08:25:23 0 d-------- C:\Documents and Settings\David Olsson\Application Data\ICAClient
2008-04-08 08:25:16 0 d-------- C:\Documents and Settings\David Olsson\Application Data\Runaware
2008-03-27 14:07:54 96577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-27 10:15:41 0 d-------- C:\Documents and Settings\David Olsson\Application Data\Download Manager
2008-03-26 11:29:10 0 d-------- C:\Program Files\Common Files\Vbox
2008-03-26 11:28:51 9856 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-03-26 11:15:46 0 d-------- C:\Documents and Settings\David Olsson\Application Data\DeepBurner
2008-03-26 11:15:00 0 d-------- C:\Program Files\Astonsoft
2008-03-24 16:06:38 0 d-------- C:\Program Files\Common Files\HP
2008-03-24 16:04:41 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-24 15:53:06 19696 -----n--- C:\WINDOWS\hpomdl05.dat
2008-03-24 15:53:06 68937 --a------ C:\WINDOWS\hpoins05.dat
2008-03-17 15:26:26 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-04-11 13:13:29 0 d-------- C:\Program Files\Password Safe
2008-04-11 13:13:26 0 d-------- C:\Program Files\IDrive
2008-04-11 09:33:40 0 d-------- C:\Program Files\Dell
2008-04-10 18:15:05 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-09 09:56:38 0 d-------- C:\Program Files\Hijack This
2008-03-27 15:30:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-27 15:28:03 0 d-------- C:\Documents and Settings\David Olsson\Application Data\Adobe
2008-03-27 14:27:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-26 11:29:10 0 d-------- C:\Program Files\Common Files
2008-03-24 16:05:05 0 d-------- C:\Program Files\HP
2008-03-17 13:00:27 0 d-------- C:\Program Files\pdf995
2008-03-17 12:42:41 0 d-------- C:\Program Files\Timeslips by Sage 2007 Trial Version
2008-03-09 12:02:05 0 d-------- C:\Program Files\Java
2008-03-04 12:47:39 0 d-------- C:\Program Files\Intuit


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2008-04-10 19:08]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2008-04-10 19:08]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-07 06:53]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 07:38 C:\WINDOWS\stsystra.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 15:02]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 15:02]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 10:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-14 15:03]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 19:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-05-26 02:01]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"IDriveE Startup"="C:\Program Files\IDrive\IDrvieEStartup.exe" [2007-11-29 18:02]

C:\Documents and Settings\David Olsson\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 01:12:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-09-28 12:22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2006-10-19 10:12 258048 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"


-- End of Deckard's System Scanner: finished at 2008-04-11 13:17:43 ------------

What is the current status of the workPC, do you think?

Eagerly awaiting the next step.

D

PS: In the interest of full disclosure, I did not cut and paste that CFscript, because of the difficulty of getting from one machine to another. I typed it by hand, but had my partner double-check it for accuracy.

Edited by d_Oregon, 11 April 2008 - 03:21 PM.

  • 0

#24
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David, I am not certain of the status of the work computer yet.

Could you run a small batch file for me on the Original Computer:

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

@echo off
REM Start a fresh report file and stamp it with the date and time
if exist AutorunQuery.txt Del AutorunQuery.txt
echo %date% %time% >>AutorunQuery.txt
echo.>>AutorunQuery.txt
REM Clear hidden/read-only/system attributes so the file can be read
attrib -h -r -s %SystemDrive%\autorun.inf
REM Append the contents of the root autorun.inf (nothing is added if it does not exist)
type %SystemDrive%\autorun.inf>>AutorunQuery.txt
start notepad AutorunQuery.txt & exit
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as Script.cmd using Save as Type: All files
  • Locate Script.cmd on your desktop
  • Double click to run.
It will open a Notepad file for you when it has run. Please copy the contents into your next reply.


Now on the Work Computer, please run OTScanIt using the same settings as in Post 8 and attach the results here.

Regards,
RatHat
  • 0
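A defender-side check for the autorun.inf contents that the script above dumps into AutorunQuery.txt, as an added example that is not from the thread or from any of the tools it uses: it parses the captured text and reports every directive that would make Windows launch a program. The sample autorun.inf contents are constructed, and the worm file name in them is a placeholder.

```python
"""Parse captured autorun.inf text and report directives that launch code.

Added example (not part of the original thread). Input is the text of an
AutorunQuery.txt-style capture: an optional timestamp line followed by the
autorun.inf contents, or only the timestamp when no autorun.inf existed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Keys in [autorun] that name a program to run: open=, shellexecute=, and
# shell\<verb>\command= (the verbs worms add to the drive's context menu).
LAUNCH_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)

# Constructed sample: a worm-style autorun.inf (placeholder file name).
SAMPLE_INFECTED = """[autorun]
open=RECYCLER\\S-1-5-21\\example_worm.exe
shell\\open\\Command=RECYCLER\\S-1-5-21\\example_worm.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\example_worm.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed sample: a benign driver-CD autorun.inf that only sets icon/label.
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

# Constructed sample mirroring the thread's result: timestamp only, so the
# system drive had no autorun.inf at all.
SAMPLE_EMPTY = "Fri 04/11/2008 14:48:29.16\n\n"


@dataclass
class AutorunReport:
    present: bool = False                                   # [autorun] section seen
    launches: List[Tuple[str, str]] = field(default_factory=list)  # (key, target)

    def verdict(self) -> str:
        if not self.present:
            return "no [autorun] section: autorun.inf absent or empty"
        if not self.launches:
            return "autorun.inf present but launches nothing"
        return "autorun.inf launches code: " + "; ".join(
            f"{key}={target}" for key, target in self.launches)


def program_of(value: str) -> str:
    """Return the program part of a directive value (handles quoted paths)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text: str) -> AutorunReport:
    """Tolerant INI-style parse: only the [autorun] section is inspected."""
    report = AutorunReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "autorun":
                report.present = True
            continue
        if section != "autorun" or "=" not in line:  # timestamp line, etc.
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if LAUNCH_RE.match(key):
            report.launches.append((key, value.strip()))
    return report


def launched_programs(text: str) -> List[str]:
    """Distinct programs an autorun.inf would run, in order of appearance."""
    seen: List[str] = []
    for _, target in parse_autorun(text).launches:
        prog = program_of(target)
        if prog and prog not in seen:
            seen.append(prog)
    return seen


if __name__ == "__main__":
    for name, sample in (("empty", SAMPLE_EMPTY), ("benign", SAMPLE_BENIGN),
                         ("infected", SAMPLE_INFECTED)):
        print(f"{name:9s}: {parse_autorun(sample).verdict()}")
```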

#25
d_Oregon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay, the script on the originally infected machine (again, I typed it carefully by hand) resulted in:

Fri 04/11/2008 14:48:29.16

And here is the OTscanIT log from the laptop. (BTW, I got internet back on the laptop, using ethernet. My wireless is still down--I cannot get WZC service to start):

OTScanIt logfile created on: 2008-04-11 14:59:41
OTScanIt by OldTimer - Version 1.0.9.0 Folder = C:\Documents and Settings\David Olsson\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

958.42 Mb Total Physical Memory | 564.92 Mb Available Physical Memory | 58.94% Memory free
2.26 Gb Paging File | 1.99 Gb Available in Paging File | 87.85% Paging File free
Paging file location(s): c:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.26 Gb Total Space | 41.77 Gb Free Space | 58.61% Space Free | Partition Type: NTFS
Drive D: | 4.75 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GOAPPEALSDCO
Current User Name: David Olsson
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users

[Processes - Non-Microsoft Only]
schedul2.exe -> %CommonProgramFiles%\Acronis\Schedule2\schedul2.exe -> MD5 = D5A40B566B6BF947B2E643DE621B1BDE | Acronis [Ver = 1,0,0,214 | Size = 172032 bytes | Modified Date = 2005-11-28 15:02:54 | Attr = ]
photoshopelementsfileagent.exe -> %ProgramFiles%\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -> MD5 = E42F7B36B4D8866184E8DF9776CA4226 | [Ver = | Size = 98304 bytes | Modified Date = 2004-10-04 04:47:04 | Attr = ]
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> MD5 = 73686FE0B2E0469F89FD2075BE724704 | Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2006-02-28 13:42:38 | Attr = ]
idrivee service.exe -> %ProgramFiles%\IDrive\IDriveE Service.exe -> MD5 = 31CBD5D8F05C4352C4462166508A083B | Pro Softnet Corporation [Ver = 1, 0, 0, 5 | Size = 128464 bytes | Modified Date = 2007-12-19 15:41:08 | Attr = ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> MD5 = 0FEBE37DB6650FAA5965C00545009D1D | NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 2006-10-22 13:22:00 | Attr = ]
photoshopelementsdeviceconnect.exe -> %ProgramFiles%\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -> MD5 = D0F9F362023BF94CF58A1C3CDBBEBE06 | [Ver = | Size = 118784 bytes | Modified Date = 2004-10-04 03:40:50 | Attr = ]
qbdbmgrn.exe -> %ProgramFiles%\Intuit\QuickBooks 2006\QBDBMgrN.exe -> MD5 = CE48E6270962C3D1FAF787B609D11241 | Intuit, Inc. [Ver = 8.0.3.5307 | Size = 126976 bytes | Modified Date = 2005-10-20 10:54:16 | Attr = ]
tsschbkpservice.exe -> %SystemRoot%\system32\TSSchBkpService.exe -> MD5 = 4FEDBC885A5DE3C6AD4D5A3535D420C1 | [Ver = | Size = 705024 bytes | Modified Date = 2006-02-02 16:42:50 | Attr = ]
dmxlauncher.exe -> %ProgramFiles%\Dell\Media Experience\DMXLauncher.exe -> MD5 = 906B35ED797CDE6A59D5798118CC225D | [Ver = | Size = 98304 bytes | Modified Date = 2006-05-03 03:12:00 | Attr = ]
dlactrlw.exe -> %SystemRoot%\system32\DLA\DLACTRLW.EXE -> MD5 = CEFD0E35B35AFD9D1C2FEC9AF81AFDB8 | Sonic Solutions [Ver = 5.20.08a | Size = 122940 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> MD5 = 8A71139A5CD86AC55CF0E4383AB4AE33 | RealNetworks, Inc. [Ver = 0.1.0.3725 | Size = 185784 bytes | Modified Date = 2006-10-07 06:53:47 | Attr = ]
stsystra.exe -> %SystemRoot%\stsystra.exe -> MD5 = 289BDC9E5681BD1BE0FB871C460BD254 | SigmaTel, Inc. [Ver = 1.0.5143.0 nd491 cp1 | Size = 282624 bytes | Modified Date = 2006-08-15 07:38:14 | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> MD5 = 836DC47E6CAD975304D1D3EB2F516A1C | Sun Microsystems, Inc. [Ver = 6.0.50.13 | Size = 144784 bytes | Modified Date = 2008-02-22 05:25:21 | Attr = ]
trueimagemonitor.exe -> %ProgramFiles%\Acronis\TrueImage\TrueImageMonitor.exe -> Unable to obtain MD5 | Acronis [Ver = 9,0,0,2323 | Size = 988701 bytes | Modified Date = 2005-11-28 15:02:56 | Attr = ]
schedhlp.exe -> %CommonProgramFiles%\Acronis\Schedule2\schedhlp.exe -> MD5 = B1423F4A808192F09026375AEA25952B | Acronis [Ver = 1,0,0,214 | Size = 118784 bytes | Modified Date = 2005-11-28 15:02:54 | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> MD5 = C74C7963EEC07AF49DCE44D64819B2BF | Apple Computer, Inc. [Ver = 7.0.4 | Size = 155648 bytes | Modified Date = 2007-12-14 15:03:21 | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\hpwuSchd2.exe -> MD5 = E558CDE2913DAA077D4E25732D1AA176 | Hewlett-Packard Company [Ver = 5, 0, 0, 0 | Size = 49152 bytes | Modified Date = 2004-09-13 16:49:00 | Attr = ]
dsagnt.exe -> %ProgramFiles%\Dell Support\DSAgnt.exe -> MD5 = 04361EE0F0D95CDE6432D0A2B23ABAC1 | Gteko Ltd. [Ver = 2, 1, 3, 173 | Size = 389120 bytes | Modified Date = 2006-07-16 19:29:54 | Attr = ]
hpqtra08.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqtra08.exe -> MD5 = C519CEC624CF9BCBA3059F32266C8FFF | Hewlett-Packard Co. [Ver = 45.4.157.000 | Size = 258048 bytes | Modified Date = 2004-11-04 20:28:24 | Attr = ]
clsidle.exe -> %ProgramFiles%\IDrive\ClsIdle.exe -> MD5 = 6C50327E235A44C0F69EF03DA0E8453F | Pro Softnet Corporation [Ver = 1, 0, 0, 4 | Size = 50744 bytes | Modified Date = 2007-11-29 17:50:50 | Attr = ]
hpqgalry.exe -> %ProgramFiles%\HP\Digital Imaging\bin\hpqgalry.exe -> MD5 = 6B2B9B46D7DA5C67397412DEA6CF9A14 | Hewlett-Packard Co. [Ver = 045.004.157.000 | Size = 425984 bytes | Modified Date = 2004-11-04 20:36:46 | Attr = ]
idriveebackground.exe -> %ProgramFiles%\IDrive\IDriveEBackground.exe -> MD5 = 1E30DD6FAA8319250F59FBAD20EAC135 | Pro Softnet Corp. [Ver = 1.00.0004 | Size = 34256 bytes | Modified Date = 2007-12-19 15:41:50 | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> MD5 = F6A57C651C4B28B87125A3DA39DCF448 | OldTimer Tools [Ver = 1.0.9.0 | Size = 369152 bytes | Modified Date = 2008-04-04 12:24:38 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AcrSch2Svc) Acronis Scheduler2 Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Acronis\Schedule2\schedul2.exe -> MD5 = D5A40B566B6BF947B2E643DE621B1BDE | Acronis [Ver = 1,0,0,214 | Size = 172032 bytes | Modified Date = 2005-11-28 15:02:54 | Attr = ]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> MD5 = F3463E6967C3C396921551C0CDC633C1 | Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 2006-10-22 12:21:47 | Attr = ]
(AdobeActiveFileMonitor) Adobe Active File Monitor [Win32_Own | Auto | Running] -> %ProgramFiles%\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -> MD5 = E42F7B36B4D8866184E8DF9776CA4226 | [Ver = | Size = 98304 bytes | Modified Date = 2004-10-04 04:47:04 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> MD5 = 4D070B4341AE2DEF0A257E67C1112ADD | Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 2008-04-10 18:20:58 | Attr = ]
(Bonjour Service) ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> MD5 = 73686FE0B2E0469F89FD2075BE724704 | Apple Computer, Inc. [Ver = 1,0,3,1 | Size = 229376 bytes | Modified Date = 2006-02-28 13:42:38 | Attr = ]
(CmdAgent) Comodo Application Agent [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Comodo\Firewall\cmdagent.exe -> MD5 = DBBCD3702D684395DC5D63BEA87AE483 | COMODO [Ver = 2.4.0.20 | Size = 361040 bytes | Modified Date = 2008-04-10 18:35:05 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> MD5 = 554C7CB178FE3BD12450B81AD63ADBC3 | Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> MD5 = 227846995AFEEFA70D328BF5334A86A5 | Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 2007-12-12 22:03:47 | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> MD5 = 751C1D2CA2ABF4A9F5A6B8D7D45B907C | Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2007-01-12 18:05:55 | Attr = ]
(IDriveE Service) IDriveE Service [Win32_Own | Auto | Running] -> %ProgramFiles%\IDrive\IDriveE Service.exe -> MD5 = 31CBD5D8F05C4352C4462166508A083B | Pro Softnet Corporation [Ver = 1, 0, 0, 5 | Size = 128464 bytes | Modified Date = 2007-12-19 15:41:08 | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> MD5 = DAF66902F08796F9C694901660E5A64A | Macrovision Corporation [Ver = 11.50.42618 | Size = 69632 bytes | Modified Date = 2005-11-14 02:06:04 | Attr = ]
(McAfeeFramework) McAfee Framework Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Network Associates\Common Framework\FrameworkService.exe -> MD5 = 963806548BC93F0D0189B631A68A7452 | Network Associates, Inc. [Ver = 3.1.2.266 | Size = 102463 bytes | Modified Date = 2004-04-07 03:12:00 | Attr = ]
(McShield) Network Associates McShield [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Network Associates\VirusScan\Mcshield.exe -> MD5 = 260D285091722D801E5FDD6E1F5AC2D9 | Network Associates, Inc. [Ver = 7.1.0.116 | Size = 237657 bytes | Modified Date = 2008-04-10 18:35:06 | Attr = ]
(McTaskManager) Network Associates Task Manager [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Network Associates\VirusScan\VsTskMgr.exe -> MD5 = 184078283F0ED17E2CB86A1C8262F53B | Network Associates, Inc. [Ver = 7.1.0.187 | Size = 69706 bytes | Modified Date = 2003-09-29 07:10:00 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> MD5 = 0FEBE37DB6650FAA5965C00545009D1D | NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 2006-10-22 13:22:00 | Attr = ]
(PhotoshopElementsDeviceConnect) Photoshop Elements Device Connect [Win32_Own | Auto | Running] -> %ProgramFiles%\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -> MD5 = D0F9F362023BF94CF58A1C3CDBBEBE06 | [Ver = | Size = 118784 bytes | Modified Date = 2004-10-04 03:40:50 | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\HPZipm12.exe -> MD5 = 2D091A99624FB9E7EEF0A86D872EC0C3 | HP [Ver = 10, 1, 1, 6 | Size = 73728 bytes | Modified Date = 2007-08-09 00:27:52 | Attr = ]
(QuickBooksDB) QuickBooksDB [Win32_Own | Auto | Running] -> %ProgramFiles%\Intuit\QuickBooks 2006\QBDBMgrN.exe -> MD5 = CE48E6270962C3D1FAF787B609D11241 | Intuit, Inc. [Ver = 8.0.3.5307 | Size = 126976 bytes | Modified Date = 2005-10-20 10:54:16 | Attr = ]
(TSScheduleBackup) TimeslipsBackup [Win32_Own | Auto | Running] -> %SystemRoot%\system32\TSSchBkpService.exe -> MD5 = 4FEDBC885A5DE3C6AD4D5A3535D420C1 | [Ver = | Size = 705024 bytes | Modified Date = 2006-02-02 16:42:50 | Attr = ]

[Driver Services - Non-Microsoft Only]
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\aliide.sys -> MD5 = 1140AB9938809700B46BB88E46D72A96 | Acer Laboratories Inc. [Ver = 1.20 | Size = 5248 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\AMDAGP.SYS -> MD5 = 675C16A3C1F8482F85EE4A97FC0DDE3D | Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 2004-08-03 21:07:44 | Attr = ]
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AmdK8.sys -> MD5 = 0A4D13B388C814560BD69C3A496ECFA8 | Advanced Micro Devices [Ver = 1.3.2 (dnsrv(wmbla).060618-2337) | Size = 36864 bytes | Modified Date = 2006-06-19 02:37:34 | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\asc.sys -> MD5 = 62D318E9A0C8FC9B780008E724283707 | Advanced System Products, Inc. [Ver = 2.9I-MS (XPClient.010817-1148) | Size = 26496 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\asc3550.sys -> MD5 = 5D8DE112AA0254B907861E9E9C31D597 | Advanced System Products, Inc. [Ver = 3.1E-MS (XPClient.010817-1148) | Size = 14848 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\ASPI32.SYS -> MD5 = ED8CEE58C1E4C5893F5B2FD686A272BF | Adaptec [Ver = 4.71 (0001) | Size = 17005 bytes | Modified Date = 2002-08-14 16:03:36 | Attr = ]
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> MD5 = 7D78B7FD0EBE00F177B053A08C78E35B | [Ver = | Size = 4096 bytes | Modified Date = 2006-09-28 07:13:34 | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AvgAsCln.sys -> MD5 = 6D4A1DA6E6D522B3EBBCBFF4A3589EC5 | GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 2006-09-05 09:03:16 | Attr = ]
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\bcm4sbxp.sys -> MD5 = 78E7B52DA292FA90BAD2F887BBF22159 | Broadcom Corporation [Ver = 4.47.0.0 built by: WinDDK | Size = 44544 bytes | Modified Date = 2006-08-14 11:29:44 | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\DAVIDO~1\LOCALS~1\Temp\catchme.sys -> File not found
(cercsr6) cercsr6 [Kernel | Boot | Stopped] -> %SystemRoot%\system32\drivers\cercsr6.sys -> MD5 = 84853B3FD012251690570E9E7E43343F | Adaptec, Inc. [Ver = 4.1.0.7405 | Size = 39904 bytes | Modified Date = 2004-12-13 14:14:00 | Attr = ]
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\cmdide.sys -> MD5 = E5DCB56C533014ECBC556A8357C929D5 | CMD Technology, Inc. [Ver = 2.0.7 (XPClient.010817-1148) | Size = 6656 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(CmdMon) Comodo Application Engine [Kernel | System | Running] -> %SystemRoot%\system32\drivers\cmdmon.sys -> MD5 = 7399B62C07D2340826CCAD5B4D661D35 | Comodo Research Lab., Inc. [Ver = 2.3.035 built by: WinDDK | Size = 75520 bytes | Modified Date = 2007-02-07 10:25:20 | Attr = ]
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dac2w2k.sys -> MD5 = E550E7418984B65A78299D248F0A7F36 | Mylex Corporation [Ver = 6.00-21 (XPClient.010817-1148) | Size = 179584 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLABOIOM.SYS -> MD5 = E2D0DE31442390C35E3163C87CB6A9EB | Sonic Solutions [Ver = 5.20.08a | Size = 25628 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLACDBHM) DLACDBHM [File_System | System | Running] -> %SystemRoot%\system32\drivers\DLACDBHM.SYS -> MD5 = D979BEBCF7EDCC9C9EE1857D1A68C67B | Sonic Solutions [Ver = 5.20.01a | Size = 5628 bytes | Modified Date = 2005-08-25 10:16:52 | Attr = ]
(DLADResN) DLADResN [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLADResN.SYS -> MD5 = 83545593E297F50A8E2524B4C071A153 | Sonic Solutions [Ver = 5.20.08a | Size = 2496 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAIFS_M.SYS -> MD5 = 96E01D901CDC98C7817155CC057001BF | Sonic Solutions [Ver = 5.20.08a | Size = 86524 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAOPIOM.SYS -> MD5 = 0A60A39CC5E767980A31CA5D7238DFA9 | Sonic Solutions [Ver = 5.20.08a | Size = 14684 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAPoolM.SYS -> MD5 = 9FE2B72558FC808357F427FD83314375 | Sonic Solutions [Ver = 5.20.08a | Size = 6364 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLARTL_N) DLARTL_N [File_System | System | Running] -> %SystemRoot%\system32\drivers\DLARTL_N.SYS -> MD5 = 7EE0852AE8907689DF25049DCD2342E8 | Sonic Solutions [Ver = 5.20.01a | Size = 22684 bytes | Modified Date = 2005-08-25 10:16:16 | Attr = ]
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAUDFAM.SYS -> MD5 = F08E1DAFAC457893399E03430A6A1397 | Sonic Solutions [Ver = 5.20.08a | Size = 94332 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> %SystemRoot%\system32\DLA\DLAUDF_M.SYS -> MD5 = E7D105ED1E694449D444A9933DF8E060 | Sonic Solutions [Ver = 5.20.08a | Size = 87036 bytes | Modified Date = 2005-09-08 03:20:00 | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> MD5 = C0FBB516E06E243F0CF31F597E7EBF7D | Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> MD5 = F5E7B358A732D09F4BCF2824B88B9E28 | Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> MD5 = E9317282A63CA4D188C0DF5E09C6AC5F | Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(DRVMCDB) DRVMCDB [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\DRVMCDB.SYS -> MD5 = FD0F95981FEF9073659D8EC58E40AA3C | Sonic Solutions [Ver = 3.30.04a | Size = 89264 bytes | Modified Date = 2005-09-12 01:30:00 | Attr = ]
(DRVNDDM) DRVNDDM [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\DRVNDDM.SYS -> MD5 = B4869D320428CDC5EC4D7F5E808E99B5 | Sonic Solutions [Ver = 5.20.00a | Size = 40544 bytes | Modified Date = 2005-08-12 03:20:00 | Attr = ]
(DSproct) DSproct [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Dell Support\GTAction\triggers\DSproct.sys -> MD5 = 2AC2372FFAD9ADC85672CC8E8AE14BE9 | GTek Technologies Ltd. [Ver = 1, 0, 0, 28 | Size = 4864 bytes | Modified Date = 2006-01-10 10:07:58 | Attr = ]
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\e100b325.sys -> MD5 = 3FCA03CBCA11269F973B70FA483C88EF | Intel Corporation [Ver = 5.41.22.0000 built by: WinDDK | Size = 117760 bytes | Modified Date = 2001-08-17 10:12:10 | Attr = ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Hdaudbus.sys -> MD5 = E31363D186B3E1D7C4E9117884A6AEE5 | Windows (R) Server 2003 DDK provider [Ver = 5.10.00.5011 built by: WinDDK | Size = 137728 bytes | Modified Date = 2004-08-12 15:45:54 | Attr = ]
(Inspect) Comodo Network Engine [Kernel | Boot | Stopped] -> %SystemRoot%\System32\DRIVERS\inspect.sys -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\mraid35x.sys -> MD5 = 3F4BB95E5A44F3BE34824E8E7CAF0737 | American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(NaiAvFilter1) NaiAvFilter1 [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\naiavf5x.sys -> MD5 = 93941B922810F9DFA68DFFFC6AD67A77 | Network Associates, Inc. [Ver = 7.1.0.111 | Size = 83008 bytes | Modified Date = 2003-09-29 07:10:00 | Attr = ]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> MD5 = BA1B732C1A70CFEA0C1B64F2850BF44F | NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 3994624 bytes | Modified Date = 2006-10-22 13:22:00 | Attr = ]
(pfc) Padus ASPI Shell [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\pfc.sys -> MD5 = 2C1EB94C24A6A1D3434481B0A5FA9C08 | Padus, Inc. [Ver = 2, 5, 0, 201 | Size = 9856 bytes | Modified Date = 2003-11-11 19:55:00 | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> MD5 = 80D317BD1C3DBC5D4FE7B1678C60CADD | Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> MD5 = 86724469CD077901706854974CD13C3E | Sonic Solutions [Ver = 2.03.32a | Size = 20640 bytes | Modified Date = 2005-04-25 00:03:00 | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql1080.sys -> MD5 = 0A63FB54039EB5662433CABA3B26DBA7 | QLogic Corporation [Ver = 3.04 | Size = 40320 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql12160.sys -> MD5 = 156ED0EF20C15114CA097A34A30D8A01 | QLogic Corporation [Ver = 7.13.02 (W64) | Size = 45312 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql1280.sys -> MD5 = 907F0AEEA6BC451011611E732BD31FCF | QLogic Corporation [Ver = 7.13.01 (W2K) | Size = 49024 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(SASDIFSV) SASDIFSV [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\sasdifsv.sys -> MD5 = D96686FCA1F9F6B06F7490553CBDA6DE | [Ver = 1, 0, 0, 1006 | Size = 5632 bytes | Modified Date = 2006-10-10 13:53:48 | Attr = ]
(SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS -> MD5 = 7F1085895E499907F68DF7731924122B | SuperAdBlocker, Inc. [Ver = 1, 0, 0, 1002 | Size = 4096 bytes | Modified Date = 2006-02-16 17:51:08 | Attr = R ]
(SASKUTIL) SASKUTIL [Kernel | System | Running] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.SYS -> MD5 = 16251201EFB144DEE6525C0CB26B86C1 | [Ver = 1, 0, 0, 1024 | Size = 29184 bytes | Modified Date = 2006-09-19 16:06:52 | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> MD5 = D26E26EA516450AF9D072635C60387F4 | [Ver = | Size = 27440 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\SISAGP.SYS -> MD5 = 732D859B286DA692119F286B21A2A114 | Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 2004-08-03 21:07:44 | Attr = ]
(snapman) Acronis Snapshots Manager [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\snapman.sys -> MD5 = 90257773F4B4065BD0C6CC2164FD52E5 | Acronis [Ver = 1.09 build 158 | Size = 96320 bytes | Modified Date = 2007-01-12 18:08:33 | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\sparrow.sys -> MD5 = 83C0F71F86D3BDAF915685F3D568B20E | Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 2004-08-04 03:00:00 | Attr = ]
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sthda.sys -> MD5 = 8990440E4B2A7CA5A56A1833B03741FD | SigmaTel, Inc. [Ver = 5.10.5143.0 nd491 cp1 | Size = 1171464 bytes | Modified Date = 2006-08-15 07:38:14 | Attr = ]

Edited by d_Oregon, 11 April 2008 - 04:08 PM.

#26
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, David,

There is some discussion going on behind the scenes about this form of bagle. So I would like you to try something on your Work Computer:

Boot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

When in Safe Mode, go to Start, then Run and type in sc delete srosa

Then hit OK


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\WINDOWS\system32\drivers\downld

Note: Only delete the folder I have highlighted in Red.

Using Windows Explorer still, please delete these files (if present):

C:\autorun.inf
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\mdelk.exe


After that, Reboot and run DSS again, then post me the results.

Regards,
RatHat

#27
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
I am following your directions, but I'm surprised to find no C:\WINDOWS\system32\drivers folder at all. And I found none of the noted files. So I ran the command as instructed but did not delete any files or folders. Do you still want a DSS log?

Edited by d_Oregon, 11 April 2008 - 04:23 PM.


#28
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
David,

Make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.

Then see if you can carry out the fix in safe mode again, and locate those folders and files.

Let me know how it goes, and if successful, post me the DSS log.

Regards,
RatHat

#29
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
EDIT: wait, I might have failed to do something on the hidden files...

Okay. I did this:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.

But I could not do this:
Under the Hidden files and folders heading SELECT Show hidden files and folders.
No such choice appears on the machine.

I did do this:
UNCHECK the Hide protected operating system files (recommended) option.
UNCHECK the Hide extensions for known file types option.
Click Yes to confirm.
Click OK.

But I still got no drivers folder in C:\WINDOWS\system32

Sorry,
d

Update: the same options do/don't exist on my laptop, but I can see the C:\WINDOWS\system32\drivers folder just fine on that machine

Edited by d_Oregon, 11 April 2008 - 05:53 PM.

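As an added check that is not from the thread and not one of RatHat's instructions, serving both the artifact list in post #26 and the hidden-folder problem in #29: a batch file that reports from a command prompt whether each listed item is present, because `if exist`, `dir /a` and `attrib` see hidden and system-attributed items regardless of Explorer's Folder Options, and that also shows the current Explorer hidden-file settings and the state of the srosa service. It deletes nothing, and it assumes %SystemRoot% resolves to C:\WINDOWS as on the machine in the thread.

```batch
@echo off
rem Added check script; not part of the thread and not one of RatHat's steps.
rem It reports whether each artifact listed in post #26 is present, using
rem "if exist", "dir /a" and "attrib", which see hidden and system-attributed
rem items no matter how Explorer's Folder Options are set. It deletes nothing.
rem %SystemRoot% resolves to C:\WINDOWS on the machine in the thread.
setlocal

echo === Explorer hidden-file settings for this user ===
rem Hidden: 1 = show hidden files, 2 = hide them. ShowSuperHidden: 1 = show
rem protected operating system files. HideFileExt: 0 = show extensions.
for %%V in (Hidden ShowSuperHidden HideFileExt) do (
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v %%V 2>nul | find "%%V"
)
echo.

echo === Service srosa ===
rem "FAILED 1060" from sc means no service of that name is installed.
sc query srosa
echo.

echo === Folders ===
for %%D in (
    "%SystemRoot%\system32\drivers"
    "%SystemRoot%\system32\drivers\downld"
) do (
    if exist "%%~D\" (
        echo [PRESENT] %%~D
    ) else (
        echo [absent ] %%~D
    )
)
if exist "%SystemRoot%\system32\drivers\downld\" (
    echo Contents of downld, including hidden items:
    dir /a "%SystemRoot%\system32\drivers\downld"
)
echo.

echo === Files ===
for %%F in (
    "C:\autorun.inf"
    "%SystemRoot%\system32\drivers\hldrrr.exe"
    "%SystemRoot%\system32\drivers\srosa.sys"
    "%SystemRoot%\system32\mdelk.exe"
    "%SystemRoot%\system32\drivers\mdelk.exe"
) do (
    if exist "%%~F" (
        echo [PRESENT] %%~F  attributes:
        attrib "%%~F"
    ) else (
        echo [absent ] %%~F
    )
)
endlocal
```

Save it under a name of your choosing (bagle_check.cmd is only a suggestion) on the CD, run it from a command prompt in Safe Mode, and compare the PRESENT lines with the list in post #26 before carrying out the manual deletions.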

#30
d_Oregon

    Member

  • Topic Starter
  • Member
  • 29 posts
Hoo, boy, I'm feeling frustrated with this. Maybe I should just restore my last backup of the C drive on the workPC. It's about a week old, but I can first do new backups of my accounting and email files. Then, assuming the restore goes right, I'll probably be back where I started. As it is, I don't know how long this will take and whether there will be any lingering problems afterward.