Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

VUNDO and others [RESOLVED]

Started by GrapleIRIS , Jul 01 2008 04:08 PM

  • This topic is locked This topic is locked

#1
GrapleIRIS
Posted 01 July 2008 - 04:08 PM

GrapleIRIS

    Member

  • Member
  • PipPip
  • 16 posts
I run Windows XP.
My computer has been infected with Vundo, as well as a host of other malware/spyware issues. This resulted in multiple pop ups and my Auto Updates being turned off. I have scanned using Antivir, Spybot, Adaware, BitDefender, and Micro Trend Housecall without successful disinfection

I have followed the instructions listed on the site and have run Vundofix and VirtumundBgone to no avail.

I then followed through with your suggestions and have run ATF cleaner, created a restore point, scanned with Malwarebytes, scanned with SuperAntiSpyware, and then with Panda. THe Panda scan bombed out on me: I'm not sure if it's the infection or my connection or???

I'm posting all of the results I have.

Could someone please help me with this issue? I've been working on it for days and am really quite frustrated. Thank you in advance.

VundoFix V7.0.6

Scan started at 2:53:13 PM 7/1/2008

Listing files found while scanning....

C:\Windows\system32\pmnljICs.dll
C:\Windows\system32\sCIjlnmp.ini
C:\Windows\system32\sCIjlnmp.ini2

Beginning removal...

Attempting to delete C:\Windows\system32\pmnljICs.dll
C:\Windows\system32\pmnljICs.dll Could not be deleted.

Attempting to delete C:\Windows\system32\sCIjlnmp.ini
C:\Windows\system32\sCIjlnmp.ini Has been deleted!

Attempting to delete C:\Windows\system32\sCIjlnmp.ini2
C:\Windows\system32\sCIjlnmp.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\Windows\system32\pmnljICs.dll
C:\Windows\system32\pmnljICs.dll Has been deleted!

Attempting to delete C:\Windows\system32\sCIjlnmp.ini
C:\Windows\system32\sCIjlnmp.ini Has been deleted!

Attempting to delete C:\Windows\system32\sCIjlnmp.ini2
C:\Windows\system32\sCIjlnmp.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.6

Scan started at 3:22:37 PM 7/1/2008

Listing files found while scanning....

C:\Windows\system32\JjkQWyxx.ini
C:\Windows\system32\JjkQWyxx.ini2
C:\Windows\system32\xxyWQkjJ.dll




[07/01/2008, 15:12:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jack\Desktop\VirtumundoBeGone.exe" )
[07/01/2008, 15:12:59] - Detected System Information:
[07/01/2008, 15:12:59] - Windows Version: 5.1.2600, Service Pack 2
[07/01/2008, 15:12:59] - Current Username: Jack (Admin)
[07/01/2008, 15:12:59] - Windows is in NORMAL mode.
[07/01/2008, 15:12:59] - Searching for Browser Helper Objects:
[07/01/2008, 15:12:59] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/01/2008, 15:12:59] - BHO 2: {1BEBAF8A-2BB8-4AAD-A7D8-4C126F991317} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\pmnljICs
[07/01/2008, 15:12:59] - Key not found: HKLM\...\Winlogon\Notify\pmnljICs, continuing.
[07/01/2008, 15:12:59] - BHO 3: {3A34559B-BA5B-4815-B90A-8CA324331961} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\mlJYqPjh
[07/01/2008, 15:12:59] - Key not found: HKLM\...\Winlogon\Notify\mlJYqPjh, continuing.
[07/01/2008, 15:12:59] - BHO 4: {41B93EB1-608A-465B-A1F0-EA1DFEC3E247} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\urqOHAPh
[07/01/2008, 15:12:59] - Found: HKLM\...\Winlogon\Notify\urqOHAPh - This is probably Virtumundo.
[07/01/2008, 15:12:59] - Assigning {41B93EB1-608A-465B-A1F0-EA1DFEC3E247} MSEvents Object
[07/01/2008, 15:12:59] - BHO list has been changed! Starting over...
[07/01/2008, 15:12:59] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/01/2008, 15:12:59] - BHO 2: {1BEBAF8A-2BB8-4AAD-A7D8-4C126F991317} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\pmnljICs
[07/01/2008, 15:12:59] - Key not found: HKLM\...\Winlogon\Notify\pmnljICs, continuing.
[07/01/2008, 15:12:59] - BHO 3: {3A34559B-BA5B-4815-B90A-8CA324331961} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\mlJYqPjh
[07/01/2008, 15:12:59] - Key not found: HKLM\...\Winlogon\Notify\mlJYqPjh, continuing.
[07/01/2008, 15:12:59] - BHO 4: {41B93EB1-608A-465B-A1F0-EA1DFEC3E247} (MSEvents Object)
[07/01/2008, 15:12:59] - ALERT: Found MSEvents Object!
[07/01/2008, 15:12:59] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[07/01/2008, 15:12:59] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/01/2008, 15:12:59] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/01/2008, 15:12:59] - BHO 8: {966FBE09-02AC-4778-A1A8-881D1D78DAF6} ()
[07/01/2008, 15:12:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:12:59] - Checking for HKLM\...\Winlogon\Notify\xxyWQkjJ
[07/01/2008, 15:12:59] - Key not found: HKLM\...\Winlogon\Notify\xxyWQkjJ, continuing.
[07/01/2008, 15:12:59] - Finished Searching Browser Helper Objects
[07/01/2008, 15:12:59] - *** Detected MSEvents Object
[07/01/2008, 15:12:59] - Trying to remove MSEvents Object...
[07/01/2008, 15:13:00] - Terminating Process: IEXPLORE.EXE
[07/01/2008, 15:13:01] - Terminating Process: RUNDLL32.EXE
[07/01/2008, 15:13:01] - Disabling Automatic Shell Restart
[07/01/2008, 15:13:01] - Terminating Process: EXPLORER.EXE
[07/01/2008, 15:13:01] - Suspending the NT Session Manager System Service
[07/01/2008, 15:13:01] - Terminating Windows NT Logon/Logoff Manager
[07/01/2008, 15:13:02] - Re-enabling Automatic Shell Restart
[07/01/2008, 15:13:02] - File to disable: C:\WINDOWS\system32\urqOHAPh.dll
[07/01/2008, 15:13:02] - Renaming C:\WINDOWS\system32\urqOHAPh.dll -> C:\WINDOWS\system32\urqOHAPh.dll.vir
[07/01/2008, 15:13:02] - File successfully renamed!
[07/01/2008, 15:13:02] - Removing HKLM\...\Browser Helper Objects\{41B93EB1-608A-465B-A1F0-EA1DFEC3E247}
[07/01/2008, 15:13:02] - Removing HKCR\CLSID\{41B93EB1-608A-465B-A1F0-EA1DFEC3E247}
[07/01/2008, 15:13:02] - Adding Kill Bit for ActiveX for GUID: {41B93EB1-608A-465B-A1F0-EA1DFEC3E247}
[07/01/2008, 15:13:02] - Deleting ATLEvents/MSEvents Registry entries
[07/01/2008, 15:13:02] - Removing HKLM\...\Winlogon\Notify\urqOHAPh
[07/01/2008, 15:13:02] - Searching for Browser Helper Objects:
[07/01/2008, 15:13:02] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/01/2008, 15:13:02] - BHO 2: {1BEBAF8A-2BB8-4AAD-A7D8-4C126F991317} ()
[07/01/2008, 15:13:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:13:02] - Checking for HKLM\...\Winlogon\Notify\pmnljICs
[07/01/2008, 15:13:02] - Key not found: HKLM\...\Winlogon\Notify\pmnljICs, continuing.
[07/01/2008, 15:13:02] - BHO 3: {3A34559B-BA5B-4815-B90A-8CA324331961} ()
[07/01/2008, 15:13:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:13:02] - Checking for HKLM\...\Winlogon\Notify\mlJYqPjh
[07/01/2008, 15:13:02] - Key not found: HKLM\...\Winlogon\Notify\mlJYqPjh, continuing.
[07/01/2008, 15:13:02] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[07/01/2008, 15:13:02] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/01/2008, 15:13:02] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/01/2008, 15:13:02] - BHO 7: {966FBE09-02AC-4778-A1A8-881D1D78DAF6} ()
[07/01/2008, 15:13:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/01/2008, 15:13:02] - Checking for HKLM\...\Winlogon\Notify\xxyWQkjJ
[07/01/2008, 15:13:02] - Key not found: HKLM\...\Winlogon\Notify\xxyWQkjJ, continuing.
[07/01/2008, 15:13:02] - Finished Searching Browser Helper Objects
[07/01/2008, 15:13:02] - Finishing up...
[07/01/2008, 15:13:02] - A restart is needed.
[07/01/2008, 15:13:02] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[07/01/2008, 15:13:29] - Attempting to Restart via STOP error (Blue Screen!)





Malwarebytes' Anti-Malware 1.19
Database version: 912
Windows 5.1.2600 Service Pack 2

3:50:23 PM 7/1/2008
mbam-log-7-1-2008 (15-50-23).txt

Scan type: Quick Scan
Objects scanned: 44919
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sftnxdad.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41b93eb1-608a-465b-a1f0-ea1dfec3e247} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7cf3c19f-131a-411a-8983-f5df7c7b8efa} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d6cb182b-1211-426b-8e68-1757f04dbe63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a707b81b-1cb7-419e-9389-2f2e38a5c479} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c3bd3eac-9c71-45c9-b7a7-3ce52487bc61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8d193878-b80b-4617-91ac-294c1212e8fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.btgx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gxvpsafm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{41b93eb1-608a-465b-a1f0-ea1dfec3e247} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68c51179 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bxmyjsej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jesjymxb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sftnxdad.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dadxntfs.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqOHAPh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.





SUPERAntiSpyware Scan Log
Generated 07/01/2008 at 04:50 PM

Application Version : 3.6.1000

Core Rules Database Version : 3494
Trace Rules Database Version: 1485

Scan type : Complete Scan
Total Scan Time : 00:43:28

Memory items scanned : 390
Memory threats detected : 0
Registry items scanned : 5920
Registry threats detected : 9
File items scanned : 41782
File threats detected : 3

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\InprocServer32
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\InprocServer32#ThreadingModel
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\ProgID
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\Programmable
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\TypeLib
HKCR\CLSID\{A60C6234-48AB-4295-B542-24F8679FA15C}\VersionIndependentProgID
C:\WINDOWS\GXVPSAFM.DLL

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP44\A0006499.DLL

Trojan.Net-MSV/VPS-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0007477.DLL






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53:15, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jack\Desktop\spyware\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BEBAF8A-2BB8-4AAD-A7D8-4C126F991317} - C:\WINDOWS\system32\pmnljICs.dll (file missing)
O2 - BHO: (no name) - {3A34559B-BA5B-4815-B90A-8CA324331961} - C:\WINDOWS\system32\mlJYqPjh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FE674F8F-6974-443B-8A9C-590B79A9E7B0} - C:\WINDOWS\system32\xxyWQkjJ.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 6468 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 02 July 2008 - 08:02 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right clicking and selecting send to Zip file

Then upload that as an attachment in your next post.
  • 0

#3
GrapleIRIS
Posted 02 July 2008 - 10:48 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thank you so much for getting back to me so quickly!

Please understand that I am working IT around here (involuntarily, might add--my degree is in psychology!) and that I only have access to this machine 3 days per week...so I may be slower to respond than you'd like.

A note of interest: my automatic updates have remained turned on, however Antivir reports a detection as follows:

Virus or unwanted program 'TR/Vapsup.hgm [trojan]'
detected in file 'C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP47\A0006766.exe.
Action performed: Deny access

I have followed your instructions. The zipped file you wanted is attatched.

Thanks again

Brenda

Attached Files


  • 0

#4
Rorschach112
Posted 03 July 2008 - 12:18 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You need to post the .run file, not the log file

It should be around 100kb, zip it as well
  • 0

#5
GrapleIRIS
Posted 04 July 2008 - 03:40 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Ok here is a second try at getting you the run file.

Thank you for your help.

Brenda

Attached Files


  • 0

#6
Rorschach112
Posted 04 July 2008 - 03:56 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download the zipped attachment at the end of this post (this will be your runscanner file fixed by me)

  • Unzip it to your desktop then double click the runscanner icon this will run the program.
  • You will notice several entries in red.
  • Click the button at the top called Fix selected items
  • Accept the warning(s) and repeat until they are all gone.
  • Reboot your PC




Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#7
GrapleIRIS
Posted 04 July 2008 - 10:46 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
OK Done:

Main.txt:

Deckard's System Scanner v20071014.68
Run by Jack on 2008-07-05 00:39:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
56: 2008-07-05 04:39:50 UTC - RP56 - Deckard's System Scanner Restore Point
55: 2008-07-04 05:02:03 UTC - RP55 - System Checkpoint
54: 2008-07-03 04:36:48 UTC - RP54 - Installed WinZip 11.2
53: 2008-07-02 23:38:13 UTC - RP53 - System Checkpoint
52: 2008-07-01 21:42:07 UTC - RP52 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-01 05:10:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:40:24, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jack\Desktop\dss.exe
C:\DOCUME~1\Jack\Desktop\spyware\Jack.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 6170 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Jack\Desktop\spyware\backups\) --------

backup-20080701-055636-168 O2 - BHO: (no name) - {3A34559B-BA5B-4815-B90A-8CA324331961} - C:\WINDOWS\system32\mlJYqPjh.dll (file missing)
backup-20080701-055636-271 O2 - BHO: (no name) - {CD0E0A82-D31E-4AFF-9735-3CA4F3DB800C} - C:\WINDOWS\system32\urqPgHaB.dll (file missing)
backup-20080701-055636-524 O2 - BHO: (no name) - {325C8E49-876D-4C28-BA59-EF82B0F2D227} - C:\WINDOWS\system32\fccaBuUM.dll (file missing)
backup-20080701-055636-744 O2 - BHO: (no name) - {1DA6E8ED-1F9C-4FA8-BA60-42F40A19DD16} - C:\WINDOWS\system32\xxyYRlIY.dll (file missing)
backup-20080701-055636-805 O2 - BHO: (no name) - {80B3BA31-2937-43AC-B555-B135D73B5BAE} - C:\WINDOWS\system32\urqPhgGx.dll (file missing)
backup-20080701-055636-827 O2 - BHO: (no name) - {07AEC47F-ECD8-4E6E-B9FA-2FB76595FF3B} - (no file)
backup-20080701-055636-933 O20 - Winlogon Notify: urqOHAPh - C:\WINDOWS\SYSTEM32\urqOHAPh.dll
backup-20080701-055636-937 O21 - SSODL: qegbdmwf - {909155E9-5E98-435C-A674-184659F682F9} - C:\WINDOWS\qegbdmwf.dll (file missing)
backup-20080701-055636-940 O2 - BHO: (no name) - {E83A3DA2-218D-4656-BD83-FF3E1292E80F} - C:\WINDOWS\system32\urqPfCVL.dll (file missing)
backup-20080701-055636-983 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080701-055937-380 O2 - BHO: (no name) - {41B93EB1-608A-465B-A1F0-EA1DFEC3E247} - C:\WINDOWS\system32\urqOHAPh.dll
backup-20080701-055937-857 O2 - BHO: (no name) - {3A34559B-BA5B-4815-B90A-8CA324331961} - C:\WINDOWS\system32\mlJYqPjh.dll (file missing)
backup-20080701-063900-677 O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
backup-20080701-063900-760 O4 - HKLM\..\Run: [68c51179] rundll32.exe "C:\WINDOWS\system32\bxmyjsej.dll",b

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&BB29FA6&0&00F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&BB29FA6&0&00F0
Service:


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-03 00:36:51 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-01 17:43:08 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-01 17:42:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-01 16:56:44 0 d-------- C:\Program Files\Panda Security
2008-07-01 15:59:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-01 15:59:36 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-01 15:59:36 0 d-------- C:\Documents and Settings\Jack\Application Data\SUPERAntiSpyware.com
2008-07-01 15:44:56 0 d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-07-01 15:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-01 15:44:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-01 15:43:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-01 14:53:13 0 d-------- C:\VundoFix Backups
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Templates
2008-07-01 06:23:46 0 dr------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Start Menu
2008-07-01 06:23:46 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\SendTo
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Recent
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\PrintHood
2008-07-01 06:23:46 229376 --ah----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\NTUSER.DAT
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\NetHood
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\My Documents
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Local Settings
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Favorites
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Desktop
2008-07-01 06:23:46 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Cookies
2008-07-01 06:23:46 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Application Data
2008-07-01 06:23:46 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Application Data\Microsoft
2008-07-01 05:15:30 238815 --ahs---- C:\WINDOWS\system32\hjPqYJlm.ini2
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Templates
2008-07-01 04:29:05 0 dr------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Start Menu
2008-07-01 04:29:05 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\SendTo
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Recent
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\PrintHood
2008-07-01 04:29:05 229376 --ah----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\NTUSER.DAT
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\NetHood
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\My Documents
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Local Settings
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Favorites
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Desktop
2008-07-01 04:29:05 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Cookies
2008-07-01 04:29:05 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Application Data
2008-07-01 04:29:05 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Application Data\Microsoft
2008-07-01 03:52:28 238040 --ahs---- C:\WINDOWS\system32\xGghPqru.ini2
2008-07-01 02:52:57 0 d-------- C:\Documents and Settings\Jack\Application Data\HouseCall 6.6
2008-07-01 02:35:36 0 d-------- C:\Documents and Settings\Jack\.housecall6.6
2008-07-01 02:34:37 0 d-------- C:\WINDOWS\Sun
2008-07-01 02:34:37 0 d-------- C:\Documents and Settings\Jack\Application Data\Sun
2008-07-01 01:10:23 254156 --ahs---- C:\WINDOWS\system32\MUuBaccf.ini2
2008-06-28 01:37:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-28 01:00:12 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-28 00:33:34 0 d-------- C:\WINDOWS\pss
2008-06-27 23:16:55 0 d-------- C:\Documents and Settings\Jack\Application Data\Symantec
2008-06-27 23:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 23:06:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-27 19:28:01 239395 --ahs---- C:\WINDOWS\system32\YIlRYyxx.ini2
2008-06-27 19:17:34 2210 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-27 19:16:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-27 19:16:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-27 19:16:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-27 19:16:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-27 19:16:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-27 19:16:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-27 17:46:56 238442 --ahs---- C:\WINDOWS\system32\LVCfPqru.ini2
2008-06-27 03:25:00 0 d-------- C:\Documents and Settings\Jack\Application Data\TmpRecentIcons
2008-06-26 17:22:59 283450 --ahs---- C:\WINDOWS\system32\BaHgPqru.ini2
2008-06-19 01:21:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-19 01:20:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-15 03:17:09 0 d-------- C:\WINDOWS\network diagnostic
2008-06-10 04:23:29 4608 --a------ C:\WINDOWS\system32\rnasmm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-06-10 04:23:29 9728 --a------ C:\WINDOWS\system32\rnaph.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-06-10 04:23:28 0 d-------- C:\Program Files\Juno
2008-06-10 04:10:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 04:03:28 0 d-------- C:\Documents and Settings\Jack\Application Data\Macromedia
2008-06-10 04:03:28 0 d-------- C:\Documents and Settings\Jack\Application Data\Adobe
2008-06-10 03:59:42 0 d-------- C:\Program Files\Lavasoft
2008-06-10 03:59:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-10 03:59:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 03:54:21 0 d--hs---- C:\Documents and Settings\Jack\UserData
2008-06-10 03:00:26 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-10 02:20:49 0 d-------- C:\Program Files\Avery Dennison
2008-06-10 02:20:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Avery
2008-06-10 02:20:10 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-10 01:01:28 0 d-------- C:\Documents and Settings\Jack\Contacts
2008-06-10 01:00:00 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-10 00:56:57 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-10 00:56:54 0 d-------- C:\Program Files\Windows Live
2008-06-10 00:56:47 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-09 14:39:08 0 d-------- C:\Program Files\Microsoft Works
2008-06-09 14:38:20 0 d-------- C:\Program Files\Microsoft.NET
2008-06-09 14:36:35 0 d-------- C:\WINDOWS\SHELLNEW
2008-06-09 14:36:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-09 14:35:48 0 dr-h----- C:\MSOCache
2008-06-09 03:56:42 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-09 00:20:59 327168 --a------ C:\WINDOWS\system32\RPROHTMLHelp.dll <Not Verified; Intuit Inc.; QuickBooks Point of Sale>
2008-06-09 00:20:58 206336 --a------ C:\WINDOWS\system32\VIC32.DLL <Not Verified; Catenary Systems; Victor Image Processing Library>
2008-06-09 00:20:57 1044480 --a------ C:\WINDOWS\system32\ROBOEX32.DLL <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9.2>
2008-06-09 00:20:57 49152 --a------ C:\WINDOWS\system32\INETWH32.DLL <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2008-06-09 00:20:56 167936 --a------ C:\WINDOWS\system32\ILANOT32.DLL <Not Verified; Creative Development LTD; >
2008-06-09 00:20:56 125440 --a------ C:\WINDOWS\system32\DZIP32.DLL <Not Verified; Inner Media, Inc.; DynaZIP-32>
2008-06-09 00:20:56 98304 --a------ C:\WINDOWS\system32\DUNZIP32.DLL <Not Verified; Inner Media, Inc.; DynaZIP-32>
2008-06-09 00:02:59 0 d-------- C:\Program Files\Avira
2008-06-09 00:02:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 23:43:32 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-08 23:18:34 0 d-------- C:\Program Files\Common Files\supportsoft
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Templates
2008-06-08 23:18:14 0 dr------- C:\Documents and Settings\QBDataServiceUser18\Start Menu
2008-06-08 23:18:14 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18\SendTo
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Recent
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\PrintHood
2008-06-08 23:18:14 1572864 --ah----- C:\Documents and Settings\QBDataServiceUser18\NTUSER.DAT
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\NetHood
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\My Documents
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Local Settings
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\Favorites
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\Desktop
2008-06-08 23:18:14 0 d---s---- C:\Documents and Settings\QBDataServiceUser18\Cookies
2008-06-08 23:18:14 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18\Application Data
2008-06-08 23:18:14 0 d---s---- C:\Documents and Settings\QBDataServiceUser18\Application Data\Microsoft
2008-06-08 23:18:03 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-06-08 23:15:49 0 d-------- C:\Program Files\Intuit
2008-06-08 23:15:49 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-08 23:15:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-08 23:11:09 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-06-08 23:10:55 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 22:58:43 0 d-------- C:\WINDOWS\system32\Lang
2008-06-08 22:54:22 0 d-------- C:\Program Files\Java
2008-06-08 22:54:21 0 d-------- C:\Program Files\Common Files\Java
2008-06-08 22:51:19 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-06-08 22:51:18 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-08 22:51:09 0 d-------- C:\Intel
2008-06-08 22:50:16 0 d-------- C:\Program Files\Intel
2008-06-08 22:50:15 0 d-------- C:\Documents and Settings\Jack\Application Data\InstallShield
2008-06-08 22:49:08 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-06-08 22:48:50 0 d-------- C:\WINDOWS\system32\RTCOM
2008-06-08 22:48:18 0 d-------- C:\Program Files\Realtek
2008-06-08 22:48:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 22:48:13 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-06-08 22:48:13 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-06-08 22:48:11 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-08 22:46:00 0 d-------- C:\WINDOWS\system32\vmm32
2008-06-08 22:46:00 0 d-------- C:\Program Files\Dell
2008-06-08 22:28:24 0 d-------- C:\Documents and Settings\Jack\Application Data\Identities
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\Templates
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\Start Menu
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\SendTo
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\Recent
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\PrintHood
2008-06-08 22:28:18 3145728 --ah----- C:\Documents and Settings\Jack\NTUSER.DAT
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\NetHood
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\My Documents
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\Local Settings
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\Favorites
2008-06-08 22:28:18 0 d-------- C:\Documents and Settings\Jack\Desktop
2008-06-08 22:28:18 0 d--hs---- C:\Documents and Settings\Jack\Cookies
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\Application Data
2008-06-08 22:26:31 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-08 22:26:30 0 d-------- C:\WINDOWS\Prefetch
2008-06-08 22:26:29 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-06-08 22:26:29 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-06-08 22:26:29 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-06-08 22:26:29 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-06-08 22:26:29 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-06-08 22:26:29 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-06-08 22:26:11 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-06-08 22:26:11 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-06-08 22:26:11 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-06-08 22:26:11 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-06-08 22:26:11 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-06-08 22:24:07 0 d-------- C:\WINDOWS\system32\xircom
2008-06-08 22:24:07 0 d-------- C:\Program Files\microsoft frontpage
2008-06-08 22:24:00 229376 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-06-08 22:24:00 0 d-------- C:\DELL
2008-06-08 22:23:52 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-08 22:23:38 0 -rahs---- C:\MSDOS.SYS
2008-06-08 22:23:38 0 -rahs---- C:\IO.SYS
2008-06-08 22:23:38 0 --a------ C:\CONFIG.SYS
2008-06-08 22:23:38 0 --a------ C:\AUTOEXEC.BAT
2008-06-08 22:22:49 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-06-08 22:22:42 0 dr------- C:\WINDOWS\Offline Web Pages
2008-06-08 22:22:41 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-06-08 22:22:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-08 22:22:18 0 d-------- C:\WINDOWS\system32\DirectX
2008-06-08 22:21:54 0 d---s---- C:\WINDOWS\Tasks
2008-06-08 22:21:53 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-08 22:21:51 0 d-------- C:\WINDOWS\srchasst
2008-06-08 22:21:50 0 d-------- C:\WINDOWS\system32\Macromed
2008-06-08 22:21:45 0 d-------- C:\Program Files\Movie Maker
2008-06-08 22:21:39 0 d-------- C:\WINDOWS\system32\Restore
2008-06-08 22:21:10 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-08 22:20:57 0 d-------- C:\WINDOWS\Registration
2008-06-08 22:20:51 0 d-------- C:\Program Files\Online Services
2008-06-08 22:20:47 0 d-------- C:\Program Files\Messenger
2008-06-08 22:20:44 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-08 22:20:16 0 d-------- C:\Program Files\Windows NT
2008-06-08 22:20:14 0 d-------- C:\WINDOWS\system32\MsDtc
2008-06-08 22:20:13 0 d-------- C:\WINDOWS\system32\Com
2008-06-08 18:12:01 0 d--hs---- C:\WINDOWS\Installer
2008-06-08 18:12:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-08 18:11:59 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-08 18:11:58 0 dr------- C:\Program Files
2008-06-08 18:11:58 0 d-------- C:\Program Files\Common Files
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-06-08 18:11:39 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-06-08 18:11:39 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-06-08 18:11:39 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\All Users\Documents
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-06-08 18:11:29 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-06-08 18:11:29 0 d-------- C:\WINDOWS\system32\CatRoot
2008-06-08 18:11:24 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-06-08 18:11:24 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-06-08 18:11:24 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-06-08 18:11:24 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-06-08 18:11:05 0 d--hs---- C:\System Volume Information
2008-06-08 18:11:05 0 d-------- C:\Documents and Settings
2008-06-08 18:05:37 0 d-------- C:\WINDOWS
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\WinSxS
2008-06-08 18:05:37 0 dr------- C:\WINDOWS\Web
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\twain_32
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\wins
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\wbem
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\usmt
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\spool
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ShellExt
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\Setup
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ras
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\oobe
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\npp
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\mui
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\inetsrv
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\IME
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\icsxml
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ias
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\export
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-06-08 18:05:37 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\dhcp
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\config
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\3076
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\2052
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1054
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1042
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1041
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1037
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1033
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1031
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1028
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1025
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\security
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Resources
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\repair
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Provisioning
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\PeerNet
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\pchealth
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\mui
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\msapps
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\msagent
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Media
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\java
2008-06-08 18:05:37 0 d--h----- C:\WINDOWS\inf
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\ime
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Help
2008-06-08 18:05:37 0 dr--s---- C:\WINDOWS\Fonts
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\ehome
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Driver Cache
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\dell
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Debug
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Cursors
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Connection Wizard
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Config
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\AppPatch
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-06-08 18:11:39 62 --ahs---- C:\Documents and Settings\Jack\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [04/26/2007 14:27 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 18:43 C:\WINDOWS\Alcmtr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/16/2007 19:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/16/2007 19:51]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/16/2007 19:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2/27/2008 9:00:46 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [4/28/2008 11:20:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8711 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-05 00:41:16 ------------







extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU E2160 @ 1.80GHz
CPU 1: Intel® Pentium® Dual CPU E2160 @ 1.80GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2037.1 MiB / 1570.89 MiB
Pagefile Memory (total/avail): 3930.09 MiB / 3476.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.41 MiB

C: is Fixed (NTFS) - 232.78 GiB total, 222.01 GiB free.
D: is Removable (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is CDROM (No Media)
I: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-75NCB3 - 232.83 GiB - 2 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 232.78 GiB - C:

\\.\PHYSICALDRIVE1 - Memorex TD Classic 003C USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 245.98 MiB - I:

\\.\PHYSICALDRIVE2 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE5 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Juno\\bin\\juno.exe"="C:\\Program Files\\Juno\\bin\\juno.exe:*:Enabled:Juno"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jack\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STINSON-1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jack
LOGONSERVER=\\STINSON-1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jack\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jack\LOCALS~1\Temp
USERDOMAIN=STINSON-1
USERNAME=Jack
USERPROFILE=C:\Documents and Settings\Jack
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jack (admin)
QBDataServiceUser18.STINSON-1.000
QBDataServiceUser18.STINSON-1 (new local)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office system --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Dell Resource CD --> MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
DesignPro 5.4 Limited Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\C1URKXMN\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Jack\Application Data\HouseCall 6.6\uninstaller.exe"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Juno --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11D696C6-0A0C-499A-B431-6190F9DC1904}\setup.exe" Uninstall
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickBooks Point of Sale --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8A88636-9D7B-4755-B86E-733A52AB88A6}\Setup.exe" -l0x9 UNINSTALL
QuickBooks Pro 2008 --> msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2008" ADDREMOVE=1
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Update for Office 2007 (KB932080) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1417 / Error
Event Submitted/Written: 07/05/2008 00:33:13 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1416 / Warning
Event Submitted/Written: 07/04/2008 08:08:27 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Monderb.318208.1C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0007471.dll

Event Record #/Type1415 / Error
Event Submitted/Written: 07/04/2008 07:50:24 PM
Event ID/Source: 4 / QuickBooks
Event Description:
QuickBooks Pro 2008An attempt to LogOff without a logon.

Event Record #/Type1414 / Error
Event Submitted/Written: 07/04/2008 07:50:22 PM
Event ID/Source: 4 / QuickBooks
Event Description:
QuickBooks Pro 2008An attempt to LogOff without a logon.

Event Record #/Type1413 / Warning
Event Submitted/Written: 07/04/2008 06:16:31 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Monderb.318208.1C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0007471.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1930 / Warning
Event Submitted/Written: 07/02/2008 11:04:32 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1928 / Warning
Event Submitted/Written: 07/02/2008 07:29:54 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1882 / Warning
Event Submitted/Written: 07/01/2008 04:52:40 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001AA09D8095. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type1851 / Warning
Event Submitted/Written: 07/01/2008 03:42:54 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1800 / Error
Event Submitted/Written: 07/01/2008 03:15:40 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code c000021a, parameter1 e2e18bd8, parameter2 00000001, parameter3 00000000, parameter4 00000000.



-- End of Deckard's System Scanner: finished at 2008-07-05 00:41:16 ------------
  • 0

#8
Rorschach112
Posted 05 July 2008 - 08:06 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\system32\hjPqYJlm.ini2
C:\WINDOWS\system32\xGghPqru.ini2
C:\WINDOWS\system32\MUuBaccf.ini2
C:\WINDOWS\system32\YIlRYyxx.ini2
C:\WINDOWS\system32\LVCfPqru.ini2
C:\WINDOWS\system32\BaHgPqru.ini2
purity 
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new DSS log
  • 0

#9
GrapleIRIS
Posted 07 July 2008 - 02:51 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ok...here we go:

I think I got this right...the buttons on the kapersky scan were not exactly as described, but I believe I got the right thing here:

moveit log:




Explorer killed successfully
C:\WINDOWS\system32\hjPqYJlm.ini2 moved successfully.
C:\WINDOWS\system32\xGghPqru.ini2 moved successfully.
C:\WINDOWS\system32\MUuBaccf.ini2 moved successfully.
C:\WINDOWS\system32\YIlRYyxx.ini2 moved successfully.
C:\WINDOWS\system32\LVCfPqru.ini2 moved successfully.
C:\WINDOWS\system32\BaHgPqru.ini2 moved successfully.
< purity >
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07072008_155304




Kapersky scan:





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 07, 2008 16:40:47
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/07/2008
Kaspersky Anti-Virus database records: 922814
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 46685
Number of viruses found: 6
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:28:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks\qbsdklog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD Object is locked skipped
C:\Documents and Settings\Jack\Application Data\HouseCall 6.6\Backup\ellygsbt.dll.bac_a05220 Infected: Trojan.Win32.Monderb.gen skipped
C:\Documents and Settings\Jack\Application Data\HouseCall 6.6\Backup\gfetqaxsxqs.dll.bac_a05220 Infected: Trojan.Win32.Vapsup.hgm skipped
C:\Documents and Settings\Jack\Application Data\HouseCall 6.6\Backup\puhvsaty.dll.bac_a05220 Infected: Trojan.Win32.Monderb.gen skipped
C:\Documents and Settings\Jack\Application Data\Microsoft\Templates\Normal.dotm Object is locked skipped
C:\Documents and Settings\Jack\Application Data\Microsoft\Word\AutoRecovery save of New Microsoft Office Word Document.asd Object is locked skipped
C:\Documents and Settings\Jack\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jack\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Desktop\New Microsoft Office Word Document.docx Object is locked skipped
C:\Documents and Settings\Jack\Desktop\spyware\backups\backup-20080701-055937-380.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\Documents and Settings\Jack\Local Settings\Application Data\Intuit\QuickBooks\Log\18.0\QBWin.log Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\History\History.IE5\MSHist012008070720080708\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temp\~DFA59C.tmp Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.Word\~WRS{470047ED-4503-4006-935C-F3C5E57986A2}.tmp Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.Word\~WRS{C001D771-63B0-433E-9197-4AA7D6E7DFA7}.tmp Object is locked skipped
C:\Documents and Settings\Jack\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jack\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Local Settings\Temp\asat0004.tmp Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Client.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Client.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Client.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Dept.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Dept.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Dept.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\INVN.DAT Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\INVN.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\INVN.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\InvnPk.DAT Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\InvnPk.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\InvnPk.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\MnMx.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\MnMx.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Multi.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Multi.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\PO0000.DAT Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\PO0000.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\PO0000.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\poqty.dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\POQTY.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\poqty.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Price.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\PRICE.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SA200807.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SA200807.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SA200807.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SO0000.dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SO0000.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\SO0000.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\TO0000.dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\TO0000.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\TO0000.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Vendor.Dat Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Vendor.DIA Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\Vendor.IX Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\WS2\WSLCK.DAT Object is locked skipped
C:\Program Files\Intuit\QBPOS\RPRO\WS2\WSLK.DAT Object is locked skipped
C:\Program Files\Intuit\QuickBooks 2008\STINSONS VILLAGE STORE January 17 2008.QBW Object is locked skipped
C:\Program Files\Intuit\QuickBooks 2008\STINSONS VILLAGE STORE January 17 2008.QBW.TLG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP44\A0006498.dll Infected: Trojan.Win32.Vapsup.hgm skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP45\A0006588.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP46\A0006727.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zja skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP47\A0006729.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP47\A0006731.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.zvs skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP47\A0006774.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0007478.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0008368.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0008493.dll Infected: Trojan.Win32.Pakes.jmg skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0008506.dll Infected: Trojan.Win32.Monderb.gen skipped
C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP58\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




DSS scan:
Main Txt



Deckard's System Scanner v20071014.68
Run by Jack on 2008-07-07 16:43:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jack.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:04, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Jack\Desktop\OTMoveIt2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jack\Desktop\spyware\dss.exe
C:\DOCUME~1\Jack\Desktop\spyware\Jack.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 6647 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 15:55:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-07 15:55:15 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-05 01:00:35 0 d-------- C:\WINDOWS\LastGood
2008-07-03 00:36:51 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-01 17:43:08 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-01 17:42:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-07-01 16:56:44 0 d-------- C:\Program Files\Panda Security
2008-07-01 15:59:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-01 15:59:36 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-01 15:59:36 0 d-------- C:\Documents and Settings\Jack\Application Data\SUPERAntiSpyware.com
2008-07-01 15:44:56 0 d-------- C:\Documents and Settings\Jack\Application Data\Malwarebytes
2008-07-01 15:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-01 15:44:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-01 15:43:51 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-01 14:53:13 0 d-------- C:\VundoFix Backups
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Templates
2008-07-01 06:23:46 0 dr------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Start Menu
2008-07-01 06:23:46 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\SendTo
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Recent
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\PrintHood
2008-07-01 06:23:46 229376 --ah----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\NTUSER.DAT
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\NetHood
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\My Documents
2008-07-01 06:23:46 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Local Settings
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Favorites
2008-07-01 06:23:46 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Desktop
2008-07-01 06:23:46 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Cookies
2008-07-01 06:23:46 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Application Data
2008-07-01 06:23:46 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1.000\Application Data\Microsoft
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Templates
2008-07-01 04:29:05 0 dr------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Start Menu
2008-07-01 04:29:05 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\SendTo
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Recent
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\PrintHood
2008-07-01 04:29:05 229376 --ah----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\NTUSER.DAT
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\NetHood
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\My Documents
2008-07-01 04:29:05 0 d--h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Local Settings
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Favorites
2008-07-01 04:29:05 0 d-------- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Desktop
2008-07-01 04:29:05 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Cookies
2008-07-01 04:29:05 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Application Data
2008-07-01 04:29:05 0 d---s---- C:\Documents and Settings\QBDataServiceUser18.STINSON-1\Application Data\Microsoft
2008-07-01 02:52:57 0 d-------- C:\Documents and Settings\Jack\Application Data\HouseCall 6.6
2008-07-01 02:35:36 0 d-------- C:\Documents and Settings\Jack\.housecall6.6
2008-07-01 02:34:37 0 d-------- C:\WINDOWS\Sun
2008-07-01 02:34:37 0 d-------- C:\Documents and Settings\Jack\Application Data\Sun
2008-06-28 01:37:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-28 01:00:12 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-28 00:33:34 0 d-------- C:\WINDOWS\pss
2008-06-27 23:16:55 0 d-------- C:\Documents and Settings\Jack\Application Data\Symantec
2008-06-27 23:09:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 23:06:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-27 19:17:34 2210 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-27 19:16:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-27 19:16:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-27 19:16:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-27 19:16:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-27 19:16:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-27 19:16:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-27 03:25:00 0 d-------- C:\Documents and Settings\Jack\Application Data\TmpRecentIcons
2008-06-19 01:21:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-19 01:20:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-15 03:17:09 0 d-------- C:\WINDOWS\network diagnostic
2008-06-10 04:23:29 4608 --a------ C:\WINDOWS\system32\rnasmm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-06-10 04:23:29 9728 --a------ C:\WINDOWS\system32\rnaph.dll <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-06-10 04:23:28 0 d-------- C:\Program Files\Juno
2008-06-10 04:10:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-10 04:03:28 0 d-------- C:\Documents and Settings\Jack\Application Data\Macromedia
2008-06-10 04:03:28 0 d-------- C:\Documents and Settings\Jack\Application Data\Adobe
2008-06-10 03:59:42 0 d-------- C:\Program Files\Lavasoft
2008-06-10 03:59:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-10 03:59:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 03:54:21 0 d--hs---- C:\Documents and Settings\Jack\UserData
2008-06-10 03:00:26 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-10 02:20:49 0 d-------- C:\Program Files\Avery Dennison
2008-06-10 02:20:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Avery
2008-06-10 02:20:10 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-10 01:01:28 0 d-------- C:\Documents and Settings\Jack\Contacts
2008-06-10 01:00:00 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-06-10 00:56:57 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-10 00:56:54 0 d-------- C:\Program Files\Windows Live
2008-06-10 00:56:47 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-09 14:39:08 0 d-------- C:\Program Files\Microsoft Works
2008-06-09 14:38:20 0 d-------- C:\Program Files\Microsoft.NET
2008-06-09 14:36:35 0 d-------- C:\WINDOWS\SHELLNEW
2008-06-09 14:36:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-09 14:35:48 0 dr-h----- C:\MSOCache
2008-06-09 03:56:42 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-09 00:20:59 327168 --a------ C:\WINDOWS\system32\RPROHTMLHelp.dll <Not Verified; Intuit Inc.; QuickBooks Point of Sale>
2008-06-09 00:20:58 206336 --a------ C:\WINDOWS\system32\VIC32.DLL <Not Verified; Catenary Systems; Victor Image Processing Library>
2008-06-09 00:20:57 1044480 --a------ C:\WINDOWS\system32\ROBOEX32.DLL <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9.2>
2008-06-09 00:20:57 49152 --a------ C:\WINDOWS\system32\INETWH32.DLL <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2008-06-09 00:20:56 167936 --a------ C:\WINDOWS\system32\ILANOT32.DLL <Not Verified; Creative Development LTD; >
2008-06-09 00:20:56 125440 --a------ C:\WINDOWS\system32\DZIP32.DLL <Not Verified; Inner Media, Inc.; DynaZIP-32>
2008-06-09 00:20:56 98304 --a------ C:\WINDOWS\system32\DUNZIP32.DLL <Not Verified; Inner Media, Inc.; DynaZIP-32>
2008-06-09 00:02:59 0 d-------- C:\Program Files\Avira
2008-06-09 00:02:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 23:43:32 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-08 23:18:34 0 d-------- C:\Program Files\Common Files\supportsoft
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Templates
2008-06-08 23:18:14 0 dr------- C:\Documents and Settings\QBDataServiceUser18\Start Menu
2008-06-08 23:18:14 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18\SendTo
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Recent
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\PrintHood
2008-06-08 23:18:14 1572864 --ah----- C:\Documents and Settings\QBDataServiceUser18\NTUSER.DAT
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\NetHood
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\My Documents
2008-06-08 23:18:14 0 d--h----- C:\Documents and Settings\QBDataServiceUser18\Local Settings
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\Favorites
2008-06-08 23:18:14 0 d-------- C:\Documents and Settings\QBDataServiceUser18\Desktop
2008-06-08 23:18:14 0 d---s---- C:\Documents and Settings\QBDataServiceUser18\Cookies
2008-06-08 23:18:14 0 dr-h----- C:\Documents and Settings\QBDataServiceUser18\Application Data
2008-06-08 23:18:14 0 d---s---- C:\Documents and Settings\QBDataServiceUser18\Application Data\Microsoft
2008-06-08 23:18:03 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-06-08 23:15:49 0 d-------- C:\Program Files\Intuit
2008-06-08 23:15:49 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-08 23:15:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-08 23:11:09 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-06-08 23:10:55 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 22:58:43 0 d-------- C:\WINDOWS\system32\Lang
2008-06-08 22:54:22 0 d-------- C:\Program Files\Java
2008-06-08 22:54:21 0 d-------- C:\Program Files\Common Files\Java
2008-06-08 22:51:19 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-06-08 22:51:18 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-08 22:51:09 0 d-------- C:\Intel
2008-06-08 22:50:16 0 d-------- C:\Program Files\Intel
2008-06-08 22:50:15 0 d-------- C:\Documents and Settings\Jack\Application Data\InstallShield
2008-06-08 22:49:08 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-06-08 22:48:50 0 d-------- C:\WINDOWS\system32\RTCOM
2008-06-08 22:48:18 0 d-------- C:\Program Files\Realtek
2008-06-08 22:48:18 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-08 22:48:13 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-06-08 22:48:13 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-06-08 22:48:11 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-08 22:46:00 0 d-------- C:\WINDOWS\system32\vmm32
2008-06-08 22:46:00 0 d-------- C:\Program Files\Dell
2008-06-08 22:28:24 0 d-------- C:\Documents and Settings\Jack\Application Data\Identities
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\Templates
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\Start Menu
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\SendTo
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\Recent
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\PrintHood
2008-06-08 22:28:18 3145728 --ah----- C:\Documents and Settings\Jack\NTUSER.DAT
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\NetHood
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\My Documents
2008-06-08 22:28:18 0 d--h----- C:\Documents and Settings\Jack\Local Settings
2008-06-08 22:28:18 0 dr------- C:\Documents and Settings\Jack\Favorites
2008-06-08 22:28:18 0 d-------- C:\Documents and Settings\Jack\Desktop
2008-06-08 22:28:18 0 d--hs---- C:\Documents and Settings\Jack\Cookies
2008-06-08 22:28:18 0 dr-h----- C:\Documents and Settings\Jack\Application Data
2008-06-08 22:26:31 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-08 22:26:30 0 d-------- C:\WINDOWS\Prefetch
2008-06-08 22:26:29 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-06-08 22:26:29 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-06-08 22:26:29 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-06-08 22:26:29 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-06-08 22:26:29 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-06-08 22:26:29 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-06-08 22:26:11 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-06-08 22:26:11 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-06-08 22:26:11 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-06-08 22:26:11 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-06-08 22:26:11 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-06-08 22:24:07 0 d-------- C:\WINDOWS\system32\xircom
2008-06-08 22:24:07 0 d-------- C:\Program Files\microsoft frontpage
2008-06-08 22:24:00 229376 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-06-08 22:24:00 0 d-------- C:\DELL
2008-06-08 22:23:52 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-08 22:23:38 0 -rahs---- C:\MSDOS.SYS
2008-06-08 22:23:38 0 -rahs---- C:\IO.SYS
2008-06-08 22:23:38 0 --a------ C:\CONFIG.SYS
2008-06-08 22:23:38 0 --a------ C:\AUTOEXEC.BAT
2008-06-08 22:22:49 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-06-08 22:22:42 0 dr------- C:\WINDOWS\Offline Web Pages
2008-06-08 22:22:41 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-06-08 22:22:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-08 22:22:18 0 d-------- C:\WINDOWS\system32\DirectX
2008-06-08 22:21:54 0 d---s---- C:\WINDOWS\Tasks
2008-06-08 22:21:53 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-08 22:21:51 0 d-------- C:\WINDOWS\srchasst
2008-06-08 22:21:50 0 d-------- C:\WINDOWS\system32\Macromed
2008-06-08 22:21:45 0 d-------- C:\Program Files\Movie Maker
2008-06-08 22:21:39 0 d-------- C:\WINDOWS\system32\Restore
2008-06-08 22:21:10 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-08 22:20:57 0 d-------- C:\WINDOWS\Registration
2008-06-08 22:20:51 0 d-------- C:\Program Files\Online Services
2008-06-08 22:20:47 0 d-------- C:\Program Files\Messenger
2008-06-08 22:20:44 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-08 22:20:16 0 d-------- C:\Program Files\Windows NT
2008-06-08 22:20:14 0 d-------- C:\WINDOWS\system32\MsDtc
2008-06-08 22:20:13 0 d-------- C:\WINDOWS\system32\Com
2008-06-08 18:12:01 0 d--hs---- C:\WINDOWS\Installer
2008-06-08 18:12:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-08 18:11:59 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-08 18:11:58 0 dr------- C:\Program Files
2008-06-08 18:11:58 0 d-------- C:\Program Files\Common Files
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-06-08 18:11:39 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-06-08 18:11:39 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-06-08 18:11:39 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-06-08 18:11:39 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-06-08 18:11:39 0 dr------- C:\Documents and Settings\All Users\Documents
2008-06-08 18:11:39 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-06-08 18:11:29 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-06-08 18:11:29 0 d-------- C:\WINDOWS\system32\CatRoot
2008-06-08 18:11:24 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-06-08 18:11:24 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-06-08 18:11:24 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-06-08 18:11:24 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-06-08 18:11:05 0 d--hs---- C:\System Volume Information
2008-06-08 18:11:05 0 d-------- C:\Documents and Settings
2008-06-08 18:05:37 0 d-------- C:\WINDOWS
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\WinSxS
2008-06-08 18:05:37 0 dr------- C:\WINDOWS\Web
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\twain_32
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\wins
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\wbem
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\usmt
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\spool
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ShellExt
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\Setup
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ras
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\oobe
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\npp
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\mui
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\inetsrv
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\IME
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\icsxml
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\ias
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\export
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-06-08 18:05:37 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\dhcp
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\config
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\3076
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\2052
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1054
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1042
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1041
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1037
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1033
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1031
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1028
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system32\1025
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\system
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\security
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Resources
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\repair
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Provisioning
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\PeerNet
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\pchealth
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\mui
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\msapps
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\msagent
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Media
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\java
2008-06-08 18:05:37 0 d--h----- C:\WINDOWS\inf
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\ime
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Help
2008-06-08 18:05:37 0 dr--s---- C:\WINDOWS\Fonts
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\ehome
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Driver Cache
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\dell
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Debug
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Cursors
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Connection Wizard
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\Config
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\AppPatch
2008-06-08 18:05:37 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-06-08 18:11:39 62 --ahs---- C:\Documents and Settings\Jack\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [04/26/2007 14:27 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 18:43 C:\WINDOWS\Alcmtr.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/16/2007 19:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/16/2007 19:51]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/16/2007 19:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 22:16]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2/27/2008 9:00:46 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [4/28/2008 11:20:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-07 16:43:44 ------------



Hope I got that right

Brenda
  • 0

#10
Rorschach112
Posted 08 July 2008 - 10:22 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#11
GrapleIRIS
Posted 08 July 2008 - 04:21 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello again.



Antivir has been giving me this warning:

Virus or unwanted program 'TR/Monderb.91520.2 [trojan]'
detected in file 'C:\System Volume Information\_restore{FCE6557E-159A-4F35-98E6-CB7758DB8DA2}\RP48\A0007478.dll.
Action performed: Deny access

I had already downloaded and run mbam before posting, as per the instructions posted for removing Vundo. I updated it, turned Antivir off, and ran it again.

The mbam scan found nothing however:

mbam log

Malwarebytes' Anti-Malware 1.20
Database version: 933
Windows 5.1.2600 Service Pack 2

6:08:43 PM 7/8/2008
mbam-log-7-8-2008 (18-08-43).txt

Scan type: Quick Scan
Objects scanned: 49268
Time elapsed: 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Is there a way to manually remove this file? Or perhaps turning system restore off, running antivir scan and then turning system restore back on?

awaiting your reply
many thanks for your help so far
Brenda
  • 0

#12
Rorschach112
Posted 09 July 2008 - 06:16 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
We will remove it now

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
GrapleIRIS
Posted 11 July 2008 - 10:14 PM

GrapleIRIS

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
It's been well over 24 hours, and no more warnings from Antivir...that is to say:

I THINK YOU'VE DONE IT!!!

This machine seems to be working very nicely and clear from any malware/virus/spyware.

Thank you SO much!

I have taken into grave consideration the suggestions you posted and have implemented most of them already.

You are an internet angel!

Brenda
  • 0

#14
Rorschach112
Posted 12 July 2008 - 06:00 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP