Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

rundll error, hijack log [RESOLVED]


  • This topic is locked This topic is locked

#1
chickneedshelp

chickneedshelp

    Member

  • Member
  • PipPip
  • 31 posts
I have been trying to rid a friends machine of trojans and malware and I'm having no success.

Upon initial load I receive the following 'rundll' error:
Error loading c:\windows\system32\euiibm89.dll
specified module could not be found

After that I get:
C:\windows\downloaded program files\oa6b.dll
specified module could not be found

And 'vchelp.exe' error:
windows cannot find 'vchelp.exe'. etc...
(upon research I found this to be a good error as the file may have been cleaned up...yes?)

I have tried a paid version of Spyware Doctor, no luck, currently waiting on a refund.
I have tried CCleaner, no luck.
They have Trend Micro PC-cillin Internet Security with annoying pop-ups everytime a bad file runs, however, I don't think it's a full version since it won't quarantine, clean or delete the file.
I have tried Windows Defender and the Windows Malicious Software Removal Tool, no luck.
I have even tried a Windows repair install, still no luck.

I am ready to pull my hair out!!!!
What will work or what can I do manually to get rid of this crap?
And since it's not my machine I really don't want to pay much for an expensive product.

Can anyone help? :)
Thanks a bunch!!!
KB

Here is my Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:59 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\vcplay.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\cac81.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\HPZinw12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zhaodao123.com/?h
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe vchelp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Invoke Class - {77929B3F-50EB-449b-9982-CAD99180EC0F} - C:\WINDOWS\system32\9ca1.dll
O2 - BHO: Browser Enhanced Objects - {986488AF-13D5-9DDF-4FEF-9FB88698CFC1} - C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2026.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FFB3D068-F8DA-4370-A71E-83B1C959CDD6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKLM\..\Policies\Explorer\Run: [oa6b] rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [d86a] C:\WINDOWS\system32\d86a.exe
O4 - HKLM\..\Policies\Explorer\Run: [b71] rundll32 C:\WINDOWS\system32\291.dll,Always
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: 知识库 - {06926B30-424E-4f1c-8EE3-543CD96573DC} - http://blank.la/?h (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 一起来音乐社区 - {7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF} - http://www.yiqilai.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: 易趣购物 - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://www.dayofday.cn/cl/?b (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {EE60714F-AC17-427e-861A-FD60CBDF119A} - http://www.dayofday.cn/cl/?b (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O23 - Service: 2D9FF877 - Unknown owner - C:\WINDOWS\system32\DFE31251.EXE (file missing)
O23 - Service: 959AE - Unknown owner - C:\WINDOWS\system32\959AE.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FEE5B96 - Unknown owner - C:\WINDOWS\system32\82856473.EXE (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServicevcHelp - Unknown owner - C:\WINDOWS\system32\vcplay.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12341 bytes

Edited by chickneedshelp, 16 May 2008 - 01:21 PM.

  • 0

Advertisements


#2
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello chickneedshelp and Welcome to Geeks To Go!

Sorry for the delay, it has been a busy week.

After checking your log, I did find signs of malware on your system. Please stick with me until we get you cleaned up.
Read this post completely before proceeding with the fix. If you have questions, please don't hesitate to ask. :)

Let's begin.

First,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Then,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Finally,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please post back with the following logs.

- Malwarebytes log
- SuperAntispyware log
- DSS log ->> Main and Extra
  • 0

#3
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hey KoKo - I'm jumping for joy!!! :) Thanks for the much needed help! Let's fix this baby~


Here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Quick Scan
Objects scanned: 60010
Time elapsed: 12 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 80
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 20
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\common files\CPUSH\cpush.dll (Adware.Sogou) -> Unloaded module successfully.
C:\WINDOWS\system32\9ca1.dll (Adware.BHO) -> Unloaded module successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2026.dll (Adware.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\sysloader.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{11f09afd-75ad-4e51-ab43-e09e9351ce16} (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11f09afd-75ad-4e51-ab43-e09e9351ce16} (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{34a12a06-48c0-420d-8f11-73552ee9631a} (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cde9eb54-a08e-4570-b748-13f5ddb5781c} (Adware.Sogou) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48ab4355-243e-45d6-8e95-8623a8bd8503} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50796047-4be9-4d51-ae4d-647bc2b24ddc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iehpr.invoke (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77929b3f-50eb-449b-9982-cad99180ec0f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77929b3f-50eb-449b-9982-cad99180ec0f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iehpr.invoke.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7dbc6adb-5788-4fb9-aec3-b40a58ac11df} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{7dbc6adb-5788-4fb9-aec3-b40a58ac11df} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d3342887-aab1-428c-90c6-642be0b6cffe} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e6bec792-a39d-4512-aa44-41627908dc2e} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webbrowser.browser (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{986488af-13d5-9ddf-4fef-9fb88698cfc1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{986488af-13d5-9ddf-4fef-9fb88698cfc1} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webbrowser.browser.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffb3d068-f8da-4370-a71e-83b1c959cdd6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1003154e-bc6e-42e6-b92b-d7db20195a81} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{134b9dcf-255b-44b5-ba77-93a185d8b159} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926b30-424e-4f1c-8ee3-543cd96573dc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ee60714f-ac17-427e-861a-fd60cbdf119a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0ad3ab16-6d0e-4f04-8660-fb1f36bc2dc0} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2f685b36-c53a-4653-9231-1dae5736de45} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{50c4cdd9-22d7-49ff-ac6d-7d4d528a3ab2} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{de2267bd-b163-407f-9e8d-6adec771e7ab} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediaspop.popcoco (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediaspop.popcoco.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediazpop.popcoco (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newcocomediazpop.popcoco.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadpopup.toolbardetector (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadpopup.toolbardetector.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nevzpuopopzad.allogc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nevzpuopopzad.allogc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nevzpuopupzad.amlogc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nevzpuopupzad.amlogc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadspushor.bslogic (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadspushor.bslogic.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadvertpup.bvlogic (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadvertpup.bvlogic.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadvspup.btlogic (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newadvspup.btlogic.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newdpoupopsad.aologc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newdpoupopsad.aologc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newsadvpusher.brlogic (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newsadvpusher.brlogic.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newzpoupopsad.ajlogc (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\newzpoupopsad.ajlogc.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9ba1aa9-cad4-4c14-bde6-922dff5f6f38} (Adware.Cinmus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\contentmatch (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apcdli (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntptdb (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewAdPopup.ToolbarDetector.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewCocoMediazPop.PopCoco (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewCocoMediazPop.PopCoco.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewdPoupopsAd.AOLogc (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NewdPoupopsAd.AOLogc.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webbrowser.browser (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Webbrowser.browser.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Yiqilai (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\apcdli (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\apcdli (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBI0S (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NetBI0S (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\newpush (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\cpush (Adware.CPush) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MicroPlugins (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntptdb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ntptdb (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{7dbc6adb-5788-4fb9-aec3-b40a58ac11df} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{06926b30-424e-4f1c-8ee3-543cd96573dc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{ee60714f-ac17-427e-861a-fd60cbdf119a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\CPUSH (Adware.CPush) -> Delete on reboot.
C:\Program Files\Yiqilai (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\foobar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\html (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\lib (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\realplayer (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\Temp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\tools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad\d11148f4ab (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad\d3a97f257ff (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad\d682de4ab (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad\ddef2388a (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\common files\CPUSH\cpush.dll (Adware.Sogou) -> Delete on reboot.
C:\WINDOWS\system32\9ca1.dll (Adware.BHO) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2026.dll (Adware.Agent) -> Delete on reboot.
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\CPUSH\Uninst.exe (Adware.CPush) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\foobar\foo_vis_yqllyrics.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\lib\YQL_Lyrics_Common.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\realplayer\real_vis_yqllyrics.rpv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\Temp\foo_vis_yqllyrics.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\Temp\gen_yqllyrics.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\Temp\vis_yqllyrics.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Yiqilai\tools\YiqilaiLyrics.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\a1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\b1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\k1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\p1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\r1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysloader.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\tempaq (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\euiibm89.dllmmc.pkm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system\LVL (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lori\Favorites\一起来音乐社区.url (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\ntptdb.sys (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\2026.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.dat (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



Here is the superantispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/18/2008 at 02:22 PM

Application Version : 4.0.1154

Core Rules Database Version : 3463
Trace Rules Database Version: 1454

Scan type : Complete Scan
Total Scan Time : 00:52:34

Memory items scanned : 673
Memory threats detected : 1
Registry items scanned : 6131
Registry threats detected : 8
File items scanned : 74787
File threats detected : 9

Trojan.Unclassified/VCPlay
C:\WINDOWS\SYSTEM32\VCPLAY.EXE
C:\WINDOWS\SYSTEM32\VCPLAY.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}
HKCR\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}
HKCR\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}\ProgID
HKCR\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}\Programmable
HKCR\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}\TypeLib
HKCR\CLSID\{C86488AF-13D5-4FEF-9DDF-9FB88698CFC1}\VersionIndependentProgID

Adware.MyWebSearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

Trojan.Unclassified/QQLogin-A
C:\WINDOWS\SYSTEM32\BNUJMV.DLL
C:\WINDOWS\SYSTEM32\BZOTEJ.DLL
C:\WINDOWS\SYSTEM32\EGAQXX.DLL
C:\WINDOWS\SYSTEM32\JHNHML.DLL
C:\WINDOWS\SYSTEM32\OIAOMH.DLL
C:\WINDOWS\SYSTEM32\RVTVJG.DLL
C:\WINDOWS\SYSTEM32\THKVWO.DLL
C:\WINDOWS\SYSTEM32\XNXQVO.DLL

Finally here are the DSS logs:
Main.txt:

Deckard's System Scanner v20071014.68
Run by Lori on 2008-05-18 14:34:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-05-18 19:34:23 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-05-18 18:25:53 UTC - RP5 - Installed SUPERAntiSpyware Free Edition
4: 2008-05-18 18:22:07 UTC - RP4 - Software Distribution Service 3.0
3: 2008-05-18 01:45:35 UTC - RP3 - System Checkpoint
2: 2008-05-17 01:21:40 UTC - RP2 - System Checkpoint


-- First Restore Point --
1: 2008-05-16 01:13:53 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Lori.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:54 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\cac81.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\YFC7JU0M\dss[1].exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lori.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://7255.com/?g
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Invoke Class - {77929B3F-50EB-449b-9982-CAD99180EC0F} - C:\WINDOWS\system32\9ca1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [oa6b] rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [d86a] C:\WINDOWS\system32\d86a.exe
O4 - HKLM\..\Policies\Explorer\Run: [b71] rundll32 C:\WINDOWS\system32\291.dll,Always
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 2D9FF877 - Unknown owner - C:\WINDOWS\system32\DFE31251.EXE (file missing)
O23 - Service: 959AE - Unknown owner - C:\WINDOWS\system32\959AE.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FEE5B96 - Unknown owner - C:\WINDOWS\system32\82856473.EXE (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServicevcHelp - Unknown owner - C:\WINDOWS\system32\vcplay.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11366 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 0z9m (0z9) - c:\windows\system32\drivers\0z9m.sys
R0 euiibm89 (euiibm8) - c:\windows\system32\drivers\euiibm89.sys
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 mxdispdr - c:\windows\system32\drivers\mxdispdr.sys
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S0 n1d8tmvsz - c:\windows\system32\drivers\n1d8tmvsz.sys
S1 OMCI - c:\windows\system32\drivers\omci.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 NetBI0S - c:\windows\system32\cac81.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>
R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 2D9FF877 - c:\windows\system32\dfe31251.exe -k (file missing)
S2 959AE - c:\windows\system32\959ae.exe
S2 FEE5B96 - c:\windows\system32\82856473.exe -g (file missing)
S2 ServicevcHelp - c:\windows\system32\vcplay.exe (file missing)
S2 sysloader (System Event loader) - "c:\documents and settings\all users\application data\microsoft\office\system\sysloader.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-18 13:27:47 244 --a------ C:\WINDOWS\Tasks\b71.job
2008-05-18 10:10:09 208 --a------ C:\WINDOWS\Tasks\740.job
2008-05-17 10:05:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-16 20:00:00 406 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job


-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 14:28:31 0 d-------- C:\WINDOWS\LastGood
2008-05-18 14:28:13 0 dr-h----- C:\Documents and Settings\Lori\Recent
2008-05-18 13:27:52 0 d-------- C:\Documents and Settings\All Users\Application Data\t
2008-05-18 13:27:42 53248 -ra------ C:\WINDOWS\system32\9ca1.dll <Not Verified; ; DLL Module>
2008-05-18 13:26:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:25:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:25:54 0 d-------- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
2008-05-18 13:24:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 10:03:15 0 d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-05-18 10:03:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 10:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:15:46 47616 -----n--- C:\WINDOWS\system32\cac81.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-15 20:06:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-15 18:54:13 0 d-------- C:\Program Files\CCleaner
2008-05-13 18:12:31 0 d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-05-13 17:59:02 53248 -ra------ C:\WINDOWS\0b71.exe <Not Verified; ; DLL Module>
2008-05-13 17:58:44 860160 -r------- C:\WINDOWS\system32\291.dll <Not Verified; ; Player ?????>
2008-05-12 19:11:52 0 d-------- C:\Documents and Settings\Lori\Application Data\Lavasoft
2008-05-12 19:11:41 0 d-------- C:\Program Files\Lavasoft
2008-05-07 12:54:54 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-07 12:54:47 0 d-------- C:\Documents and Settings\Lori\Application Data\PC Tools
2008-05-07 12:54:47 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-07 12:54:46 0 d-------- C:\Program Files\Spyware Doctor
2008-05-05 20:21:58 0 d-------- C:\Documents and Settings\Lori\Application Data\Talkback
2008-05-05 20:21:28 0 d-------- C:\Documents and Settings\Lori\Application Data\Mozilla
2008-05-05 18:56:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-05 18:55:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-04 16:14:42 0 d-------- C:\Program Files\Picasa2
2008-05-04 16:13:35 0 d-------- C:\WINDOWS\system32\runtime
2008-05-04 16:12:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 15:41:06 0 d-------- C:\Documents and Settings\Lori\Application Data\Uniblue
2008-05-04 15:41:01 0 d-------- C:\Program Files\Uniblue
2008-05-01 12:56:09 0 d-------- C:\WINDOWS\pss
2008-04-30 16:26:12 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-30 14:13:04 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 20:10:13 0 d-------- C:\Program Files\Windows Defender
2008-04-28 19:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-05-18 14:27:38 94208 ---h----- C:\WINDOWS\system32\AF86F.exe
2008-05-18 14:27:18 29 --a------ C:\WINDOWS\system32\22101-6132
2008-05-18 14:25:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 13:24:41 0 d-------- C:\Program Files\Common Files
2008-05-16 18:00:00 0 d-------- C:\Program Files\Norton Security Scan
2008-05-16 13:36:51 0 d-------- C:\Program Files\Trend Micro
2008-05-15 19:52:01 34344 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-15 19:10:31 69 --a------ C:\WINDOWS\system32\RYFLSZGMT.DLL
2008-05-15 19:08:10 40 --a------ C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL
2008-05-13 17:57:57 1279 --a------ C:\WINDOWS\system32\iFF1ugX7.dll
2008-05-07 10:11:09 81 --a------ C:\WINDOWS\-19101-6132
2008-05-05 18:41:21 0 d-------- C:\Program Files\Google
2008-05-04 16:22:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-30 06:59:34 131072 -ra------ C:\WINDOWS\system32\d86a.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77929B3F-50EB-449b-9982-CAD99180EC0F}]
05/16/2008 07:43 PM 53248 -ra------ C:\WINDOWS\system32\9ca1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 11:39 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [11/07/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [11/01/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/22/2005 10:21 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 04:30 PM]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [09/09/2005 08:09 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/13/2004 04:49 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 02:03 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/04/2008 04:13 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [03/09/2005 08:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 02:11 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Ad-Aware"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" [09/17/2004 02:51 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/20/2006 05:00 PM C:\WINDOWS\stsystra.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/16/2006 10:29 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/18/2007 10:31 AM]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [04/23/2008 11:19 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/4/2008 4:12:22 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 8:50:52 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"oa6b"=rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
"d86a"=C:\WINDOWS\system32\d86a.exe
"b71"=rundll32 C:\WINDOWS\system32\291.dll,Always

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)




-- Hosts -----------------------------------------------------------------------

192.168.1.4 HP000D9D11B876


-- End of Deckard's System Scanner: finished at 2008-05-18 14:36:34 ------------





Extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 1022.42 MiB / 304.48 MiB
Pagefile Memory (total/avail): 2460.79 MiB / 1880.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 107.08 GiB total, 89.08 GiB free.
D: is Fixed (Unformatted) - 0 GiB total, 0 GiB free.
E: is Fixed (NTFS) - 37.24 GiB total, 0.33 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - SAMSUNG HD160JJ/P - 149.01 GiB - 1 partition
\PARTITION0 - Installable File System - 149 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD1600JS-75NCB2 - 149.01 GiB - 4 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 107.08 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 37.24 GiB - E:
\PARTITION3 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Spyware Doctor with AntiVirus v (PC Tools) Disabled
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:HP Digital Imaging Monitor"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lori\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RICHARD-6CA2A79
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lori
LOGONSERVER=\\RICHARD-6CA2A79
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lori\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lori\LOCALS~1\Temp
USERDOMAIN=RICHARD-6CA2A79
USERNAME=Lori
USERPROFILE=C:\Documents and Settings\Lori
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Kaitlyn (admin)
Jessica (admin)
Jake (admin)
Rick
Lori (admin)
Eric
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Photoshop Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Battlefield 1942: Secret Weapons of WWII --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\setup.exe" -l0x9
Battlefield 1942: The Road To Rome --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\setup.exe" -l0x9
Battlefield Vietnam™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x9
Battlefield Vietnam: WW2 Mod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.exe" -l0x9
Bejeweled 2 Deluxe --> "C:\Program Files\Dell Games\Bejeweled 2 Deluxe\Uninstall.exe"
Blasterball 2 Holidays (Free with Dell Game Console) --> "C:\Program Files\Dell Games\Blasterball 2 Holidays\Uninstall.exe"
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Cake Mania --> "C:\Program Files\MSN Games\Cake Mania\Uninstall.exe" "C:\Program Files\MSN Games\Cake Mania\install.log"
Carmen Sandiego Math Detective --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Carmen Math Detective\DeIsL1.isu"
Carrie the Caregiver --> "C:\Program Files\MSN Games\Carrie the Caregiver\Uninstall.exe" "C:\Program Files\MSN Games\Carrie the Caregiver\install.log"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Cradle of Rome --> "C:\Program Files\MSN Games\Cradle of Rome\Uninstall.exe" "C:\Program Files\MSN Games\Cradle of Rome\install.log"
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4

Edited by chickneedshelp, 18 May 2008 - 01:42 PM.

  • 0

#4
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
After multiple scans I think I got it cleaner but not quite yet. I need help cleaning the registry as that is where I believe they keep reinventing.

Here is the latest log I ran:

Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Quick Scan
Objects scanned: 59186
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\291.dll (Adware.BHO) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48ab4355-243e-45d6-8e95-8623a8bd8503} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50796047-4be9-4d51-ae4d-647bc2b24ddc} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iehpr.invoke (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77929b3f-50eb-449b-9982-cad99180ec0f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77929b3f-50eb-449b-9982-cad99180ec0f} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iehpr.invoke.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBI0S (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NetBI0S (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\b71 (Adware.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\t (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\ad (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\291.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\system32\9ca1.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\0b71.exe (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\WINDOWS\101.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\a1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\b1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\k1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\p1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\t\r1710.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Another one:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/18/2008 at 07:19 PM

Application Version : 4.0.1154

Core Rules Database Version : 3463
Trace Rules Database Version: 1454

Scan type : Complete Scan
Total Scan Time : 00:50:45

Memory items scanned : 647
Memory threats detected : 0
Registry items scanned : 6127
Registry threats detected : 0
File items scanned : 74956
File threats detected : 8

Trojan.Unclassified/QQLogin-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000275.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000276.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000277.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000278.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000279.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000280.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000281.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{016C2626-D43F-4C6F-9141-A47E3AE79449}\RP5\A0000282.DLL


Main.txt
Deckard's System Scanner v20071014.68
Run by Lori on 2008-05-18 21:28:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Lori.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:24 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\cac81.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lori\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Lori.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [oa6b] rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [d86a] C:\WINDOWS\system32\d86a.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: 2D9FF877 - Unknown owner - C:\WINDOWS\system32\DFE31251.EXE (file missing)
O23 - Service: 959AE - Unknown owner - C:\WINDOWS\system32\959AE.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FEE5B96 - Unknown owner - C:\WINDOWS\system32\82856473.EXE (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServicevcHelp - Unknown owner - C:\WINDOWS\system32\vcplay.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10973 bytes

-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 21:08:02 0 dr-h----- C:\Documents and Settings\Lori\Recent
2008-05-18 21:07:50 860160 -----n--- C:\WINDOWS\system32\291.dll <Not Verified; ; Player ?????>
2008-05-18 13:26:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:25:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:25:54 0 d-------- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
2008-05-18 13:24:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 10:03:15 0 d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-05-18 10:03:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 10:03:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:06:33 0 d-------- C:\WINDOWS\Prefetch
2008-05-15 18:54:13 0 d-------- C:\Program Files\CCleaner
2008-05-15 04:07:38 47616 -r------- C:\WINDOWS\system32\cac81.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-05-13 18:12:31 0 d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-05-12 19:11:52 0 d-------- C:\Documents and Settings\Lori\Application Data\Lavasoft
2008-05-12 19:11:41 0 d-------- C:\Program Files\Lavasoft
2008-05-07 12:54:54 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-07 12:54:47 0 d-------- C:\Documents and Settings\Lori\Application Data\PC Tools
2008-05-07 12:54:47 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-07 12:54:46 0 d-------- C:\Program Files\Spyware Doctor
2008-05-05 20:21:58 0 d-------- C:\Documents and Settings\Lori\Application Data\Talkback
2008-05-05 20:21:28 0 d-------- C:\Documents and Settings\Lori\Application Data\Mozilla
2008-05-05 18:56:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-05 18:55:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-04 16:14:42 0 d-------- C:\Program Files\Picasa2
2008-05-04 16:13:35 0 d-------- C:\WINDOWS\system32\runtime
2008-05-04 16:12:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 15:41:06 0 d-------- C:\Documents and Settings\Lori\Application Data\Uniblue
2008-05-04 15:41:01 0 d-------- C:\Program Files\Uniblue
2008-05-01 12:56:09 0 d-------- C:\WINDOWS\pss
2008-04-30 16:26:12 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-30 14:13:04 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 20:10:13 0 d-------- C:\Program Files\Windows Defender
2008-04-28 19:43:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-05-18 21:08:40 29 --a------ C:\WINDOWS\system32\22101-6132
2008-05-18 21:07:53 94208 ---h----- C:\WINDOWS\system32\AF86F.exe
2008-05-18 18:00:02 0 d-------- C:\Program Files\Norton Security Scan
2008-05-18 14:25:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-18 13:24:41 0 d-------- C:\Program Files\Common Files
2008-05-16 13:36:51 0 d-------- C:\Program Files\Trend Micro
2008-05-15 19:52:01 34344 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-15 19:10:31 69 --a------ C:\WINDOWS\system32\RYFLSZGMT.DLL
2008-05-15 19:08:10 40 --a------ C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL
2008-05-13 17:57:57 1279 --a------ C:\WINDOWS\system32\iFF1ugX7.dll
2008-05-07 10:11:09 81 --a------ C:\WINDOWS\-19101-6132
2008-05-05 18:41:21 0 d-------- C:\Program Files\Google
2008-05-04 16:22:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-30 06:59:34 131072 -ra------ C:\WINDOWS\system32\d86a.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 11:39 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [11/07/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [11/01/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/22/2005 10:21 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 04:30 PM]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [09/09/2005 08:09 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/13/2004 04:49 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 02:03 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/04/2008 04:13 PM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [03/09/2005 08:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/15/2007 12:43 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 02:11 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/20/2006 05:00 PM C:\WINDOWS\stsystra.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/10/2004 06:00 AM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [05/05/2008 08:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [07/16/2006 10:29 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/18/2007 10:31 AM]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [04/23/2008 11:19 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/4/2008 4:12:22 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"oa6b"=rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
"d86a"=C:\WINDOWS\system32\d86a.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

*Newly Created Service* - SASDIFSV



-- End of Deckard's System Scanner: finished at 2008-05-18 21:28:48 ------------

Edited by chickneedshelp, 19 May 2008 - 05:43 AM.

  • 0

#5
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hey chickneedshelp,

Your extra.txt log got cut off. Could you post again please. You'll be able to find the log in C:\Deckard.
thanks
  • 0

#6
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
DSS did not launch another extra.txt file, it's the same, even after running the executable again.
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 1022.42 MiB / 304.48 MiB
Pagefile Memory (total/avail): 2460.79 MiB / 1880.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 107.08 GiB total, 89.08 GiB free.
D: is Fixed (Unformatted) - 0 GiB total, 0 GiB free.
E: is Fixed (NTFS) - 37.24 GiB total, 0.33 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - SAMSUNG HD160JJ/P - 149.01 GiB - 1 partition
\PARTITION0 - Installable File System - 149 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD1600JS-75NCB2 - 149.01 GiB - 4 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 107.08 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 37.24 GiB - E:
\PARTITION3 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Spyware Doctor with AntiVirus v (PC Tools) Disabled
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:HP Digital Imaging Monitor"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lori\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RICHARD-6CA2A79
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lori
LOGONSERVER=\\RICHARD-6CA2A79
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lori\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lori\LOCALS~1\Temp
USERDOMAIN=RICHARD-6CA2A79
USERNAME=Lori
USERPROFILE=C:\Documents and Settings\Lori
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Kaitlyn (admin)
Jessica (admin)
Jake (admin)
Rick
Lori (admin)
Eric
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Photoshop Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Battlefield 1942: Secret Weapons of WWII --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\setup.exe" -l0x9
Battlefield 1942: The Road To Rome --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\setup.exe" -l0x9
Battlefield Vietnam™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x9
Battlefield Vietnam: WW2 Mod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.exe" -l0x9
Bejeweled 2 Deluxe --> "C:\Program Files\Dell Games\Bejeweled 2 Deluxe\Uninstall.exe"
Blasterball 2 Holidays (Free with Dell Game Console) --> "C:\Program Files\Dell Games\Blasterball 2 Holidays\Uninstall.exe"
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
Cake Mania --> "C:\Program Files\MSN Games\Cake Mania\Uninstall.exe" "C:\Program Files\MSN Games\Cake Mania\install.log"
Carmen Sandiego Math Detective --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Carmen Math Detective\DeIsL1.isu"
Carrie the Caregiver --> "C:\Program Files\MSN Games\Carrie the Caregiver\Uninstall.exe" "C:\Program Files\MSN Games\Carrie the Caregiver\install.log"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Cradle of Rome --> "C:\Program Files\MSN Games\Cradle of Rome\Uninstall.exe" "C:\Program Files\MSN Games\Cradle of Rome\install.log"
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Game Console --> "C:\Program Files\Dell Games\Dell Game Console\Uninstall.exe"
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
Dell Support 3.2 --> MsiExec.exe /X{3846E811-639D-4DE1-844B-30491C0A6C0C}
DellConnect --> MsiExec.exe /X{D22B50A0-DD4E-4E33-9971-891C328677C8}
Diego`s Wolf Pup Rescue (remove only) --> C:\Program Files\Diego`s Wolf Pup Rescue\Uninstall.exe
Diner Dash Flo on the Go --> "C:\Program Files\MSN Games\Diner Dash Flo on the Go\Uninstall.exe" "C:\Program Files\MSN Games\Diner Dash Flo on the Go\install.log"
Dora's Carnival Adventure --> "C:\Program Files\Dell Games\Dora's Carnival Adventure\Uninstall.exe"
Dream Day Wedding --> "C:\Program Files\MSN Games\Dream Day Wedding\Uninstall.exe" "C:\Program Files\MSN Games\Dream Day Wedding\install.log"
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
FATE --> "C:\Program Files\Dell Games\FATE\Uninstall.exe"
Frogger v1.0 --> C:\WINDOWS\SCEEunin.exe C:\WINDOWS\Froggersetup.ini
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hidden Expedition Titanic --> "C:\Program Files\MSN Games\Hidden Expedition Titanic\Uninstall.exe" "C:\Program Files\MSN Games\Hidden Expedition Titanic\install.log"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
Intel RSX 3D --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\system32\DeIsL1.isu
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Jungle Games --> C:\Disney\Jungle\uninstal.exe
LEGO Digital Designer --> "C:\Program Files\LEGO Software\LEGO Digital Designer\uninstall.exe"
LEGO Star Wars Demo Disc --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{F7D1D93A-B17A-41F8-9070-0B2A544C6165} /l1033
LimeWire 4.14.10 --> "C:\Documents and Settings\Eric\My Documents\My Music\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Outlook 2003 with Business Contact Manager Update --> MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Musicmatch Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Mystery Case Files - Huntsville --> "C:\Program Files\MSN Games\Mystery Case Files - Huntsville\Uninstall.exe" "C:\Program Files\MSN Games\Mystery Case Files - Huntsville\install.log"
Mystery Case Files Ravenhearst --> "C:\Program Files\MSN Games\Mystery Case Files Ravenhearst\Uninstall.exe" "C:\Program Files\MSN Games\Mystery Case Files Ravenhearst\install.log"
Norton Ghost 10.0 --> MsiExec.exe /X{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}
Norton Security Scan --> MsiExec.exe /I{48B82226-75E3-4E90-92CC-D30F79EA6380}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Pharaohs Mystery --> "C:\Program Files\MSN Games\Pharaohs Mystery\Uninstall.exe" "C:\Program Files\MSN Games\Pharaohs Mystery\install.log"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PunkBuster for Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{127B684B-A002-44C8-99A7-6CF8F1E26873}\setup.exe" -l0x9
PunkBuster for Battlefield Vietnam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roller Rush --> "C:\Program Files\MSN Games\Roller Rush\Uninstall.exe" "C:\Program Files\MSN Games\Roller Rush\install.log"
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
SCRABBLE --> "C:\Program Files\Dell Games\SCRABBLE\Uninstall.exe"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SpongeBob Diner Dash --> "C:\Program Files\MSN Games\SpongeBob Diner Dash\Uninstall.exe" "C:\Program Files\MSN Games\SpongeBob Diner Dash\install.log"
SpongeBob SquarePants Krabby Quest --> "C:\Program Files\Dell Games\SpongeBob SquarePants Krabby Quest\Uninstall.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Teddy Factory --> "C:\Program Files\Dell Games\Teddy Factory\Uninstall.exe"
Teddy Factory --> "C:\Program Files\MSN Games\Teddy Factory\Uninstall.exe" "C:\Program Files\MSN Games\Teddy Factory\install.log"
Tornado Jockey --> "C:\Program Files\Dell Games\Tornado Jockey\Uninstall.exe"
Trend Micro PC-cillin Internet Security 12 --> MsiExec.exe /X{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Virtual Villagers The Lost Children --> "C:\Program Files\MSN Games\Virtual Villagers The Lost Children\Uninstall.exe" "C:\Program Files\MSN Games\Virtual Villagers The Lost Children\install.log"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows XP Media Center Edition 2005 KB908250 --> "C:\WINDOWS\$NtUninstallKB908250$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2415 / Warning
Event Submitted/Written: 05/18/2008 02:29:42 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{646A65DD-23FC-418E-B9F0-E0500FB42CB1}', feature 'GalleryFramework' failed during request for component '{ECD95215-CDCE-4AAB-AFC2-717ECCB8DA52}'

Event Record #/Type2414 / Warning
Event Submitted/Written: 05/18/2008 02:29:42 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{646A65DD-23FC-418E-B9F0-E0500FB42CB1}', feature 'GalleryFramework', component '{3B694B1F-4410-11D5-A54A-0090278A1BB8}' failed. The resource 'C:\WINDOWS\system32\gdiplus.dll' does not exist.

Event Record #/Type2411 / Warning
Event Submitted/Written: 05/18/2008 02:29:40 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{646A65DD-23FC-418E-B9F0-E0500FB42CB1}', feature 'GalleryFramework' failed during request for component '{ECD95215-CDCE-4AAB-AFC2-717ECCB8DA52}'

Event Record #/Type2410 / Warning
Event Submitted/Written: 05/18/2008 02:29:40 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{646A65DD-23FC-418E-B9F0-E0500FB42CB1}', feature 'GalleryFramework', component '{3B694B1F-4410-11D5-A54A-0090278A1BB8}' failed. The resource 'C:\WINDOWS\system32\gdiplus.dll' does not exist.

Event Record #/Type2408 / Warning
Event Submitted/Written: 05/18/2008 02:29:28 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{646A65DD-23FC-418E-B9F0-E0500FB42CB1}', feature 'GalleryFramework' failed during request for component '{ECD95215-CDCE-4AAB-AFC2-717ECCB8DA52}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type54492 / Warning
Event Submitted/Written: 05/15/2008 02:54:23 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type52740 / Warning
Event Submitted/Written: 05/14/2008 07:36:02 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type52553 / Error
Event Submitted/Written: 05/13/2008 06:02:19 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register with DCOM within the required timeout.

Event Record #/Type52552 / Error
Event Submitted/Written: 05/13/2008 06:02:11 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type52539 / Error
Event Submitted/Written: 05/13/2008 05:59:55 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}



-- End of Deckard's System Scanner: finished at 2008-05-18 14:36:34 ------------

Edited by chickneedshelp, 19 May 2008 - 05:44 AM.

  • 0

#7
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
No problem. The log you posted is actually the one I needed. Thanks... :)

Moving on,

I noticed you have Windows Firewall enabled. Since you already have TrendMicro Firewall installed and running, please Disable Windows Firewall . This not only takes up system resources but also cause conflicts which leads to system crash and hang ups.

Next,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Policies\Explorer\Run: [oa6b] rundll32 "C:\WINDOWS\Downlo~1\oa6b.dll",start
O4 - HKLM\..\Policies\Explorer\Run: [d86a] C:\WINDOWS\system32\d86a.exe
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: 2D9FF877 - Unknown owner - C:\WINDOWS\system32\DFE31251.EXE (file missing)
O23 - Service: 959AE - Unknown owner - C:\WINDOWS\system32\959AE.exe
O23 - Service: FEE5B96 - Unknown owner - C:\WINDOWS\system32\82856473.EXE (file missing)
O23 - Service: ServicevcHelp - Unknown owner - C:\WINDOWS\system32\vcplay.exe (file missing)
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Then,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Downlo~1\oa6b.dll
    C:\WINDOWS\system32\d86a.exe
    C:\WINDOWS\system32\DFE31251.EXE
    C:\WINDOWS\system32\959AE.exe
    C:\WINDOWS\system32\82856473.EXE
    C:\WINDOWS\system32\vcplay.exe
    C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe
    C:\WINDOWS\system32\291.dll
    C:\WINDOWS\system32\AF86F.exe
    C:\WINDOWS\system32\RYFLSZGMT.DLL
    C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL
    C:\WINDOWS\system32\iFF1ugX7.dll
    C:\WINDOWS\-19101-6132
    C:\WINDOWS\system32\22101-6132
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2D9FF877]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\959AE]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FEE5B96]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServicevcHelp]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysloader]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Finally,

Reboot computer then post back with the following logs.

- New HiajckThis log
- OTMoveit2 log
  • 0

#8
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
The following errors occured with Moveit:

---------------------------
OTMoveIt2: OTMoveIt2.exe - Bad Image
---------------------------
The application or DLL C:\WINDOWS\system32\RYFLSZGMT.DLL is not a valid Windows image. Please check this against your installation diskette.
---------------------------
OK
---------------------------

---------------------------
OTMoveIt2: OTMoveIt2.exe - Bad Image
---------------------------
The application or DLL C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL is not a valid Windows image. Please check this against your installation diskette.
---------------------------
OK
---------------------------

---------------------------
OTMoveIt2: OTMoveIt2.exe - Bad Image
---------------------------
The application or DLL C:\WINDOWS\system32\iFF1ugX7.dll is not a valid Windows image. Please check this against your installation diskette.
---------------------------
OK
---------------------------

Here is the Moveit log:
File/Folder C:\WINDOWS\Downlo~1\oa6b.dll not found.
C:\WINDOWS\system32\d86a.exe moved successfully.
File/Folder C:\WINDOWS\system32\DFE31251.EXE not found.
C:\WINDOWS\system32\959AE.exe moved successfully.
File/Folder C:\WINDOWS\system32\82856473.EXE not found.
File/Folder C:\WINDOWS\system32\vcplay.exe not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe not found.
File/Folder C:\WINDOWS\system32\291.dll not found.
C:\WINDOWS\system32\AF86F.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\RYFLSZGMT.DLL
C:\WINDOWS\system32\RYFLSZGMT.DLL NOT unregistered.
C:\WINDOWS\system32\RYFLSZGMT.DLL moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL
C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL NOT unregistered.
C:\WINDOWS\system32\GMTAJQWDJQWDJQW.DLL moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\iFF1ugX7.dll
C:\WINDOWS\system32\iFF1ugX7.dll NOT unregistered.
C:\WINDOWS\system32\iFF1ugX7.dll moved successfully.
C:\WINDOWS\-19101-6132 moved successfully.
C:\WINDOWS\system32\22101-6132 moved successfully.
File/Folder not found.
< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2D9FF877] >
File/Folder [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2D9FF877] not found.
< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\959AE] >
File/Folder [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\959AE] not found.
< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FEE5B96] >
File/Folder [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FEE5B96] not found.
< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServicevcHelp] >
File/Folder [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServicevcHelp] not found.
< [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysloader] >
File/Folder [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysloader] not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05192008_141500


Here is the Hijack log before the reboot:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:52 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9968 bytes


Here is the log after the reboot:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:20 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 易趣购物 - C:\Program Files\AD4All\link1\ebaylink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Event loader (sysloader) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\sysloader.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9907 bytes


Does it matter if you restart or turn off w/out updates or with updates?

Edited by chickneedshelp, 19 May 2008 - 01:32 PM.

  • 0

#9
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

Does it matter if you restart or turn off w/out updates or with updates?


You should turn on Automatic update. This ensures that your system has the latest patches and fixes improving overall security and performance of your computer. :)

Looking good.

Next,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#10
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Well, I didn't get any .dll errors when the machine rebooted - woohoo! Does that mean it's clean?

Here is a new Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:17 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9945 bytes


Here is the Combofix log:

ComboFix 08-05-19.4 - Lori 2008-05-20 6:47:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\finder.dll
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\_keepfile
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\Af8w3oXeYJ_2026
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\vscan.dat
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\9H36WXZX\www.inter-focus.cn
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\#SharedObjects\9H36WXZX\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Eric\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\Eric\Favorites\找到123网址导航.url
C:\Documents and Settings\Kaitlyn\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\LocalService\Favorites\找到123网址导航.url
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\__utipkdzbjipgk
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_checkloader
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_inifid
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_inifiletime3
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_inimac
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_loaderfiletime2
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\_rtiwcitljgh3
C:\Documents and Settings\Lori\Favorites\找到123网址导航.url
C:\Program Files\ad4all
C:\Program Files\ad4all\Install.exe
C:\Program Files\ad4all\install.ini
C:\Program Files\ad4all\link1\eachlink.htm
C:\Program Files\ad4all\link1\eachlink.ico
C:\Program Files\ad4all\link1\ebaylink.htm
C:\Program Files\ad4all\link1\ebaylink.ico
C:\Program Files\ad4all\link1\install.ini
C:\Program Files\ad4all\link1\Thumbs.db
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\Incesoft\XiaoiAlerts
C:\Program Files\Incesoft\XiaoiAlerts\MSNMessengerLib.dll
C:\WINDOWS\system32\drivers\0z9m.sys
C:\WINDOWS\system32\drivers\euiibm89.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\k11965631972.exe
C:\WINDOWS\system32\k119760054115.exe
C:\WINDOWS\system32\llk1196392283.h
C:\WINDOWS\system32\mhsha1.dat
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\SHQ.DLL
C:\WINDOWS\system32\SHQMANGR.DLL
C:\WINDOWS\system32\wbem\WDJRXELSZGM.MDA
C:\WINDOWS\TEMP\~my1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APCDLI
-------\Legacy_EUIIBM89
-------\Legacy_MXDISPDR
-------\Legacy_NETBI0S
-------\Legacy_SERVICEVCHELP
-------\Legacy_SYSLOADER
-------\Legacy_YIQILAI
-------\Service_euiibm89
-------\Service_mxdispdr
-------\Service_ServicevcHelp
-------\Service_sysloader
-------\Legacy_0z9m
-------\Service_0z9m


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 06:55 . 2008-05-20 06:55 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-19 14:15 . 2008-05-19 14:15 <DIR> d-------- C:\_OTMoveIt
2008-05-18 14:33 . 2008-05-18 14:33 <DIR> d-------- C:\Deckard
2008-05-18 13:26 . 2008-05-18 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:25 . 2008-05-18 18:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:25 . 2008-05-18 13:25 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
2008-05-18 13:24 . 2008-05-18 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 10:03 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:04 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-05-15 20:04 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-05-15 20:02 . 2004-08-10 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-15 20:01 . 2004-08-10 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-15 18:54 . 2008-05-15 19:13 <DIR> d-------- C:\Program Files\CCleaner
2008-05-13 18:12 . 2008-05-15 19:21 <DIR> d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Lavasoft
2008-05-11 15:19 . 2008-05-20 06:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 15:19 . 2008-05-11 15:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 12:54 . 2008-05-12 19:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-07 12:54 . 2008-05-07 12:55 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-07 12:54 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-05-07 12:54 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-07 12:54 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-07 12:54 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-07 12:54 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-05 20:21 . 2008-05-05 20:21 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Talkback
2008-05-04 16:14 . 2008-05-04 16:14 <DIR> d-------- C:\Program Files\Picasa2
2008-05-04 16:14 . 2006-10-04 21:42 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-04 16:14 . 2006-10-04 21:42 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-04 16:13 . 2008-05-04 16:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-05-04 16:12 . 2008-05-17 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Program Files\Uniblue
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Uniblue
2008-04-30 14:13 . 2008-05-01 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 20:10 . 2008-04-28 20:10 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-28 19:43 . 2008-04-28 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 11:47 --------- d-----w C:\Program Files\Incesoft
2008-05-18 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-18 19:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 18:36 --------- d-----w C:\Program Files\Trend Micro
2008-05-13 00:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 23:41 --------- d-----w C:\Program Files\Google
2008-05-04 21:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 00:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 00:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 23:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 22:29 389120]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 10:31 68856]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-04-23 11:19 1189104]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 11:39 7323648]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 22:21 823362]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 20:09 1537648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13 29744]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 20:10 11776]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-04 16:12:22 124400]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S0 n1d8tmvsz;n1d8tmvsz;C:\WINDOWS\system32\drivers\n1d8tmvsz.sys [2004-08-10 06:00]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13]
S4 2D9FF877;2D9FF877;C:\WINDOWS\system32\DFE31251.EXE []
S4 959AE;959AE;C:\WINDOWS\system32\959AE.exe []
S4 FEE5B96;FEE5B96;C:\WINDOWS\system32\82856473.EXE []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-19 15:10:00 C:\WINDOWS\Tasks\740.job"
- C:\WINDOWS\Downlo~1\740.exe
"2008-05-17 15:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-19 19:11:46 C:\WINDOWS\Tasks\b71.job"
- C:\WINDOWS\system32\291.dll,Always
"2008-05-18 23:01:17 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 06:58:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-20 7:04:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 12:04:04

Pre-Run: 95,671,554,048 bytes free
Post-Run: 95,800,827,904 bytes free

259 --- E O F --- 2008-05-18 21:05:04


If the machine is clean, can I uninstall all the tools/utilities we used? Which anti-virus/spyware program do you recommend I leave on?

Thanks for all your assistance!!!

Edited by chickneedshelp, 20 May 2008 - 05:22 PM.

  • 0

Advertisements


#11
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Nice to hear that you no longer receive error but we're not done yet.
We still have to do some more cleanup and an online scan later on. :)

Please stick we me until we get you all cleaned up.

Next,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
n1d8tmvsz

File::
C:\WINDOWS\system32\drivers\n1d8tmvsz.sys
C:\WINDOWS\Tasks\740.job
C:\WINDOWS\Downlo~1\740.exe
C:\WINDOWS\Tasks\b71.job
C:\WINDOWS\system32\291.dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2D9FF877]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\959AE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FEE5B96]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\n1d8tmvsz]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_euiibm89]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_mxdispdr]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_ServicevcHelp]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_sysloader]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_0z9m]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_APCDLI]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_EUIIBM89]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_MXDISPDR]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_NETBI0S]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SERVICEVCHELP]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SYSLOADER]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_YIQILAI]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_0z9m]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by koko_crunch, 22 May 2008 - 01:00 PM.

  • 0

#12
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
You are right, after logging in this morn I did get another '291.dll' error.

Here is the new combofix log:


ComboFix 08-05-19.4 - Lori 2008-05-21 11:55:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.545 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Downlo~1\740.exe
C:\WINDOWS\system32\291.dll
C:\WINDOWS\system32\drivers\n1d8tmvsz.sys
C:\WINDOWS\Tasks\740.job
C:\WINDOWS\Tasks\b71.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\n1d8tmvsz.sys
C:\WINDOWS\Tasks\740.job
C:\WINDOWS\Tasks\b71.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_n1d8tmvsz


((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 18:57 . 2008-05-20 19:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-19 14:15 . 2008-05-19 14:15 <DIR> d-------- C:\_OTMoveIt
2008-05-18 14:33 . 2008-05-18 14:33 <DIR> d-------- C:\Deckard
2008-05-18 13:26 . 2008-05-18 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:25 . 2008-05-18 18:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:25 . 2008-05-18 13:25 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
2008-05-18 13:24 . 2008-05-18 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 10:03 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:04 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-05-15 20:04 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-05-15 20:02 . 2004-08-10 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-15 20:01 . 2004-08-10 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-15 18:54 . 2008-05-15 19:13 <DIR> d-------- C:\Program Files\CCleaner
2008-05-13 18:12 . 2008-05-15 19:21 <DIR> d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-05-12 19:11 . 2008-05-20 18:38 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Lavasoft
2008-05-11 15:19 . 2008-05-20 18:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 15:19 . 2008-05-11 15:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 12:54 . 2008-05-12 19:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-07 12:54 . 2008-05-07 12:55 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-07 12:54 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-05-07 12:54 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-07 12:54 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-07 12:54 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-07 12:54 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-05 20:21 . 2008-05-05 20:21 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Talkback
2008-05-04 16:14 . 2008-05-04 16:14 <DIR> d-------- C:\Program Files\Picasa2
2008-05-04 16:14 . 2006-10-04 21:42 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-04 16:14 . 2006-10-04 21:42 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-04 16:13 . 2008-05-04 16:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-05-04 16:12 . 2008-05-21 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Program Files\Uniblue
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Uniblue
2008-04-30 14:13 . 2008-05-01 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 20:10 . 2008-04-28 20:10 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-28 19:43 . 2008-04-28 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 11:47 --------- d-----w C:\Program Files\Incesoft
2008-05-18 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-18 19:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 18:36 --------- d-----w C:\Program Files\Trend Micro
2008-05-13 00:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 23:41 --------- d-----w C:\Program Files\Google
2008-05-04 21:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 00:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 00:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 23:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
.

((((((((((((((((((((((((((((( [email protected]_ 7.03.52.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 11:53:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:01:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:01:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
+ 2008-05-21 17:01:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 22:29 389120]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 10:31 68856]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-04-23 11:19 1189104]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 11:39 7323648]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 22:21 823362]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 20:09 1537648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13 29744]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 20:10 11776]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-04 16:12:22 124400]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13]
S4 2D9FF877;2D9FF877;C:\WINDOWS\system32\DFE31251.EXE []
S4 959AE;959AE;C:\WINDOWS\system32\959AE.exe []
S4 FEE5B96;FEE5B96;C:\WINDOWS\system32\82856473.EXE []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 23:54:29 C:\WINDOWS\Tasks\Backup.job"
- C:\WINDOWS\system32\ntbackup.exe
"2008-05-18 23:01:17 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 12:02:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


Here is a new Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:05 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10104 bytes
  • 0

#13
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Still some leftovers...

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\DFE31251.EXE
C:\WINDOWS\system32\959AE.exe
C:\WINDOWS\system32\82856473.EXE

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2D9FF877]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\959AE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FEE5B96]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service_n1d8tmvsz]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Edited by koko_crunch, 22 May 2008 - 12:58 PM.

  • 0

#14
chickneedshelp

chickneedshelp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Combo log:

ComboFix 08-05-19.4 - Lori 2008-05-22 18:19:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -5:00]
Running from: C:\Documents and Settings\Lori\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lori\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\82856473.EXE
C:\WINDOWS\system32\959AE.exe
C:\WINDOWS\system32\DFE31251.EXE
.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 12:06 . 2008-05-21 12:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-20 18:57 . 2008-05-20 19:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-19 14:15 . 2008-05-19 14:15 <DIR> d-------- C:\_OTMoveIt
2008-05-18 14:33 . 2008-05-18 14:33 <DIR> d-------- C:\Deckard
2008-05-18 13:26 . 2008-05-18 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 13:25 . 2008-05-18 18:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 13:25 . 2008-05-18 13:25 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
2008-05-18 13:24 . 2008-05-18 13:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-18 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-18 10:03 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-18 10:03 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-15 20:04 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-05-15 20:04 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-05-15 20:04 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-05-15 20:02 . 2004-08-10 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-15 20:01 . 2004-08-10 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-15 19:53 . 2008-05-15 19:53 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-15 18:54 . 2008-05-15 19:13 <DIR> d-------- C:\Program Files\CCleaner
2008-05-13 18:12 . 2008-05-15 19:21 <DIR> d-------- C:\Documents and Settings\Lori\.housecall6.6
2008-05-12 19:11 . 2008-05-20 18:38 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Lavasoft
2008-05-11 15:19 . 2008-05-21 12:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 15:19 . 2008-05-11 15:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 12:54 . 2008-05-12 19:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-07 12:54 . 2008-05-07 12:55 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\PC Tools
2008-05-07 12:54 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-07 12:54 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-05-07 12:54 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-07 12:54 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-07 12:54 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-07 12:54 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-05 20:21 . 2008-05-05 20:21 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Talkback
2008-05-04 16:14 . 2008-05-04 16:14 <DIR> d-------- C:\Program Files\Picasa2
2008-05-04 16:14 . 2006-10-04 21:42 2,560 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-04 16:14 . 2006-10-04 21:42 2,432 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-04 16:13 . 2008-05-04 16:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-05-04 16:12 . 2008-05-22 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Program Files\Uniblue
2008-05-04 15:41 . 2008-05-04 15:41 <DIR> d-------- C:\Documents and Settings\Lori\Application Data\Uniblue
2008-04-30 14:13 . 2008-05-01 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 20:10 . 2008-04-28 20:10 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-28 19:43 . 2008-04-28 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 23:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-05-21 23:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 11:47 --------- d-----w C:\Program Files\Incesoft
2008-05-16 18:36 --------- d-----w C:\Program Files\Trend Micro
2008-05-13 00:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 23:41 --------- d-----w C:\Program Files\Google
2008-05-04 21:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-31 00:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 00:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 23:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
.

((((((((((((((((((((((((((((( [email protected]_ 7.03.52.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 11:53:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:01:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:01:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
+ 2008-05-21 17:01:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 22:29 389120]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 10:31 68856]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [2008-04-23 11:19 1189104]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 11:39 7323648]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-22 22:21 823362]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 20:09 1537648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13 29744]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 20:10 11776]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 17:00 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-04 16:12:22 124400]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-04 16:13]

*Newly Created Service* - ERASERUTILDRV10741
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 23:54:29 C:\WINDOWS\Tasks\Backup.job"
- C:\WINDOWS\system32\ntbackup.exe
"2008-05-22 01:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 18:22:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\2D9FF877]
"ImagePath"="C:\WINDOWS\system32\DFE31251.EXE -k"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\959AE]
"ImagePath"="C:\WINDOWS\system32\959AE.exe"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FEE5B96]
"ImagePath"="C:\WINDOWS\system32\82856473.EXE -g"
.
Completion time: 2008-05-22 18:23:48
ComboFix-quarantined-files.txt 2008-05-22 23:23:29
ComboFix2.txt 2008-05-21 17:08:53
ComboFix3.txt 2008-05-20 12:04:09

Pre-Run: 95,789,395,968 bytes free
Post-Run: 95,797,186,560 bytes free

181 --- E O F --- 2008-05-18 21:05:04
  • 0

#15
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Much better...

Now to run some housekeeping and an online scan to make sure we didn't miss any... :)

First,

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

Then,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Finally,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP