Darksma downloader, vundo(s)? [RESOLVED]



#1
Ball Tripper

Ball Tripper

    New Member

  • Member
  • Pip
  • 9 posts
My computer has been terribly sluggish lately; when I get online I encounter an unbearable amount of pop-up ads and Internet Explorer crashes. Sometimes my computer does weird things like turn off automatic Windows updates and doesn't allow me to turn them back on, and sometimes it tells me Task Manager has been disabled by the administrator when I press Ctrl+Alt+Delete. My user account is the only one on the computer and it has administrator access. I run CA Security Center and it is supposed to protect me from viruses and spyware, but it can't seem to take care of this one. Every now and then the little alert will pop up in the bottom right of the screen and tell me that 1758 threats were detected and eliminated. A number that big scares me, and it keeps coming back.

When I run CA's virus scan it typically gives me something that looks like this:

Filename Infection
C:\Documents and Settings\jordan herrick\Local Settings\Temporary Internet Files\Content.IE5\5E595VBT\kb713501[1] Win32/SecDrop.QX
C:\Program Files\backups\backup-20080513-185542-177.dll Win32/Vundo.ZE
C:\Program Files\backups\backup-20080513-185542-707.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-191806-802.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-192437-548.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-193858-852.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-193935-795.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-194354-710.dll Win32/Vundo.YU
C:\Program Files\backups\backup-20080513-194511-648.dll Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094148.EXE Win32/Muotrso.A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096468.EXE Win32/Matcash.DO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096501.EXE Win32/Matcash.DR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096502.EXE Win32/Matcash.DR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096504.EXE Win32/Matcash.D
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096548.DLL Win32/Vundo.ZF
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096550.DLL Win32/Vundo.ZF
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP139\A0097653.DLL Win32/Vundo.ZE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108057.EXE Win32/Matcash.DN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108203.DLL Win32/Vundo.ZE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108204.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108205.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108206.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108207.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108208.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108209.DLL Win32/Vundo.YU
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP152\A0108210.DLL Win32/Vundo.YU

CA Anti-Virus then tells me that all files were successfully deleted, and if I scan again immediately afterward (even after a reboot) the scan comes up clean. It takes a few hours or some surfing on the net to get infected again.

When I run CA Anti-Spyware it tells me that I have a downloader called Darksma. The only option is to quarantine it and reboot, so I do so. It has failed to remove it every time; my uneducated guess is that this is what is causing all the other files to appear.


I have gone through the "You Must Read This Before Posting a Hijackthis Log" thread and all of the resources I was instructed to utilize also failed to remove the infection. So I've got a series of logs that will hopefully let somebody figure out how to get rid of it. I also scanned my computer with Atribune's VundoFix and it said it did not find any infected files.


<<<<<<<<<<< First up is Malwarebytes' log.>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.14
Database version: 807

11:52:03 PM 5/30/2008
mbam-log-5-30-2008 (23-52-03).txt

Scan type: Quick Scan
Objects scanned: 37579
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spcron (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.




<<<<<<<<<<< Now SUPERAntiSpyware's log >>>>>>>>>>>>>>

SUPERAntiSpyware Scan Log
Generated 05/31/2008 at 01:29 AM

Application Version : 3.6.1000

Core Rules Database Version : 3472
Trace Rules Database Version: 1463

Scan type : Complete Scan
Total Scan Time : 01:30:36

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 5274
Registry threats detected : 0
File items scanned : 60231
File threats detected : 64

Adware.Tracking Cookie

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092027.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092028.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092042.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092044.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP135\A0095453.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP135\A0095463.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096462.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096465.EXE

Trojan.Unclassified/BrowserDriver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092062.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094120.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094132.EXE

Adware.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092063.CFG

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094125.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096505.EXE

Adware.DeeWoo/ThinkAdz
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094130.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP




<<<<<<<<<<<< next is Panda Activescan's log >>>>>>>>>>>>>
Edit: Panda ActiveScan's log doesn't look right because they insisted on making a table out of asterisks and crap, so I'm attaching the .txt file. It is readable in Notepad.

;*******************************************************************************
ANALYSIS: 2008-05-31 02:59:57
PROTECTIONS: 1
MALWARE: 30
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
CA Anti-Virus 9.0.0.170 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
01343387 Generic Trojan Virus/Trojan No 0 Yes No C:\WINDOWS\Installer\58479.msi[unk_0029]
02164907 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096541.exe
02634745 Application/Playmp3z HackTools No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP64\A0028796.exe
02891362 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094123.exe
02891362 Adware/Yazzle Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108062.exe
02913339 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096470.exe
02913341 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096489.exe
02936016 Adware/Insider Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP122\A0092061.exe
02936016 Adware/Insider Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094128.exe
02936016 Adware/Insider Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094126.exe
02936956 Adware/SideSearch Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096471.dll
02938171 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094129.dll
02938171 Spyware/Virtumonde Spyware No 1 No No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094131.exe[■%%\²¬Ç]
02938552 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096472.exe
02938563 Adware/PurityScan Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094124.exe
02938823 Spyware/AdClicker Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096500.exe
02938979 Adware/JavaCore Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096503.exe
02939362 Adware/AccesMembre Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094134.exe
02941829 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094195.dll
02942191 Adware/WebSearch Adware No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP136\A0096506.exe
02942192 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108056.exe
02952450 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\nmcvvmfk.dll
02952450 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\endicuqn.dll
02952450 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\elmmcoqr.dll
02952450 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\uhfmrdfe.dll
02952971 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108058.dll
02952971 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108059.dll
02952971 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108060.dll
02952971 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108061.dll
02952973 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096547.dll
02952973 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096549.dll
02952973 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP138\A0096566.dll
02952973 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP137\A0096551.dll
02960420 Adware/GoodSearchNow Adware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP126\A0094145.sys
02992298 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\bpqvahme.dll
02992299 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\kgvqiqya.dll
02992299 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\mriijagk.dll
02992299 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\esxpqpum.dll
02992300 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ufibgppm.dll
02992301 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP138\A0096588.dll
02992301 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP138\A0096586.dll
02992302 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\tncavnyt.dll
02992302 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\aecgyxik.dll
02992302 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\iuemnjng.dll
02992716 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\uexjdtks.dll
02992716 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\gggcvcxw.dll
02995628 Spyware/Virtumonde Spyware No 1 Yes No C:\VundoFix Backups\dggpsdjj.dll.bad
02995628 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP147\A0108021.dll
02995630 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\tnjfaafb.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
108742 MEDIUM MS06-006
;===============================================================================




<<<<<<<<<<<<< And finally a HijackThis log >>>>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:08 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {66eca6dc-482a-be58-eb84-ccc5362772ce} - {ec277263-5ccc-48be-85eb-a284cd6ace66} - C:\WINDOWS\system32\shxtyivo.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7893 bytes




<<<<<<<<<<<<< also an uninstall list >>>>>>>>>>>

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
AIM 6
Broadcom 440x 10/100 Integrated Controller
CA Anti-Spyware
CA Anti-Virus
CA Internet Security Suite
CA Pest Patrol Realtime Protection
CDBurnerXP
Conexant HDA D110 MDC V.92 Modem
DAEMON Tools
Dell Resource CD
GemMaster Mystic
GoToAssist 8.0.0.480
Hellgate: London
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel® PROSet/Wireless Software
iPod for Windows 2005-09-23
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSCfg
MSN
mSSO
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
Neverwinter Nights
Neverwinter Nights 2
NVIDIA Drivers
Otto
Panda ActiveScan 2.0
PeerGuardian 2.0
Pharaoh
QuickTime
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Sierra Utilities
SigmaTel Audio
Sins of a Solar Empire
Sins of a Solar Empire
Sonic Encoders
StarSonata (remove only)
SUPERAntiSpyware Free Edition
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Ventrilo Client
VeohTV BETA
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft




Well, that's it. I imagine it would be tough to go through all that stuff. Thanks in advance to whoever is willing to take this one.

Edited by Ball Tripper, 31 May 2008 - 03:03 PM.

#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Hello Ball Tripper,

I am analysing your log and will get back to you in a bit. :)

#3 Ball Tripper (New Member, Topic Starter, 9 posts)

Thank you emeraldnzl <3

#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Hello again Ball Tripper,

Welcome to Geeks to go.

Lets see if we can nail your problem. :)

I think it is possible you have a Smitfraud infection as well as Vundo, so we will take a multi-level approach to attacking the infections.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

-----Step 2-----

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

So when you come back please post:
  • Combofix log
  • report from the Smitfraud scan
  • and a new HijackThis log

It may be that the reports will not fit on one post when you reply. If so, it's ok to use more than one post.
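The post above asks for a fresh HijackThis log "for further review", and it helps to know what a helper actually looks for in one when Vundo is suspected. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from its author. It parses HijackThis-format lines and flags three things: entries whose target reads "(no file)" (orphaned registry leftovers), autostart entries (O2 BHO, O4 Run, O20 Winlogon Notify, O21 SSODL) that load a DLL from system32 with a random-looking eight-letter name (the naming habit of the Vundo droppers that ComboFix deletes from this machine later in the thread), and O20/O21 or "Unknown owner" O23 entries that deserve a manual look. The sample log is constructed: the clean lines are copied from the HijackThis log posted later in this thread, while the three random-named system32 entries and the {0A0B0C0D-...} GUID are invented to show what a hit looks like. The KNOWN_GOOD allowlist is an assumption and deliberately incomplete; the output is a list of candidates to confirm, not a verdict.

```python
"""Triage helper for HijackThis-format logs: flags the entry types a
malware-removal volunteer checks first when Vundo or Smitfraud is suspected.
Added example for this page; not code from the thread or from HijackThis."""

import re
from typing import Dict, List, Optional

# Constructed sample log. The clean lines are copied from the HijackThis log
# posted later in this thread; the three system32 entries with random-looking
# names and the {0A0B0C0D-...} GUID are invented to show what a hit looks like.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {0A0B0C0D-1111-2222-3333-444455556666} - C:\WINDOWS\system32\kgvqiqya.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nnnMfDWQ] rundll32.exe C:\WINDOWS\system32\nnnMfDWQ.dll,a
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: awtfbevk - C:\WINDOWS\system32\awtfbevk.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# Last drive-letter path on the line, stopping at the first module extension,
# so "rundll32.exe C:\...\x.dll,Entry" yields the DLL rather than the argument.
PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|cpl|ocx|sys)", re.IGNORECASE)
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")
# Assumption: illustrative, incomplete allowlist of legitimate all-alphabetic
# eight-letter DLLs in a clean XP system32; extend it from a known-good build.
KNOWN_GOOD = {"browseui", "mshtmled", "rasadhlp"}


def last_path(text: str) -> Optional[str]:
    hits = PATH.findall(text)
    return hits[-1] if hits else None


def file_stem(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Vundo droppers used eight pseudo-random letters, often in mixed case."""
    return bool(EIGHT_LETTERS.match(stem)) and stem.lower() not in KNOWN_GOOD


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # banner, blank or "End of file" line
        section, body = m.group(1), m.group(2)
        path = last_path(body)

        if "(no file)" in body:
            findings.append(dict(severity="low", section=section, line=line,
                                 reason="orphaned entry, target file missing; fix to tidy up"))
            continue
        if path and "\\system32\\" in path.lower() and looks_random(file_stem(path)):
            stem = file_stem(path)
            mixed = " (mixed case)" if stem[1:] != stem[1:].lower() else ""
            findings.append(dict(severity="high", section=section, line=line,
                                 reason=f"random-looking 8-letter DLL in system32: {stem}{mixed}; "
                                        "Vundo pattern, submit the file for analysis"))
            continue
        if section in ("O20", "O21"):
            findings.append(dict(severity="low", section=section, line=line,
                                 reason="loads into winlogon/explorer; verify publisher and path"))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(dict(severity="low", section=section, line=line,
                                 reason="service with no publisher string; check file vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['section']:>3}  {f['reason']}\n        {f['line']}")
```

Run against a real log by reading hijackthis.log into triage(). The "(no file)" hits are the harmless O2/O3 leftovers that helpers tick in HijackThis and "Fix checked"; the high hits are the ones to quarantine and submit, and a mixed-case name such as nnnMfDWQ.dll is the strongest tell. Legitimate eight-letter DLLs will show up until the allowlist is grown from a clean install, which is why the script reports candidates rather than deciding for you.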

#5 Ball Tripper (New Member, Topic Starter, 9 posts)

OK, here they are. Interestingly, after this my CA Anti-Spyware tells me that Darksma is gone, which I have never been able to get rid of for even a small period of time. But it now tells me I have KaZaA, which I have never used, and a backdoor it calls Bifrost.
Edit: After rebooting a few times and doing stuff, my normal protection software seems to have gotten rid of KaZaA and Bifrost. Internet Explorer isn't acting up anymore either, no pop-ups so far. The only thing any one of the malware removal programs I've accumulated finds now is a bunch of adware tracking cookies, which kind of makes me worry something might be left to download a bunch of stuff again. It happened the first time I thought I had cleaned my system.
Also combofix made the clock on my taskbar turn to military time or some crap. 10:15PM is now 22:15. Know how I can change it back?
Edit2: Although much much less frequently, I am still having IE crash and be redirected to false adware scans and [bleep] pop ups like that. :)


<<<<<<<<<<< New HJT log >>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:23, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8992 bytes




<<<<<<<<<<<<< ComboFix Log >>>>>>>>>>>>>>>>

ComboFix 08-06-01.3 - jordan herrick 2008-06-01 19:49:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1502 [GMT -4:00]
Running from: C:\Documents and Settings\jordan herrick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jordan herrick\Application Data\.#
C:\Temp\1cb
C:\WINDOWS\BM8bb914f6.xml
C:\WINDOWS\index.html
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acngbvun.dll
C:\WINDOWS\system32\aecgyxik.dll
C:\WINDOWS\system32\awtfbevk.ini
C:\WINDOWS\system32\axlsfvvv.dll
C:\WINDOWS\system32\bpqvahme.dll
C:\WINDOWS\system32\bxekxlxu.ini
C:\WINDOWS\system32\cluyebel.ini
C:\WINDOWS\system32\elmmcoqr.dll
C:\WINDOWS\system32\endicuqn.dll
C:\WINDOWS\system32\esxpqpum.dll
C:\WINDOWS\system32\gggcvcxw.dll
C:\WINDOWS\system32\gsibcsew.ini
C:\WINDOWS\system32\hcccwnxm.ini
C:\WINDOWS\system32\iuemnjng.dll
C:\WINDOWS\system32\jpnutivm.dll
C:\WINDOWS\system32\kgvqiqya.dll
C:\WINDOWS\system32\kswhacii.dll
C:\WINDOWS\system32\kxbkfpmu.dll
C:\WINDOWS\system32\lmrmonii.ini
C:\WINDOWS\system32\mriijagk.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nmcvvmfk.dll
C:\WINDOWS\system32\nogaolym.dll
C:\WINDOWS\system32\pchcnimh.dll
C:\WINDOWS\system32\puolsldt.dll
C:\WINDOWS\system32\pxxtbihi.dll
C:\WINDOWS\system32\qdvrngoe.ini
C:\WINDOWS\system32\qhirytqc.dll
C:\WINDOWS\system32\qltsrpyp.ini
C:\WINDOWS\system32\qvmebceu.dll
C:\WINDOWS\system32\QWDfMnnn.ini
C:\WINDOWS\system32\QWDfMnnn.ini2
C:\WINDOWS\system32\rCMVvyay.ini
C:\WINDOWS\system32\rCMVvyay.ini2
C:\WINDOWS\system32\redqmacq.dll
C:\WINDOWS\system32\sgianojv.ini
C:\WINDOWS\system32\sihysbbw.ini
C:\WINDOWS\system32\tktmwcnl.ini
C:\WINDOWS\system32\tncavnyt.dll
C:\WINDOWS\system32\tnjfaafb.dll
C:\WINDOWS\system32\uexjdtks.dll
C:\WINDOWS\system32\ufibgppm.dll
C:\WINDOWS\system32\uhfmrdfe.dll
C:\WINDOWS\system32\ukbqyqeu.dll
C:\WINDOWS\system32\urxomtan.ini
C:\WINDOWS\system32\uyindtqv.dll
C:\WINDOWS\system32\weiohsrp.ini
C:\WINDOWS\system32\xivnnlgu.ini
C:\WINDOWS\system32\ydbljbjh.ini
C:\WINDOWS\system32\ytgmfilh.dll
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 10:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-01 10:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-01 10:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-01 10:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-01 10:39 . 2008-06-01 17:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-01 10:39 . 2008-06-01 10:39 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\PC Tools
2008-06-01 10:29 . 2008-06-01 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-01 10:28 . 2008-06-01 10:34 <DIR> d-------- C:\Program Files\Google
2008-06-01 10:17 . 2008-06-01 19:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 09:20 . 2008-06-01 09:21 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-01 07:52 . 2008-06-01 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Outspark
2008-06-01 07:47 . 2008-06-01 07:52 <DIR> d-------- C:\Program Files\Outspark
2008-05-31 01:46 . 2008-05-31 01:47 <DIR> d-------- C:\Program Files\Panda Security
2008-05-27 16:37 . 2008-05-27 16:37 <DIR> d-------- C:\Program Files\Veoh Networks
2008-05-25 19:04 . 2008-05-25 19:04 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-25 19:00 . 2008-06-01 12:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 19:00 . 2008-05-25 19:00 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\SUPERAntiSpyware.com
2008-05-25 19:00 . 2008-05-25 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 02:05 . 2008-05-30 23:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 02:05 . 2008-05-25 02:05 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\Malwarebytes
2008-05-25 02:05 . 2008-05-25 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 02:05 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 02:05 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 02:04 . 2008-05-25 02:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 00:31 . 2008-05-25 00:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 01:45 . 2008-05-24 01:45 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-24 01:44 . 2008-05-24 01:44 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-24 01:42 . 2008-05-24 01:42 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-24 01:41 . 2008-05-24 01:41 <DIR> dr-h----- C:\MSOCache
2008-05-24 01:41 . 2008-05-31 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-18 15:57 . 2008-05-18 15:57 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-05-18 15:57 . 2008-05-18 15:57 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\CDBurnerXP_Soft
2008-05-16 16:34 . 2008-05-16 16:34 <DIR> d-------- C:\qrnt
2008-05-16 16:34 . 2008-05-16 16:34 <DIR> d-------- C:\CA
2008-05-14 15:47 . 2008-05-25 00:01 <DIR> d-------- C:\VundoFix Backups
2008-05-12 02:06 . 2008-05-30 17:35 <DIR> d-------- C:\Program Files\backups
2008-05-05 00:48 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-05 00:48 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 23:37 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-27 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 23:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-15 02:23 880,432 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-05-15 02:23 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-13 23:35 8,160 ----a-w C:\Program Files\hijackthis.log
2008-04-29 22:43 --------- d--h--r C:\Documents and Settings\jordan herrick\Application Data\SecuROM
2008-04-29 00:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-28 04:00 --------- d-----w C:\Program Files\MSBuild
2008-04-28 03:57 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-26 06:57 --------- d-----w C:\Documents and Settings\jordan herrick\Application Data\LimeWire
2008-04-25 00:19 --------- d-----w C:\Program Files\Flagship Studios
2008-04-24 01:52 --------- d-----w C:\Program Files\Warcraft III
2008-04-22 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-21 00:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-16 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-16 04:10 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-16 04:07 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-04-16 04:07 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-16 04:07 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-04-16 04:07 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-16 04:07 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-16 04:07 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-16 04:07 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-16 04:05 --------- d-----w C:\Program Files\CA
2008-04-16 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 03:55 --------- d-----w C:\Program Files\Lavasoft
2008-04-08 18:15 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-05 01:13 --------- d-----w C:\Program Files\Java
2008-04-02 11:01 --------- d-----w C:\Documents and Settings\jordan herrick\Application Data\Leadertech
2008-04-02 10:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 06:31 5,846 ----a-w C:\Program Files\install.log
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2005-02-16 15:06 218,112 ----a-w C:\Program Files\spy[bleep]er.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-01 10:29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 20:05 8429568]
"nwiz"="nwiz.exe" [2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 20:05 81920 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43 274432]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 21:58 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-21 17:15 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-16 00:07 234760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-16 03:46:06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-19 21:17 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-16 00:06]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Acclaim\2Moons\bin\GameGuard\dump_wmimmc.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 o1394bul;o1394bul;C:\DOCUME~1\JORDAN~1\LOCALS~1\Temp\o1394bul.sys []
S3 XDva143;XDva143;C:\WINDOWS\system32\XDva143.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 20:33:29 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as jordan herrick at 12 05 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 19:54:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2008-06-01 19:59:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 23:59:36

Pre-Run: 38,778,728,448 bytes free
Post-Run: 38,675,304,448 bytes free

264 --- E O F --- 2008-05-31 05:47:57
<<<<<<<<<<<< and SmitFraud log >>>>>>>>>>>>>>

SmitFraudFix v2.323

Scan done at 20:01:28.51, Sun 06/01/2008
Run from C:\Documents and Settings\jordan herrick\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jordan herrick


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\jordan herrick\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JORDAN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by Ball Tripper, 02 June 2008 - 09:03 AM.


#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Hello again Ball Tripper,

Looking better now. There is the Kazaa related one and you have a P2P program that very likely was involved in your getting infected in the first place.

Let's get rid of them first and after that run a check to make sure it's all gone. As you know they can come back.

We can look at your clock problem once we have got your machine clean.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Program Files\spyer.exe

Folder::
C:\Program Files\PeerGuardian2

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. When finished, it will produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Next


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Start scanning at the foot of the page
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

So when you come back please post:
  • Combofix text
  • F-Secure scan results
  • a new HijackThis log


#7 Ball Tripper (Topic Starter, New Member, 9 posts)
Sorry it took a couple days to respond, I've been a bit busy. :)
Edit: after I did all that CA Anti-Spyware once again told me that I had Kazaa and Bifrost. And a bunch of tracking cookies. I'm thinking maybe ComboFix kills something that is hiding Kazaa and Bifrost and I can only see them immediately after running ComboFix? I don't know.


<<<<<<<<<<<<Combo Fix log>>>>>>>>>>>>>>>>>>>

ComboFix 08-06-01.3 - jordan herrick 2008-06-05 8:20:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1524 [GMT -4:00]
Running from: C:\Documents and Settings\jordan herrick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jordan herrick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\spyer.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jordan herrick\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\PeerGuardian2
C:\Program Files\PeerGuardian2\cache.p2b
C:\Program Files\PeerGuardian2\history.db
C:\Program Files\PeerGuardian2\license.txt
C:\Program Files\PeerGuardian2\lists\2102257263.list
C:\Program Files\PeerGuardian2\lists\2379512856.list
C:\Program Files\PeerGuardian2\lists\3803011300.list
C:\Program Files\PeerGuardian2\lists\4129269688.list
C:\Program Files\PeerGuardian2\lists\560054545.list
C:\Program Files\PeerGuardian2\lists\permallow.p2b
C:\Program Files\PeerGuardian2\lists\permblock.p2b
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\PeerGuardian2\pg2.url
C:\Program Files\PeerGuardian2\pgfilter.sys
C:\Program Files\PeerGuardian2\pgfix.exe
C:\Program Files\PeerGuardian2\readme.txt
C:\Program Files\PeerGuardian2\unins000.dat
C:\Program Files\PeerGuardian2\unins000.exe
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 08:16 . 2008-06-05 08:16 268 --ah----- C:\sqmdata00.sqm
2008-06-05 08:16 . 2008-06-05 08:16 244 --ah----- C:\sqmnoopt00.sqm
2008-06-01 20:01 . 2008-06-01 20:02 2,832 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-01 20:00 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-01 20:00 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-01 20:00 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-01 20:00 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-01 20:00 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-01 20:00 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-01 20:00 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-01 20:00 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-01 10:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-01 10:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-01 10:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-01 10:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-01 10:39 . 2008-06-01 17:56 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-01 10:39 . 2008-06-01 10:39 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\PC Tools
2008-06-01 10:28 . 2008-06-02 01:46 <DIR> d-------- C:\Program Files\Google
2008-06-01 10:17 . 2008-06-01 19:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 09:20 . 2008-06-01 09:21 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-01 07:52 . 2008-06-01 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Outspark
2008-06-01 07:47 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Outspark
2008-05-31 01:46 . 2008-05-31 01:47 <DIR> d-------- C:\Program Files\Panda Security
2008-05-27 16:37 . 2008-05-27 16:37 <DIR> d-------- C:\Program Files\Veoh Networks
2008-05-25 19:00 . 2008-06-01 12:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 19:00 . 2008-05-25 19:00 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\SUPERAntiSpyware.com
2008-05-25 19:00 . 2008-05-25 19:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 02:05 . 2008-05-30 23:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 02:05 . 2008-05-25 02:05 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\Malwarebytes
2008-05-25 02:05 . 2008-05-25 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 02:05 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 02:05 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 02:04 . 2008-05-25 02:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 00:31 . 2008-05-25 00:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 01:45 . 2008-05-24 01:45 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-24 01:44 . 2008-05-24 01:44 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-24 01:42 . 2008-05-24 01:42 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-24 01:41 . 2008-05-24 01:41 <DIR> dr-h----- C:\MSOCache
2008-05-24 01:41 . 2008-05-31 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-18 15:57 . 2008-05-18 15:57 <DIR> d-------- C:\Documents and Settings\jordan herrick\Application Data\CDBurnerXP_Soft
2008-05-16 16:34 . 2008-05-16 16:34 <DIR> d-------- C:\qrnt
2008-05-16 16:34 . 2008-05-16 16:34 <DIR> d-------- C:\CA
2008-05-14 15:47 . 2008-05-25 00:01 <DIR> d-------- C:\VundoFix Backups
2008-05-12 02:06 . 2008-05-30 17:35 <DIR> d-------- C:\Program Files\backups
2008-05-05 00:48 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-05 00:48 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 11:41 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 11:41 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-05-27 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 23:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 23:35 8,160 ----a-w C:\Program Files\hijackthis.log
2008-04-29 22:43 --------- d--h--r C:\Documents and Settings\jordan herrick\Application Data\SecuROM
2008-04-29 00:43 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-28 04:00 --------- d-----w C:\Program Files\MSBuild
2008-04-28 03:57 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-26 06:57 --------- d-----w C:\Documents and Settings\jordan herrick\Application Data\LimeWire
2008-04-25 00:19 --------- d-----w C:\Program Files\Flagship Studios
2008-04-24 01:52 --------- d-----w C:\Program Files\Warcraft III
2008-04-22 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-21 00:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-16 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-04-16 04:10 --------- d-----w C:\Program Files\Common Files\Scanner
2008-04-16 04:07 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-04-16 04:07 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-04-16 04:07 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-04-16 04:07 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-16 04:07 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-16 04:07 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-16 04:07 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-16 04:05 --------- d-----w C:\Program Files\CA
2008-04-16 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-16 03:55 --------- d-----w C:\Program Files\Lavasoft
2008-04-08 18:15 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-05 01:13 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 06:31 5,846 ----a-w C:\Program Files\install.log
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 20:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2005-02-16 15:06 218,112 ----a-w C:\Program Files\spy[bleep]er.exe
.

((((((((((((((((((((((((((((( [email protected]_19.59.26.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 23:53:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 12:26:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-26 15:28:50 35,712 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2008-06-05 05:09:20 35,712 ----a-w C:\WINDOWS\system32\nvModes.dat
- 2008-06-01 21:44:47 73,072 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-05 12:20:21 73,072 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-01 21:44:47 445,972 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-05 12:20:21 445,972 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 07:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 20:05 8429568]
"nwiz"="nwiz.exe" [2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 20:05 81920 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43 274432]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-27 21:58 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-05-21 17:15 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-16 00:07 234760]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-16 03:46:06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-12-19 21:17 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-16 00:06]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Acclaim\2Moons\bin\GameGuard\dump_wmimmc.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 o1394bul;o1394bul;C:\DOCUME~1\JORDAN~1\LOCALS~1\Temp\o1394bul.sys []
S3 XDva143;XDva143;C:\WINDOWS\system32\XDva143.sys []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 20:33:29 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as jordan herrick at 12 05 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 08:28:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\cappactiveprotection.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-05 8:32:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 12:32:10

Pre-Run: 38,407,659,520 bytes free
Post-Run: 38,558,752,768 bytes free

238 --- E O F --- 2008-05-31 05:47:57
<<<<<<<<<<<<<<<<<F-Secure Online scanner report>>>>>>>>>>>>>>>>>>>>>>>>

Scanning Report
Thursday, June 05, 2008 08:40:50 - 11:32:24
Computer name: JORDAN-7225A28C
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 5 malware found
RiskTool.Win32.Reboot (spyware)
System
Tracking Cookie (spyware)
System
Vundo.gen148 (virus)
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193858-229.DLL (Submitted)
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193935-346.DLL (Submitted)
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-194354-701.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 33934
System: 4409
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 5
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{F32B0E7E-BD01-4B70-A561-960ECB6A3DC0}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-06-05
F-Secure Pegasus: 1.20.0, 2008-04-14
F-Secure AVP: 7.0.171, 2008-06-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
<<<<<<<<<<<<<<<<<<<<<<<New HJT Log>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:20, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8236 bytes

Edited by Ball Tripper, 05 June 2008 - 09:53 PM.

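
The HijackThis log above is read by eye in this thread, and the entries the helper later fixes (a GUID-named BHO in system32 and a service with no vendor pointing at a missing file, listed under "HijackThis Fixed Entries" in the DSS report further down) are exactly the shapes a first pass should pick out. The script below is an added example written for this page; it is not part of any post and not code from HijackThis or Trend Micro. It parses O2, O4 and O23 lines and applies a few heuristics: a load point whose file is missing, a service with "Unknown owner", a BHO registered with a GUID instead of a display name, and the Vundo-era eight-random-letters-in-system32 file name. The sample lines are constructed from entries visible in this thread; the rules, thresholds and reason strings are the example's own, and a hit means "look closer", not "malicious".

```python
"""First-pass triage of HijackThis (HJT) log lines.

Added example: heuristics that flag O2 (BHO), O4 (Run key) and O23 (service)
entries worth a closer look. A hit is a prompt to investigate, not a verdict.
"""
import re

# Constructed sample in HJT v2 line format. The shxtyivo.dll BHO and the
# MsSecurity service are the two entries HijackThis fixed in this thread
# (see the DSS "HijackThis Fixed Entries" section); the rest are benign
# lines copied from the same log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {66eca6dc-482a-be58-eb84-ccc5362772ce} - {ec277263-5ccc-48be-85eb-a284cd6ace66} - C:\WINDOWS\system32\shxtyivo.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path up to a code-file extension; allows spaces in the path.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|sys|cpl))\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
# Vundo-era pattern: an 8-letter lowercase name dropped straight into system32.
SYSTEM32_8LETTER_RE = re.compile(r"\\system32\\([a-z]{8})\.(?:dll|exe)$", re.IGNORECASE)


def parse_line(line):
    """Split one HJT line into kind, name, vendor/owner, path and the (file missing) marker."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    entry = {"kind": kind, "raw": line.strip(), "name": None, "owner": None,
             "path": None, "file_missing": "(file missing)" in rest}
    pm = PATH_RE.search(rest)
    if pm:
        entry["path"] = pm.group(1)
    if kind == "O2" and rest.startswith("BHO: "):
        # O2 - BHO: <display name> - {CLSID} - <dll path>
        entry["name"] = rest[len("BHO: "):].split(" - ")[0]
    elif kind == "O23" and rest.startswith("Service: "):
        # O23 - Service: <display name> (<service name>) - <vendor> - <image path>
        parts = rest[len("Service: "):].split(" - ")
        entry["name"] = parts[0]
        entry["owner"] = parts[1] if len(parts) > 1 else None
    elif kind == "O4":
        # O4 - <hive>\..\Run: [<value name>] <command line>
        nm = re.search(r"\[([^\]]+)\]", rest)
        entry["name"] = nm.group(1) if nm else None
    return entry


def assess(entry):
    """Return the list of reasons an entry deserves a closer look (empty = nothing odd)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("load point references a file that is not on disk")
    if entry["kind"] == "O23" and entry["owner"] == "Unknown owner":
        reasons.append("service binary carries no vendor string")
    if entry["kind"] == "O2" and entry["name"] and GUID_RE.match(entry["name"]):
        reasons.append("BHO registered with a GUID instead of a display name")
    if entry["path"]:
        sm = SYSTEM32_8LETTER_RE.search(entry["path"])
        if sm:
            stem = sm.group(1).lower()
            vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
            if vowel_ratio <= 0.25:  # heuristic; expect occasional false positives
                reasons.append("random-looking 8-letter name in system32")
    return reasons


def triage(log_text):
    """Return [(raw line, [reasons])] for every line that trips at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = assess(entry)
            if reasons:
                flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_HJT_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, the two fixed entries are the only lines flagged and each trips two rules; the benign Java, ehTray, PeerGuardian and Ad-Aware lines pass. The vowel-ratio rule is the weakest of the four and is there only to surface names a human would otherwise skim past; it should never be the sole reason to act.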

#8
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello again Ball Tripper,

The forum software is censoring part of the name of a bad file that we are trying to remove from your machine.

Please right-click Start, select Explore, and navigate to the program shown in bold.

C:\Program Files\spy[bleep]er.exe

The letters covered by the [bleep] are what we need to know.

To enable it to get through the forum filtering you will need to insert a space between each letter of the file name.

We will attack it again when you report back. :)

Next

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\tmp.reg
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PeerGuardian
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

So when you come back please
  • tell me the name of that file
  • post contents of OTMoveIt2 report


#9
Ball Tripper

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I really don't think either of those is the problem. The one file is spy f u c k e r.exe... When I was trying to fix this on my own I read somewhere that certain malware files actually hide from HJT and that I should rename the .exe, so I renamed it that. Sorry for the confusion. :)

PeerGuardian2 is an IP blocker program, meant for anonymity while using p2p programs. It's from http://phoenixlabs.org/pg2/; it's also an open source program, so I doubt it's bundled with malware. I heard all it does is provide a false sense of security anyway, so I tried what you said to get rid of it. The problem is my administrator password has been changed.

I am the only person who ever used this computer and my single account had administrator access, so I never set a password for Windows' special Administrator account. When this whole thing started and I discovered that "task manager has been disabled by the administrator" (which has been fixed), I tried logging on to the Administrator account in safe mode to try and figure out how to change it back, only to discover that it requires a password that I have no knowledge of. I should have mentioned this before; it completely slipped my mind.

I ran OTMoveIt2, but without running it as Administrator, and tried anyway; here is the log.



C:\WINDOWS\system32\tmp.reg moved successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PeerGuardian >
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PeerGuardian\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06062008_025040

#10
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Ball Tripper,

"I really don't think either of those are the problem."

PeerGuardian2: yep, it can be used for either; I typically see it used in combination with p2p. My mistake, I should have checked with you. :)

Thank you for the info about the suspect file. No need to pursue that either in view of your explanation.

I think now you are close to clean.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

----Step 2----

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

----Step 3----

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----Step 4----

Kaspersky only works if you are using Internet Explorer.

As a final check please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post. Please also tell me how your computer is running.

#11
Ball Tripper

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
My computer is running a lot better now. Every time I check, CA is still telling me I've got a bunch of tracking cookies for advertising sites. They aren't causing any practical problems, though, so I'm content to ignore them; I haven't had any pop-ups recently. Kaspersky seems to have found something, though; here is the log.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 17:47:46
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 834859
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62759
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:54:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Temp\~DF1102.tmp Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Temp\~DF40D.tmp Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Temp\~DF569.tmp Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jordan herrick\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jordan herrick\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\SharedComponents\PPRT\logs\2008-06-06.csv Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C0264762-F0B9-4098-BD50-1ED171FC9AB3}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88B6F493-518B-4F2F-856A-036EE983DDD3}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DMF8NQF\1[1].exe Infected: not-a-virus:FraudTool.Win32.AntiSpySpider.c skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello Ball Tripper,

Not completely clean yet then. The cookies should not be a problem but the one found by Kaspersky... I think we ought to attack that one.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DMF8NQF\1[1].exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    * Close browsers before scanning.
    * Scan for tracking cookies.
    * Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

So when you come back please post
  • OTMoveIt report
  • Scan results from SuperAntiSpyware


#13
Ball Tripper

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
<<<<<<<<<<<<<<<MoveIt log>>>>>>>>>>>>>>>>

< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DMF8NQF\1[1].exe >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DMF8NQF\1[1].exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06072008_004325



<<<<<<<<<<<<<<<<<SUPERAntiSpyware Scan Log>>>>>>>>>>>>>>>


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2008 at 01:47 AM

Application Version : 4.15.1000

Core Rules Database Version : 3477
Trace Rules Database Version: 1468

Scan type : Complete Scan
Total Scan Time : 00:56:55

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 4973
Registry threats detected : 0
File items scanned : 62982
File threats detected : 16

Adware.Tracking Cookie
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][2].txt
C:\Documents and Settings\jordan herrick\Cookies\[email protected][1].txt

Adware.Vundo-Variant
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193858-229.DLL
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193935-346.DLL
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-194354-701.DLL
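
The Kaspersky report in post #11 and the SUPERAntiSpyware log above are both read line by line in this thread, and the two carry different kinds of noise: Kaspersky lists every in-use hive, event log and index.dat as "Object is locked skipped" (not a detection), and SUPERAntiSpyware mixes tracking cookies with real files. The script below is an added example written for this page, not part of any post and not code from Kaspersky, SUPERAntiSpyware or HijackThis. It parses both report formats, counts and drops the locked-object lines, and classifies each remaining hit by where it sits on disk: under the LocalSystem profile's Temporary Internet Files (written by a process running as SYSTEM, not by the user's browser), in a cookies folder, or in a backups folder whose file names match the backup-YYYYMMDD-HHMMSS-NNN pattern HijackThis uses (compare the "HijackThis Fixed Entries" section of the DSS report later in the thread). The sample inputs are constructed from paths visible in this thread; the cookie file names are made up, and the class labels and explanations are the example's own reading.

```python
"""Triage of Kaspersky Online Scanner and SUPERAntiSpyware (SAS) text reports.

Added example: parse both report formats, drop the "Object is locked" noise,
and classify each real detection by where on disk it sits.
"""
import re
from datetime import datetime

# Constructed sample in Kaspersky Online Scanner report format (paths taken
# from the report in this thread, trimmed to a handful of lines).
SAMPLE_KAV_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\jordan herrick\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DMF8NQF\1[1].exe Infected: not-a-virus:FraudTool.Win32.AntiSpySpider.c skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
"""

# Constructed sample in SAS scan-log format. The Vundo-variant paths are the
# ones from this thread; the cookie file names are made up (".example" hosts).
SAMPLE_SAS_LOG = r"""
Adware.Tracking Cookie
C:\Documents and Settings\jordan herrick\Cookies\jordan herrick@ads.example[1].txt
C:\Documents and Settings\jordan herrick\Cookies\jordan herrick@tracker.example[2].txt

Adware.Vundo-Variant
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193858-229.DLL
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193935-346.DLL
C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-194354-701.DLL
"""

KAV_LOCKED_RE = re.compile(r"^(.*) Object is locked skipped$")
KAV_INFECTED_RE = re.compile(r"^(.*) Infected: (.+?) skipped$")
SAS_CATEGORY_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z][A-Za-z \-]*$")   # e.g. Adware.Vundo-Variant
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# HijackThis names its backup copies backup-YYYYMMDD-HHMMSS-NNN (see the
# "HijackThis Fixed Entries" section of the DSS report in this thread).
HJT_BACKUP_RE = re.compile(r"\\backups\\backup-(\d{8})-(\d{6})-\d+\.dll$")


def parse_kaspersky(text):
    """Return (detections, locked_count); locked objects are in-use files, not findings."""
    detections, locked = [], 0
    for line in text.splitlines():
        if KAV_LOCKED_RE.match(line):
            locked += 1
            continue
        m = KAV_INFECTED_RE.match(line)
        if m:
            detections.append({"scanner": "kaspersky", "path": m.group(1), "name": m.group(2)})
    return detections, locked


def parse_sas(text):
    """Return detections; SAS groups paths under a category heading line."""
    detections, category = [], None
    for line in text.splitlines():
        line = line.strip()
        if SAS_CATEGORY_RE.match(line):
            category = line
        elif category and DRIVE_PATH_RE.match(line):
            detections.append({"scanner": "sas", "path": line, "name": category})
    return detections


def classify(path):
    """Map a detection path to (class, explanation) based on where it sits."""
    p = path.lower()
    m = HJT_BACKUP_RE.search(p)
    if m:
        when = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        return ("quarantined-backup",
                f"matches HijackThis backup naming, saved {when:%Y-%m-%d %H:%M:%S}; "
                "a copy kept by an earlier fix, not a load point")
    if "\\cookies\\" in p:
        return ("tracking-cookie", "plain-text cookie; privacy noise, no code runs from it")
    if "\\system32\\config\\systemprofile\\" in p:
        return ("system-profile",
                "under the LocalSystem profile: fetched by a process running as SYSTEM, "
                "not by the user's browser")
    if "\\temporary internet files\\" in p:
        return ("browser-cache", "browser cache download; find out what opened it")
    return ("live", "outside cache, cookie and backup folders; treat as active until proven otherwise")


def triage(kav_text, sas_text):
    """Combine both reports into one classified finding list."""
    kav_detections, locked = parse_kaspersky(kav_text)
    findings = []
    for d in kav_detections + parse_sas(sas_text):
        cls, why = classify(d["path"])
        findings.append({**d, "class": cls, "why": why})
    return {"locked_skipped": locked, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_KAV_REPORT, SAMPLE_SAS_LOG)
    print(f"{report['locked_skipped']} locked objects ignored")
    for f in report["findings"]:
        print(f"[{f['class']:18}] {f['scanner']:9} {f['name']}\n    {f['path']}\n    {f['why']}")
```

On the sample, the only hit that needs a decision is the executable in the SYSTEM profile cache; the cookies are noise, and the three Vundo hits are copies sitting in a backup folder rather than anything on a load point, which is consistent with a later file-move reporting them as already gone once another scanner has quarantined them.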

#14
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello again Ball Tripper,

Still some infection there. Pesky fellow this.

  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193858-229.DLL
    C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193935-346.DLL
    C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-194354-701.DLL
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next

Now a deeper look to check what might be left.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

When you come back
  • OTMoveIt2 results
  • DSS report


#15
Ball Tripper

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here are those logs. Is MoveIt not able to find those files because I can't run it as Administrator?
Edit: Is it possible for a virus or malware or whatever to change my Administrator password? I never set one, so my password should just be blank; I always thought that it had to be this infection that set a password in order to protect itself.


<<<<<<<<<<<<<Move It log>>>>>>>>>>>>>>>>>>>>

File/Folder C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193858-229.DLL not found.
File/Folder C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-193935-346.DLL not found.
File/Folder C:\PROGRAM FILES\BACKUPS\BACKUP-20080513-194354-701.DLL not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06082008_191634


<<<<<<<<<<<<<main.txt>>>>>>>>>>>>>>>>>>>>>>>>>

Deckard's System Scanner v20071014.68
Run by jordan herrick on 2008-06-08 19:18:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-06-08 23:18:48 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-06-08 21:13:06 UTC - RP3 - System Checkpoint
2: 2008-06-07 20:53:22 UTC - RP2 - System Checkpoint
1: 2008-06-06 20:19:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jordan herrick.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:35, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\jordan herrick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jordan herrick.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8497 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080525-003228-685 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe (file missing)
backup-20080601-161248-615 O2 - BHO: {66eca6dc-482a-be58-eb84-ccc5362772ce} - {ec277263-5ccc-48be-85eb-a284cd6ace66} - C:\WINDOWS\system32\shxtyivo.dll
backup-20080601-170041-452 O2 - BHO: {66eca6dc-482a-be58-eb84-ccc5362772ce} - {ec277263-5ccc-48be-85eb-a284cd6ace66} - C:\WINDOWS\system32\shxtyivo.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 OMCI - c:\windows\system32\drivers\omci.sys (file missing)
S3 dump_wmimmc - c:\program files\acclaim\2moons\bin\gameguard\dump_wmimmc.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 o1394bul - c:\docume~1\jordan~1\locals~1\temp\o1394bul.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 XDva143 - c:\windows\system32\xdva143.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel Corporation; SSO Service>

S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 16:33:29 532 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as jordan herrick at 12 05 AM.job


-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-06 16:30:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-06 16:30:41 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-05 08:35:46 0 d-------- C:\fsaua.data
2008-06-01 20:00:57 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-01 20:00:57 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-01 10:39:58 0 d-------- C:\Program Files\Spyware Doctor
2008-06-01 10:39:58 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\PC Tools
2008-06-01 10:31:21 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\Google
2008-06-01 10:28:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-06-01 10:28:22 0 d-------- C:\Program Files\Google
2008-06-01 10:17:49 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 09:20:52 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-06-01 07:52:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Outspark
2008-06-01 07:47:35 0 d-------- C:\Program Files\Outspark
2008-05-31 10:00:43 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-05-31 01:46:33 0 d-------- C:\Program Files\Panda Security
2008-05-27 16:37:24 0 d-------- C:\Program Files\Veoh Networks
2008-05-25 19:00:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 19:00:40 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 19:00:40 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\SUPERAntiSpyware.com
2008-05-25 02:05:13 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\Malwarebytes
2008-05-25 02:05:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 02:05:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 02:04:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 00:31:56 0 d-------- C:\Program Files\Trend Micro
2008-05-24 01:45:15 0 d-------- C:\Program Files\Microsoft Works
2008-05-24 01:44:04 0 d-------- C:\Program Files\Microsoft.NET
2008-05-24 01:42:11 0 d-------- C:\WINDOWS\SHELLNEW
2008-05-24 01:41:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-24 01:41:13 0 dr-h----- C:\MSOCache
2008-05-18 15:57:36 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\CDBurnerXP_Soft
2008-05-16 16:34:15 0 d-------- C:\qrnt
2008-05-16 16:34:15 0 d-------- C:\CA
2008-05-13 18:48:53 0 d-------- C:\WINDOWS\pss
2008-05-13 18:04:01 0 d-------- C:\WINDOWS\CSC
2008-05-12 02:06:51 0 d-------- C:\Program Files\backups


-- Find3M Report ---------------------------------------------------------------

2008-06-05 01:09:20 35712 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-27 16:38:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-25 19:00:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 02:15:06 0 d-------- C:\Program Files\Common Files
2008-05-13 19:35:06 8160 --a------ C:\Program Files\hijackthis.log
2008-04-29 18:43:09 0 dr-h----- C:\Documents and Settings\jordan herrick\Application Data\SecuROM
2008-04-28 20:43:58 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-28 14:50:30 1695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-28 00:00:08 0 d-------- C:\Program Files\MSBuild
2008-04-27 23:57:16 0 d-------- C:\Program Files\Reference Assemblies
2008-04-26 02:57:50 0 d-------- C:\Documents and Settings\jordan herrick\Application Data\LimeWire
2008-04-24 20:19:42 0 d-------- C:\Program Files\Flagship Studios
2008-04-23 21:52:23 0 d-------- C:\Program Files\Warcraft III
2008-04-20 20:31:45 0 d-------- C:\Program Files\World of Warcraft
2008-04-16 00:10:40 0 d-------- C:\Program Files\Common Files\Scanner
2008-04-16 00:05:34 0 d-------- C:\Program Files\CA
2008-04-15 23:55:56 0 d-------- C:\Program Files\Lavasoft
2008-04-02 06:51:29 0 --a------ C:\WINDOWS\PowerReg.dat
2008-03-26 02:31:10 5846 --a------ C:\Program Files\install.log
2008-03-14 23:45:14 122 --a------ C:\WINDOWS\tmpdelis.bat
2008-03-14 23:45:14 222 --a------ C:\WINDOWS\tmpcpyis.bat
2008-03-14 23:44:56 26 --a------ C:\WINDOWS\winstart.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 07:00 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/28/2007 20:05]
"nwiz"="nwiz.exe" [04/28/2007 19:05 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [04/28/2007 19:05 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [04/28/2007 20:05 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 11:22]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [10/08/2007 15:18]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/08/2007 15:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/16/2005 09:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/27/2007 21:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [05/21/2008 17:15]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [04/16/2008 00:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/16/2008 3:46:06 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/07/2008 00:47 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/07/2008 00:47 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 12/19/2007 21:17 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-06-08 19:20:23 ------------





<<<<<<<<<<<<<<<<Extra.txt>>>>>>>>>>>>>>>>>>>>>>>>>>>


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2600 @ 2.16GHz
CPU 1: Genuine Intel® CPU T2600 @ 2.16GHz
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2046.37 MiB / 1487.52 MiB
Pagefile Memory (total/avail): 3939.52 MiB / 3479.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.97 MiB

C: is Fixed (NTFS) - 91.75 GiB total, 42.24 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST9100824AS - 91.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 91.75 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: CA Anti-Virus v9.0.0.170 (CA, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"="C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe:*:Enabled:Hellgate: London"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jordan herrick\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JORDAN-7225A28C
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HellgateEnv=C:\Program Files\Flagship Studios\Hellgate London\
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jordan herrick
LOGONSERVER=\\JORDAN-7225A28C
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JORDAN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JORDAN~1\LOCALS~1\Temp
USERDOMAIN=JORDAN-7225A28C
USERNAME=jordan herrick
USERPROFILE=C:\Documents and Settings\jordan herrick
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jordan herrick (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
CA Anti-Spyware --> "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\setup\ccinstaller.exe" /u /silent /module="pp"
CA Anti-Virus --> C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\unvet32.exe
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
CA Pest Patrol Realtime Protection --> MsiExec.exe /X{F05A5232-CE5E-4274-AB27-44EB8105898D}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028k.inf
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
Fiesta --> C:\Program Files\Outspark\Fiesta\uninstall.exe
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
GoToAssist 8.0.0.480 --> C:\Program Files\Citrix\GoToAssist\480\G2AUninstaller.exe /uninstall
Hellgate: London --> MsiExec.exe /X{A2B4455D-1046-4732-BFBC-0821BEFC07BC}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard 2007 --> MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Neverwinter Nights --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}\Setup.exe" -l0x9
Neverwinter Nights 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Outspark Launcher --> C:\Program Files\Outspark\Launcher\uninstall.exe
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Pharaoh --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Pharaoh\Uninst.isu -cC:\SIERRA\Pharaoh\customuninstall.dll
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sins of a Solar Empire --> "C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire --> C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\dpinst.exe /us C:\PROGRA~1\DIFX\UninstallScripts\4569969E1360D2854474C661EF9B4D54F143EB16
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4350 / Success
Event Submitted/Written: 06/08/2008 04:31:34 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4329 / Success
Event Submitted/Written: 06/07/2008 09:16:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4310 / Success
Event Submitted/Written: 06/06/2008 10:58:20 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4288 / Error
Event Submitted/Written: 06/06/2008 04:19:31 PM
Event ID/Source: 1511 / Userenv
Event Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Event Record #/Type4287 / Error
Event Submitted/Written: 06/06/2008 04:19:24 PM
Event ID/Source: 1515 / Userenv
Event Description:
Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15620 / Error
Event Submitted/Written: 06/08/2008 04:25:49 PM
Event ID/Source: 20106 / RemoteAccess
Event Description:
Unable to add the interface {E4BBD7FE-1295-4864-B2FB-5573FC88D2C4} with the Router Manager for the IP protocol. The
following error occurred: Cannot complete this function.

Event Record #/Type15618 / Warning
Event Submitted/Written: 06/08/2008 04:25:49 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.0.229 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type15617 / Warning
Event Submitted/Written: 06/08/2008 04:25:22 PM / 06/08/2008 04:25:48 PM
Event ID/Source: 18 / BTHUSB
Event Description:
Windows cannot store Bluetooth link keys on the local transceiver because it cannot determine whether proper security is enabled for the device.

Event Record #/Type15600 / Warning
Event Submitted/Written: 06/07/2008 11:39:12 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type15592 / Error
Event Submitted/Written: 06/07/2008 06:49:51 AM
Event ID/Source: 20106 / RemoteAccess
Event Description:
Unable to add the interface {E4BBD7FE-1295-4864-B2FB-5573FC88D2C4} with the Router Manager for the IP protocol. The
following error occurred: Cannot complete this function.



-- End of Deckard's System Scanner: finished at 2008-06-08 19:20:23 ------------

Edited by Ball Tripper, 08 June 2008 - 08:10 PM.
