Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

win32.trojandownloader.Agent

Started by K Galli , May 22 2008 09:37 PM

  • Please log in to reply

#1
K Galli
Posted 22 May 2008 - 09:37 PM

K Galli

    Member

  • Member
  • PipPip
  • 24 posts
A few days ago, I found my computer had gone to the lockout screen that can come up when it goes to a screen saver, the only thing is I've never turned that feature on. It also mentioned something about remote desktop being active and the account name that initially came up when I went to type in my password was "ts$". Once I logged back in my computer warned me that my firewall was not on and that my Symantec antivirus was off. I wasn't able to re-activate either at the time but since then I have followed steps on Microsoft's site and managed to get my firewall back up. Thanks in advance for any help, the requested logs are below or attached (SUPERantispyware isn't included because it didn't find anything).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:44 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gallikem\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://udportal.udayton.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [initwbdh] C:\WINDOWS\system32\inf\svchowb.exe C:\WINDOWS\system32\fdwbdhd16_080521.dll wbdhdlllsm
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200405845875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120147927171
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://udayton.webe...ing/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetMeeting system (NetMeeting winsoshsi) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11891 bytes

Attached Files


  • 0

Advertisements

#2
Tal
Posted 30 May 2008 - 03:43 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi :)

Welcome to GeeksToGo, I also see that you have applied to GeekU - good luck. Let's proceed with the fix :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask! :)

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

Step1 : Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKLM\..\Policies\Explorer\Run: [initwbdh] C:\WINDOWS\system32\inf\svchowb.exe C:\WINDOWS\system32\fdwbdhd16_080521.dll wbdhdlllsm


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step2 : OTMoveIt

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\inf\svchowb.exe
C:\WINDOWS\system32\fdwbdhd16_080521.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step3 : Updating Java

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step4 : DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

Summary

In your next reply, please include the following:
  • OTMoveIt log;
  • DSS logs;
  • A report on how the computer is running now.

Regards,

Tal :)
  • 0

#3
K Galli
Posted 30 May 2008 - 05:12 PM

K Galli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
in step three you say to scroll down to "The J2SE Runtime Environment (JRE) allows end-users to run Java applications" and click download to the right... I can't find that on the site should I just download the one titled "Java Runtime Environment (JRE) 6 Update 6"
  • 0

#4
Tal
Posted 30 May 2008 - 05:28 PM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Yes :)
  • 0

#5
K Galli
Posted 31 May 2008 - 01:08 AM

K Galli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
here are the requested files


OTmoveit log

C:\WINDOWS\system32\inf\svchowb.exe moved successfully.
File/Folder C:\WINDOWS\system32\fdwbdhd16_080521.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05302008_185953


main.txt

Deckard's System Scanner v20071014.68
Run by gallikem on 2008-05-31 02:54:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2008-05-31 06:54:26 UTC - RP164 - Deckard's System Scanner Restore Point
81: 2008-05-31 06:50:52 UTC - RP163 - Installed Java™ 6 Update 6
80: 2008-05-31 06:40:51 UTC - RP162 - Removed Java™ 6 Update 5
79: 2008-05-31 06:40:04 UTC - RP161 - Removed J2SE Runtime Environment 5.0 Update 4
78: 2008-05-30 22:48:55 UTC - RP160 - System Checkpoint


-- First Restore Point --
1: 2008-03-03 05:16:07 UTC - RP83 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as gallikem.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:29 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\gallikem\Desktop\dss.exe
C:\DOCUME~1\gallikem\Desktop\gallikem.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://udportal.udayton.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [mscheck] rundll32.exe "C:\WINDOWS\system32\wicheck080526.dll" wbdhjkl (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [mscheck] rundll32.exe "C:\WINDOWS\system32\wicheck080526.dll" wbdhjkl (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200405845875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120147927171
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://udayton.webe...ing/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetMeeting system (NetMeeting winsoshsi) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11963 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\gallikem\Desktop\backups\) ------------

backup-20080530-182028-527 O4 - HKLM\..\Policies\Explorer\Run: [initwbdh] C:\WINDOWS\system32\inf\svchowb.exe C:\WINDOWS\system32\fdwbdhd16_080529.dll wbdhdlllsm

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NICM (Novell InterService Communication Driver) - c:\windows\system32\drivers\nicm.sys <Not Verified; Novell, Inc.; Novell XTier for Windows>
R0 NWFILTER (Novell UNC Path Filter) - c:\windows\system32\netware\nwfilter.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R1 nipplpt2 (Novell iCapture Lpt Redirector 2) - c:\windows\system32\drivers\nipplpt.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 BlankScr (HBDevice) - c:\windows\system32\drivers\blankscr.sys <Not Verified; Novell Inc.; ZENworks Remote Management>
R2 NetwareWorkstation (Novell Client for Windows) - c:\windows\system32\netware\nwfs.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 NWDHCP (Novell DHCP Inform Client) - c:\windows\system32\netware\nwdhcp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 RESMGR (Novell NetWare Resource Manager) - c:\windows\system32\netware\resmgr.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 SRVLOC (Novell Service Location) - c:\windows\system32\netware\srvloc.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWDNS (Novell DNS Name Space Service Provider) - c:\windows\system32\netware\nwdns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWHOST (Novell Host File Name Space Service Provider) - c:\windows\system32\netware\nwhost.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSLP (Novell SLP Name Space Service Provider) - c:\windows\system32\netware\nwslp.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 NWSNS (Novell Simple Naming Services) - c:\windows\system32\netware\nwsns.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S2 NWSIPX32 (Novell NetWare IPX/SPX Transport Interface) - c:\windows\system32\netware\nwsipx32.sys <Not Verified; Novell, Inc.; Novell Client for Windows>
S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 NWSAP (Novell SAP Name Space Provider) - c:\windows\system32\netware\nwsap.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Multi-user Cleanup Service - "c:\program files\lotus\notes\ntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 NALNTSERVICE (Novell Application Launcher) - c:\program files\novell\zenworks\nalntsrv.exe <Not Verified; Novell, Inc.; >
R2 OwnershipProtocol - c:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 Remote Management Agent (Novell ZENworks Remote Management Agent) - c:\program files\novell\zenworks\remotemanagement\rmagent\zenrem32.exe <Not Verified; Novell, Inc.; ZENworks Remote Management>
R2 XTAgent (Novell XTier Agent Services) - c:\windows\system32\novell\xtagent.exe <Not Verified; Novell, Inc.; NetIdentity>
R2 ZFDWM (Workstation Manager) - c:\program files\novell\zenworks\wm.exe <Not Verified; Novell, Inc.; ZENworks Desktop Management>

S2 Creative Service for CDROM Access - c:\windows\system32\ctsvccda.exe (file missing)
S2 NetMeeting winsoshsi (NetMeeting system) - c:\program files\netmeeting\netmeetingsysw
S3 cusrvc (Client Update Service for Novell) - c:\windows\system32\cusrvc.exe <Not Verified; Novell, Inc.; Novell Client for Windows>
S4 RSX (Restart Service X) - c:\windows\system32\srvany.exe
S4 urtclientservice (URT Client Service) - c:\windows\system32\urtclsvc.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-28 14:12:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-04-19 09:51:38 570 --a------ C:\WINDOWS\Tasks\18AUG2007.job


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 02:51:01 0 d-------- C:\Program Files\Common Files\Java
2008-05-29 21:53:13 51 --a------ C:\mycjjk.bat
2008-05-29 05:31:53 29696 --a------ C:\WINDOWS\system32\fdwbdhd16_080529.dll
2008-05-27 22:01:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-27 22:00:18 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-27 21:07:01 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-27 21:06:53 0 d-------- C:\Documents and Settings\gallikem\Application Data\SystemRequirementsLab
2008-05-27 20:50:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-27 20:35:35 27036 -r-hs---- C:\WINDOWS\system32\wicheck080526.exe
2008-05-27 20:35:35 28672 -r-hs---- C:\WINDOWS\system32\wicheck080526.dll
2008-05-21 23:09:37 0 d-------- C:\Program Files\Panda Security
2008-05-21 19:27:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 19:27:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 19:27:11 0 d-------- C:\Documents and Settings\gallikem\Application Data\SUPERAntiSpyware.com
2008-05-21 18:50:33 0 d-------- C:\Documents and Settings\gallikem\Application Data\Malwarebytes
2008-05-21 18:50:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 18:50:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 18:48:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-20 22:20:48 0 d-------- C:\Documents and Settings\gallikem\Application Data\Uniblue
2008-05-20 19:48:14 381286 --a------ C:\WINDOWS\system32\xiaoji_hgz.exe
2008-05-20 04:02:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-20 04:02:33 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-20 04:02:09 0 d-------- C:\WINDOWS\system32\inf
2008-05-20 00:29:57 400 --a------ C:\Program Files\33891126.reg
2008-05-06 11:43:11 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-05-06 11:43:11 75976 --a------ C:\WINDOWS\War3Unin.dat
2008-05-06 11:43:10 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-05-06 11:38:28 0 d-------- C:\Program Files\Warcraft III


-- Find3M Report ---------------------------------------------------------------

2008-05-31 02:51:57 0 d-------- C:\Program Files\Java
2008-05-31 02:51:01 0 d-------- C:\Program Files\Common Files
2008-05-27 20:48:23 0 d-------- C:\Documents and Settings\gallikem\Application Data\Mozilla
2008-05-21 19:25:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 22:37:40 0 d-------- C:\Program Files\Symantec
2008-05-20 17:47:35 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-17 13:12:53 0 d-------- C:\Documents and Settings\gallikem\Application Data\goombah
2008-04-17 12:23:53 0 d-------- C:\Documents and Settings\gallikem\Application Data\Ruckus Network
2008-04-14 14:07:47 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-04-14 14:07:46 0 d-------- C:\Program Files\Oberon Media
2008-04-12 16:13:32 0 d-------- C:\Documents and Settings\gallikem\Application Data\My Battle for Middle-earth™ II Files
2008-04-12 15:36:34 0 d-------- C:\Program Files\Electronic Arts
2008-04-10 11:33:55 0 d-------- C:\Program Files\Xvid
2008-04-10 10:53:30 0 d-------- C:\Program Files\Emergent Music LLC
2008-04-10 10:34:07 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-16 00:59:48 2549 -----n--- C:\WINDOWS\unins000.dat
2008-03-16 00:57:22 691545 -----n--- C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/01/2004 10:03 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/01/2004 08:59 PM]
"AGRSMMSG"="AGRSMMSG.exe" [07/22/2004 01:38 AM C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [04/28/2003 03:08 AM]
"@"="" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/15/2004 11:27 AM]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [10/15/2004 11:31 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06/18/2003 02:44 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/15/2004 01:07 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/30/2005 11:26 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 07:27 PM]
"HP Software Update"="C:\Program Files\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/11/2004 12:15 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"SoundMan"="SOUNDMAN.EXE" [08/30/2004 01:48 AM C:\WINDOWS\SOUNDMAN.EXE]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [05/17/2004 02:27 PM]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 10:37 AM C:\WINDOWS\system32\nwtray.exe]
"ZENRC Tray Icon"="zentray.exe" [05/18/2005 06:04 PM C:\WINDOWS\system32\zentray.exe]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [01/03/2005 12:21 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 04:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 04:22 AM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [10/18/2006 04:14 PM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [10/18/2006 04:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [6/13/2006 8:51:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoDevMgrUpdate"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"mscheck"=rundll32.exe "C:\WINDOWS\system32\wicheck080526.dll" wbdhjkl

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [06/28/2006 03:00 PM 446464]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 10/15/2004 11:27 AM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 05/02/2006 10:17 AM 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
C:\WINDOWS\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZENRC Tray Icon]
zentray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"urtclientservice"=2 (0x2)
"RSX"=2 (0x2)
"Remote Management Agent"=2 (0x2)
"cusrvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fee15ee-a55a-11da-b50d-000fb07d2017}]
AutoRun\command- G:\JDSecure\Windows\JDSecure31.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
127.0.0.1 www.wazzupnet.com
127.0.0.1 gueb.com
127.0.0.1 kabex.com

8576 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-31 02:57:07 ------------


extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 2.00GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 1015.42 MiB / 495.76 MiB
Pagefile Memory (total/avail): 2445.59 MiB / 2023.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.14 MiB

C: is Fixed (NTFS) - 74.41 GiB total, 21.13 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - TOSHIBA MK8025GAS - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 74.41 GiB - C:
\PARTITION1 - Unknown - 101.98 MiB



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dpmw32.exe"="C:\\WINDOWS\\system32\\dpmw32.exe:*:Disabled:NDPS RPM & Notification Listener"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\gallikem\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GALLIKEM-WS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\GALLIKEM-WS
NUMBER_OF_PROCESSORS=1
OMP_NUM_THREADS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\program files\common files\autodesk shared\;f:\the gimp\2.0\bin;C:\WINDOWS\system32\nls;C:\WINDOWS\system32\nls\english;c:\program files\novell\zenworks\;C:\Program Files\MATLAB\R2007a\bin;C:\Program Files\MATLAB\R2007a\bin\win32;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\gallikem\LOCALS~1\Temp
TMP=C:\DOCUME~1\gallikem\LOCALS~1\Temp
UDManufacturer=Tangent
UDModel=PowerNotebook
UDSerial=5072071ws151396
UDTerm=Aug
UDYear=2005
USERDOMAIN=GALLIKEM-WS
USERNAME=gallikem
USERPROFILE=C:\Documents and Settings\gallikem
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

gallikem (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\DOCUME~1\gallikem\MYDOCU~1\Ruckus\RUCKUS~1\UNWISE.EXE /a C:\DOCUME~1\gallikem\MYDOCU~1\Ruckus\RUCKUS~1\INSTALL.LOG
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Age of Mythology --> "C:\games\AOM\UNINSTAL.EXE" /runtemp /addremove
Agere Systems AC'97 Modem --> agrsmdel
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Anvil Studio --> C:\WINDOWS\ST5UNST.EXE -n "f:\anvil\ST5UNST.LOG"
AOEMView 2008 --> C:\Program Files\AOEMView 2008\Setup\Setup.exe /P {6F411DB4-EC41-482B-AD46-384957928F69} /M AOEM
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AutoCAD 2005 - English --> MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
AutoCAD 2008 - English --> C:\Program Files\AutoCAD 2008\Setup\Setup.exe /P {5783F2D7-6001-0409-0002-0060B0CE6BBA} /M ACAD
Autodesk Design Review 2008 --> MsiExec.exe /I{FACF203E-0F4D-489A-B80C-D185253C8FCB}
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
Autodesk Inventor Professional 2008 --> MsiExec.exe /I{7F4DD591-1200-0409-0000-7107D70F3DB4}
Battle.net --> C:\WINDOWS\bnetunin.exe
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Bonjour Core for Windows --> MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
Catan - The Computer Game --> "C:\Program Files\Oberon Media\Catan - The Computer Game\Uninstall.exe" "C:\Program Files\Oberon Media\Catan - The Computer Game\install.log"
Civilization III Complete Edition --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2157961D-0507-44A8-BCF2-1EE2D439E8DF}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DesertCombat 0.7 --> C:\WINDOWS\iun6002.exe "C:\Games\Battlefield 1942\DesertCombat.ini"
DWG TrueView 2007 --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
Easy Button --> C:\WINDOWS\UnInst32.exe EzButton.UNI
Goombah Partner COM Server --> MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
GTK+ 2.8.9 runtime environment --> "F:\The Gimp\2.0\unins000.exe"
Heroes of Might and Magic® III --> C:\WINDOWS\IsUninst.exe -fc:\games\Heroes3\Uninst.isu -c"c:\games\Heroes3\uninst.dll
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Documents and Settings\gallikem\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone 4.2 --> C:\Program Files\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
HP Unload DLL Patch --> MsiExec.exe /X{595D0DE8-C38A-4432-B851-47DECC1A99BD}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Lotus Notes 6.5.3 --> MsiExec.exe /I{897891A6-6F93-49E0-B7D9-74FAF2AA862D}
Macromedia Authorware Web Player --> C:\WINDOWS\system32\Macromed\AUTHORWA\UNWISE.EXE C:\WINDOWS\system32\Macromed\AUTHORWA\Install.log
Macromedia Shockwave Player --> MsiExec.exe /X{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MATLAB R2007a --> C:\Program Files\MATLAB\R2007a\uninstall\uninstall.exe C:\Program Files\MATLAB\R2007a\
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Age of Empires II --> "C:\Games\AOE\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft WSE 3.0 Runtime --> MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
NMAS Challenge Response Method --> MsiExec.exe /X{B9A5A789-D491-49FB-958C-BFEC2C11BB1D}
NMAS Client --> MsiExec.exe /I{9B427732-573E-4E78-B6FA-AC3E5A218BA2}
Novell Client for Windows --> %SystemRoot%\system32\rundll32 nwsetup.dll NWUninstallClient
Novell iPrint Client v04.26.00 --> C:\WINDOWS\system32\iprint\setupipp.exe /uninstall
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Pyware 3D Java Interactive Viewer --> "F:\drill\UninstallerData\Uninstall installer.exe"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer Enterprise --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealOneEnt|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Rise of Nations --> "C:\Program Files\Microsoft Games\Rise of Nations\Uninstal.exe" /runtemp /uninstall
Roxio Backup MyPC Deluxe --> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Ruckus Player --> C:\DOCUME~1\gallikem\MYDOCU~1\Ruckus\RUCKUS~1\UNWISE.EXE C:\DOCUME~1\gallikem\MYDOCU~1\Ruckus\RUCKUS~1\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 2.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster v3.4 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Battle for Middle-earth ™ II --> C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\EAUninstall.exe
Unreal Tournament 2004 --> C:\Games\UT2004\System\Setup.exe uninstall "UT2004"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WebEx Recorder and Player --> MsiExec.exe /I{1D243F00-1389-4C63-A7E9-B17E967D1901}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Write-N-Cite --> C:\PROGRA~1\Refworks\UNWISE.EXE C:\PROGRA~1\Refworks\INSTALL.LOG
XML Paper Specification Shared Components Pack 1.0 -->
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
ZENworks Desktop Management Agent --> MsiExec.exe /I{7878B1D4-B2CB-4EA8-9A0A-7E0575D23B96}


-- Application Event Log -------------------------------------------------------

Event Record #/Type16414 / Warning
Event Submitted/Written: 05/31/2008 02:47:57 AM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type16400 / Warning
Event Submitted/Written: 05/30/2008 11:32:22 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type16388 / Warning
Event Submitted/Written: 05/30/2008 06:25:16 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type16373 / Warning
Event Submitted/Written: 05/30/2008 05:57:01 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type16358 / Warning
Event Submitted/Written: 05/29/2008 09:59:19 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42677 / Error
Event Submitted/Written: 05/31/2008 02:47:57 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SAVRT service failed to start due to the following error:
%%31

Event Record #/Type42676 / Error
Event Submitted/Written: 05/31/2008 02:47:57 AM
Event ID/Source: 6 / SAVRT
Event Description:
Incompatible version of SYMEVENT.SYS is loaded.

Event Record #/Type42675 / Error
Event Submitted/Written: 05/31/2008 02:47:52 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SAVRT service failed to start due to the following error:
%%31

Event Record #/Type42674 / Error
Event Submitted/Written: 05/31/2008 02:47:52 AM
Event ID/Source: 6 / SAVRT
Event Description:
Incompatible version of SYMEVENT.SYS is loaded.

Event Record #/Type42666 / Error
Event Submitted/Written: 05/31/2008 02:47:11 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NetMeeting system service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-05-31 02:57:07 ------------




As far as I can tell the computer is running fine. I have yet to see a random popup but I still can't enable autoprotect on Symantic Antivirus, and my computer gives me warnings about that. Also my computer started playing random bits of songs and people talking(like in a news report) before I recieved these instructions... is that part of a virus or just my system somehow picking up radio or such?

Thanks for the help. I really appreciate the time you have given to solving my problem.
  • 0

#6
Tal
Posted 01 June 2008 - 07:37 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi again, sorry for the delay.

You still have some infections present on your PC which may disable Norton. Let's see if removing them helps.

Step1 : Registry Fix

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)


  • Please go to Start > Run
  • Paste in the following line: regedit /e c:\registrybackup.reg
  • Click OK. It won't appear to be doing anything, that's normal.
  • Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"mscheck"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-

Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Step2 : OTMoveIt

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wicheck080526.dll
C:\Windows\system32\ziswin.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

In your next reply, please include the OTMoveIt log and a new DSS log.

Regards,

Tal.
  • 0

#7
K Galli
Posted 02 June 2008 - 05:21 PM

K Galli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Don't worry about the delay, you're volunteering your time to help me.



OTMoveIt log

File/Folder C:\WINDOWS\system32\wicheck080526.dll not found.
C:\Windows\system32\ziswin.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06022008_191504



DSS log

Deckard's System Scanner v20071014.68
Run by gallikem on 2008-06-02 19:19:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as gallikem.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:53 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gallikem\My Documents\Ruckus\RUCKUS~1\Ruckus.exe
C:\Program Files\Emergent Music LLC\Goombah Partner COM Server\dist\goombahcom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\gallikem\Desktop\Malware Removal Files\dss.exe
C:\DOCUME~1\gallikem\Desktop\MALWAR~2\gallikem.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://udportal.udayton.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200405845875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120147927171
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://udayton.webe...ing/ieatgpc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NetMeeting system (NetMeeting winsoshsi) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 12189 bytes

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 19:09:32 118813086 --a------ C:\registrybackup.reg
2008-06-01 03:20:47 0 d-------- C:\Program Files\Windows Defender
2008-05-31 02:51:01 0 d-------- C:\Program Files\Common Files\Java
2008-05-29 21:53:13 51 --a------ C:\mycjjk.bat
2008-05-27 22:01:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-27 22:00:18 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-27 21:07:01 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-27 21:06:53 0 d-------- C:\Documents and Settings\gallikem\Application Data\SystemRequirementsLab
2008-05-27 20:50:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-21 23:09:37 0 d-------- C:\Program Files\Panda Security
2008-05-21 19:27:28 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 19:27:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 19:27:11 0 d-------- C:\Documents and Settings\gallikem\Application Data\SUPERAntiSpyware.com
2008-05-21 18:50:33 0 d-------- C:\Documents and Settings\gallikem\Application Data\Malwarebytes
2008-05-21 18:50:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 18:50:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 18:48:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-20 22:20:48 0 d-------- C:\Documents and Settings\gallikem\Application Data\Uniblue
2008-05-20 19:48:14 381286 --a------ C:\WINDOWS\system32\xiaoji_hgz.exe
2008-05-20 04:02:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-20 04:02:33 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-20 04:02:09 0 d-------- C:\WINDOWS\system32\inf
2008-05-20 00:29:57 400 --a------ C:\Program Files\33891126.reg
2008-05-06 11:43:11 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-05-06 11:43:11 75976 --a------ C:\WINDOWS\War3Unin.dat
2008-05-06 11:43:10 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-05-06 11:38:28 0 d-------- C:\Program Files\Warcraft III


-- Find3M Report ---------------------------------------------------------------

2008-06-02 19:01:51 0 d-------- C:\Documents and Settings\gallikem\Application Data\Ruckus Network
2008-06-01 02:45:55 0 d-------- C:\Documents and Settings\gallikem\Application Data\goombah
2008-05-31 02:51:57 0 d-------- C:\Program Files\Java
2008-05-31 02:51:01 0 d-------- C:\Program Files\Common Files
2008-05-27 20:48:23 0 d-------- C:\Documents and Settings\gallikem\Application Data\Mozilla
2008-05-21 19:25:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 22:37:40 0 d-------- C:\Program Files\Symantec
2008-05-20 17:47:35 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-14 14:07:47 0 d-------- C:\Program Files\Common Files\Oberon Media
2008-04-14 14:07:46 0 d-------- C:\Program Files\Oberon Media
2008-04-12 16:13:32 0 d-------- C:\Documents and Settings\gallikem\Application Data\My Battle for Middle-earth™ II Files
2008-04-12 15:36:34 0 d-------- C:\Program Files\Electronic Arts
2008-04-10 11:33:55 0 d-------- C:\Program Files\Xvid
2008-04-10 10:53:30 0 d-------- C:\Program Files\Emergent Music LLC
2008-04-10 10:34:07 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-16 00:59:48 2549 -----n--- C:\WINDOWS\unins000.dat
2008-03-16 00:57:22 691545 -----n--- C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [11/01/2004 10:03 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [11/01/2004 08:59 PM]
"AGRSMMSG"="AGRSMMSG.exe" [07/22/2004 01:38 AM C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [04/28/2003 03:08 AM]
"@"="" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/15/2004 11:27 AM]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [10/15/2004 11:31 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06/18/2003 02:44 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [07/15/2004 01:07 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/30/2005 11:26 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 07:27 PM]
"HP Software Update"="C:\Program Files\HP Software Update\HPWuSchd2.exe" [02/12/2004 01:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 03:18 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/11/2004 12:15 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"SoundMan"="SOUNDMAN.EXE" [08/30/2004 01:48 AM C:\WINDOWS\SOUNDMAN.EXE]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [05/17/2004 02:27 PM]
"NWTRAY"="NWTRAY.EXE" [03/12/2002 10:37 AM C:\WINDOWS\system32\nwtray.exe]
"ZENRC Tray Icon"="zentray.exe" [05/18/2005 06:04 PM C:\WINDOWS\system32\zentray.exe]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [01/03/2005 12:21 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 04:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 04:22 AM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [10/18/2006 04:14 PM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [10/18/2006 04:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [6/13/2006 8:51:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoDevMgrUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [06/28/2006 03:00 PM 446464]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 10/15/2004 11:27 AM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 05/02/2006 10:17 AM 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
C:\WINDOWS\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZENRC Tray Icon]
zentray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"urtclientservice"=2 (0x2)
"RSX"=2 (0x2)
"Remote Management Agent"=2 (0x2)
"cusrvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fee15ee-a55a-11da-b50d-000fb07d2017}]
AutoRun\command- G:\JDSecure\Windows\JDSecure31.exe




-- End of Deckard's System Scanner: finished at 2008-06-02 19:20:23 ------------

many thanks,

K Galli
  • 0

#8
Tal
Posted 03 June 2008 - 02:14 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Other than a few bad files - I think you're clean :) After finishing the fix, let me know if you still experience any of the mentioned symptoms, and try to re-enable Symantec again.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\mycjjk.bat
C:\WINDOWS\system32\xiaoji_hgz.exe
C:\Program Files\33891126.reg
C:\WINDOWS\unins000.dat
C:\WINDOWS\unins000.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Tal
  • 0

#9
K Galli
Posted 04 June 2008 - 09:05 PM

K Galli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Tal, do you work with Airplanes or the like? Anyways here's my OTMoveit2 log


C:\mycjjk.bat moved successfully.
C:\WINDOWS\system32\xiaoji_hgz.exe moved successfully.
C:\Program Files\33891126.reg moved successfully.
C:\WINDOWS\unins000.dat moved successfully.
C:\WINDOWS\unins000.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06032008_191327

I still can't enable Symantec but I have spywareblaster and added spywareguard for auto protect and both run fine. Should those with a firewall be enough to keep me generally safe?

Thanks again for all the help.

K Galli
  • 0

#10
Tal
Posted 06 June 2008 - 12:52 PM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi K Galli,

I don't work with airplanes as I'm still in high school, but it's one of my hobbies :) If I remember correctly, you are studying to be an aviation engineer? Anyway - try re-installing Symantec. I'm not sure on why it's not enabling - you do need active anti virus protection. Perhaps it has expired? There are free (and better than Symantec, to be honest) solutions on the market: AVG Free, Avast!, Anti-Vir.

Let me know what happens if you reinstall Symantec.

Regards,

Tal.
  • 0

#11
K Galli
Posted 13 June 2008 - 10:20 PM

K Galli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I'm going to ditch symantec and go with one of the programs you've suggested, when I have some free time and can get on the computer for more than 5 minutes. Thanks for all the help, As far as I know my computer runs fine and other than getting a new anti virus program I'm good to go. As far as I know this topic can be closed.

As for the engineer thing, yeah, somewhat. I'm studying to be a mechanical engineer but I'm focusing on the aviation side of mechanical design.
  • 0

#12
Tal
Posted 16 June 2008 - 08:47 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
You're welcome. It's an interesting profession - I keep thinking of Joe Sutter as an example of an aviation engineer :)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP