
Please Help - Virus? (Google Redirect and Other Malware)



#1
gcorbett (New Member, 5 posts)
Hello - I have a big problem - it looks like some malware.

The virus/spyware redirects all links from Google - AND it also prevents me from downloading Malware removal software such as HiJackThis, SpyBot, and Ad-Aware...

I've tried turning things off using the startup control panel... it still doesn't work... I was able to get an Ad-Aware scan to run - but there are still problems... new spyware cookies are added all the time as well...

The only way I was able to get the following HiJackThis log was by downloading HJT to another computer and transferring it on a USB memory stick.

It even prevents me from registering at this website (I am using another computer and transferred the HJT logfile using a USB stick...)

Please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:53 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\program files\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\GCorbett\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://keconnect/
O3 - Toolbar: nqgpedlr - {08E11E95-E8E4-43DD-B762-43F2159C8759} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'Default user')
O4 - .DEFAULT User Startup: Interwoven Current User Registry Install.lnk = C:\WINDOWS\Interwoven Current User Registry.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O15 - Trusted Zone: *.qa.kirkland.com
O15 - Trusted Zone: *.test.kirkland.com
O15 - Trusted Zone: http://AttendanceRep...ng.kirkland.com
O15 - Trusted Zone: http://blackberry.kirkland.com
O15 - Trusted Zone: http://EU-iSolve.kirkland.com
O15 - Trusted Zone: http://eu-kedmssvc.kirkland.com
O15 - Trusted Zone: http://eu.kemsam.kirkland.com
O15 - Trusted Zone: http://fundstest.kirkland.com
O15 - Trusted Zone: http://iSolve.kirkland.com
O15 - Trusted Zone: http://kecollab-admin.kirkland.com
O15 - Trusted Zone: http://kecollab-atty.kirkland.com
O15 - Trusted Zone: http://kedmssvc.kirkland.com
O15 - Trusted Zone: http://kemsam.kirkland.com
O15 - Trusted Zone: http://keni.kirkland.com
O15 - Trusted Zone: http://kenitest.kirkland.com
O15 - Trusted Zone: http://kenotesapp1.kirkland.com
O15 - Trusted Zone: http://kenotesqa1.kirkland.com
O15 - Trusted Zone: keris.kirkland.com
O15 - Trusted Zone: KESurveys.kirkland.com
O15 - Trusted Zone: http://KnowNow.kirkland.com
O15 - Trusted Zone: http://KronosOTTools.kirkland.com
O15 - Trusted Zone: http://remote.kirkland.com
O15 - Trusted Zone: http://review.kirkland.com
O15 - Trusted Zone: reviewtest.kirkland.com
O15 - Trusted Zone: http://roomtracker.kirkland.com
O15 - Trusted Zone: *.kirkland.com
O15 - Trusted Zone: *.westlaw.com
O15 - Trusted Zone: *.qa.kirkland.com (HKLM)
O15 - Trusted Zone: *.test.kirkland.com (HKLM)
O15 - Trusted Zone: *.kirkland.com (HKLM)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remote.kirkl...ca32/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151020131811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194851856046
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://ftp.samsungse...uiSECIE_eng.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kirkland.com
O17 - HKLM\Software\..\Telephony: DomainName = kirkland.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kirkland.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O21 - SSODL: okmdepgb - {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\program files\notes\ntmulti.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10067 bytes


#2
gcorbett (Topic Starter)
Also... after reading some other posts with similar problems - I tried to run COMBOFIX...

BUT - it does not run (I think the virus is preventing it from running?)

I double-click on COMBOFIX and the hourglass appears for a moment - but nothing happens...

I know that my COMBOFIX is fine - because I ran it on another (non-infected) computer...

#3
gcorbett (Topic Starter)
One other thing I forgot to mention - the virus changed my background wallpaper to a blue screen with a yellow text box in the middle that says "Warning Spyware Detected On Your Computer!"

#4
gcorbett (Topic Starter)
Although Combofix will not run - I was able to get DSS to work and have posted the log below.

Note that the problem first occurred yesterday (July 1) at around noon - I noticed in the DSS log that there are several "new" files that were added around that time...

Also note that I still cannot access this GEEKSTOGO website from my infected computer (I am posting from a separate computer). Likewise, I cannot access many different anti-virus and anti-spyware websites.

Thanks in advance.

- - - -

Deckard's System Scanner v20071014.68
Run by gcorbett on 2008-07-02 00:10:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-02 04:11:06 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-07-01 20:11:51 UTC - RP4 - Installed Ad-Aware
3: 2008-07-01 20:11:34 UTC - RP3 - Removed Ad-Aware SE Personal
2: 2008-07-01 16:10:26 UTC - RP2 - Last known good configuration
1: 2008-07-01 16:10:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.46 GiB (less than 15%) free.


-- HijackThis (run as gcorbett.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:21 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\program files\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GCorbett\Desktop\dss.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\DOCUME~1\GCorbett\Desktop\gcorbett.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://keconnect/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28220052-D9A9-44B1-AB98-EDC594D238B6} - C:\WINDOWS\system32\xxyywxvt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {C358357F-2E26-46C0-ACD2-474B2F8F308B} - C:\WINDOWS\system32\yayxyywV.dll
O2 - BHO: QXK Olive - {EBD82173-92C5-42F9-8A62-B573912E1F7B} - C:\WINDOWS\kgqfweltkxw.dll
O3 - Toolbar: nqgpedlr - {08E11E95-E8E4-43DD-B762-43F2159C8759} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [CurrentUser] "c:\temp\iManage Current User.exe" /s (User 'Default user')
O4 - .DEFAULT User Startup: Interwoven Current User Registry Install.lnk = C:\WINDOWS\Interwoven Current User Registry.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF269~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O15 - Trusted Zone: *.qa.kirkland.com
O15 - Trusted Zone: *.test.kirkland.com
O15 - Trusted Zone: http://AttendanceRep...ng.kirkland.com
O15 - Trusted Zone: http://blackberry.kirkland.com
O15 - Trusted Zone: http://EU-iSolve.kirkland.com
O15 - Trusted Zone: http://eu-kedmssvc.kirkland.com
O15 - Trusted Zone: http://eu.kemsam.kirkland.com
O15 - Trusted Zone: http://fundstest.kirkland.com
O15 - Trusted Zone: http://iSolve.kirkland.com
O15 - Trusted Zone: http://kecollab-admin.kirkland.com
O15 - Trusted Zone: http://kecollab-atty.kirkland.com
O15 - Trusted Zone: http://kedmssvc.kirkland.com
O15 - Trusted Zone: http://kemsam.kirkland.com
O15 - Trusted Zone: http://keni.kirkland.com
O15 - Trusted Zone: http://kenitest.kirkland.com
O15 - Trusted Zone: http://kenotesapp1.kirkland.com
O15 - Trusted Zone: http://kenotesqa1.kirkland.com
O15 - Trusted Zone: keris.kirkland.com
O15 - Trusted Zone: KESurveys.kirkland.com
O15 - Trusted Zone: http://KnowNow.kirkland.com
O15 - Trusted Zone: http://KronosOTTools.kirkland.com
O15 - Trusted Zone: http://remote.kirkland.com
O15 - Trusted Zone: http://review.kirkland.com
O15 - Trusted Zone: reviewtest.kirkland.com
O15 - Trusted Zone: http://roomtracker.kirkland.com
O15 - Trusted Zone: *.kirkland.com
O15 - Trusted Zone: *.westlaw.com
O15 - Trusted Zone: *.qa.kirkland.com (HKLM)
O15 - Trusted Zone: *.test.kirkland.com (HKLM)
O15 - Trusted Zone: *.kirkland.com (HKLM)
O15 - Trusted Zone: *.westlaw.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://remote.kirkl...ca32/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1151020131811
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1194851856046
O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://ftp.samsungse...uiSECIE_eng.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kirkland.com
O17 - HKLM\Software\..\Telephony: DomainName = kirkland.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kirkland.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: xxyywxvt - C:\WINDOWS\SYSTEM32\xxyywxvt.dll
O21 - SSODL: okmdepgb - {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\program files\notes\ntmulti.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10926 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\GCorbett\Desktop\backups\) ------------

backup-20080701-225210-732 O23 - Service: Abel - Unknown owner - C:\Program Files\Cain\Abel.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MDC80211 (iPass Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc80211.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 PGPmemlock - c:\windows\system32\drivers\pgpmemlock.sys <Not Verified; Network Associates, Inc.; PGPsdk>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 AlKernel (Altiris Kernel Driver) - c:\windows\system32\drivers\alkernel.sys
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys (file missing)
S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys (file missing)
S3 slabbus (BTWIN BM2001 USB Adapter driver (WDM)) - c:\windows\system32\drivers\slabbus.sys (file missing)
S3 slabser (BTWIN BM2001 USB Adapter Drivers) - c:\windows\system32\drivers\slabser.sys (file missing)
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 vsinstdv - c:\docume~1\gcorbett\locals~1\temp\{84d2c697-075f-4cd3-a2ab-f1666a44e9b0}\vsinstdv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>
R2 iPCAgent - c:\program files\ipass\ipassconnect\ipcagent.exe <Not Verified; iPass, Inc.; iPCAgent Module>
R2 Multi-user Cleanup Service - "c:\program files\notes\ntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 odClientService (Odyssey Client) - "c:\program files\funk software\odyssey client\odclientservice.exe" <Not Verified; Funk Software, Inc.; Odyssey>
R2 Rpcnet (Remote Procedure Call (RPC) Net) - c:\windows\system32\rpcnet.exe <Not Verified; Absolute Software Corp.; Installation/Management Application>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 AClient (Altiris Client Service) - c:\program files\altiris\aclient\aclient.exe -service <Not Verified; Altiris, Inc.; Altiris Client Agent for Windows>
S3 AeXNSClient (Altiris Agent) - c:\program files\altiris\altiris agent\aexnsagent.exe <Not Verified; Altiris, Inc.; Altiris Agent>
S3 iPassConnectEngine - c:\program files\ipass\ipassconnect\ipassconnectengine.exe <Not Verified; iPass; iPassConnectEngine Module>
S3 License Management Service ESD - "c:\program files\common files\element5 shared\service\licence manager esd.exe" <Not Verified; element5; License Management Service ESD>
S4 Abel - c:\program files\cain\abel.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {E0CBF06C-CD8B-4647-BB8A-263B43F0F974}
Description: Dell Wireless 350 Bluetooth Module
Device ID: USB\VID_413C&PID_8103\6&17D0A9A2&0&4
Manufacturer: Dell
Name: Dell Wireless 350 Bluetooth Module
PNP Device ID: USB\VID_413C&PID_8103\6&17D0A9A2&0&4
Service: BTHUSB


-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-01 18:11:58 92032 --a------ C:\WINDOWS\system32\vibygeor.dll
2008-07-01 16:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-01 12:43:43 0 d-------- C:\Program Files\Enigma Software Group
2008-07-01 12:14:14 0 d-------- C:\Documents and Settings\GCorbett\Application Data\rhcat6j0ev2n
2008-07-01 12:10:57 92032 --a------ C:\WINDOWS\system32\bdjpffoq.dll
2008-07-01 12:10:11 237866 --ahs---- C:\WINDOWS\system32\Vwyyxyay.ini2
2008-07-01 12:10:09 318720 --a------ C:\WINDOWS\system32\yayxyywV.dll
2008-07-01 12:01:00 28288 --a------ C:\WINDOWS\system32\urqNHyvW.dll
2008-07-01 12:00:54 28288 --a------ C:\WINDOWS\system32\xxyywxvt.dll
2008-07-01 12:00:19 229376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-01 12:00:19 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-01 12:00:19 81920 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-01 12:00:19 303104 --a------ C:\WINDOWS\kgqfweltkxw.dll
2008-07-01 12:00:19 94208 --a------ C:\WINDOWS\eolk.exe
2008-07-01 12:00:19 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-01 11:58:42 109056 --a------ C:\WINDOWS\system32\lphcet6j0ev2n.exe
2008-07-01 11:54:46 156672 --a------ C:\WINDOWS\sprof32.dll <Not Verified; Eastman Kodak Company; KODAK DIGITAL SCIENCE ICC Profile API>
2008-07-01 11:54:46 53760 --a------ C:\WINDOWS\PTPICK32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision PT Picker>
2008-07-01 11:54:46 58368 --a------ C:\WINDOWS\pfpick.dll <Not Verified; Eastman Kodak Company; Kodak Digital Science Profile Picker>
2008-07-01 11:54:46 48128 --a------ C:\WINDOWS\KPSYS32.DLL <Not Verified; Eastman Kodak Company; KCMS System Interface Library>
2008-07-01 11:54:46 31744 --a------ C:\WINDOWS\KPSHARP.DLL <Not Verified; Eastman Kodak Company; KODAK PRECISION Sharpen Plug-in>
2008-07-01 11:54:46 31232 --a------ C:\WINDOWS\KPSCALE.DLL <Not Verified; Eastman Kodak Company; KODAK PRECISION Scaling Plug-in>
2008-07-01 11:54:46 70144 --a------ C:\WINDOWS\KPFP32.DLL <Not Verified; Eastman Kodak Company; Kodak Precision Filter Processor (Win32)>
2008-07-01 11:54:46 243712 --a------ C:\WINDOWS\KPCP32.DLL <Not Verified; Eastman Kodak Company; KODAK DIGITAL SCIENCE Professional Color Processor (Win32)>
2008-07-01 11:54:46 39095 --a------ C:\WINDOWS\Iccsigs.dat
2008-07-01 11:54:46 20992 --a------ C:\WINDOWS\icccodes.dll <Not Verified; Eastman Kodak Company; KCMS ICCCODES>
2008-07-01 11:54:46 42483 --a------ C:\WINDOWS\ICCCODES.DAT
2008-07-01 11:54:27 33424 --a------ C:\WINDOWS\system32\URLCACHE.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-07-01 11:54:27 32792 --a------ C:\WINDOWS\SPWHPT.DLL <Not Verified; Eastman Kodak Company; Kodak Digital Science White Point>
2008-07-01 11:54:20 0 d-------- C:\WINDOWS\system32\Color
2008-07-01 11:54:20 0 d-------- C:\Kpcms


-- Find3M Report ---------------------------------------------------------------

2008-07-01 23:39:51 17408 --a------ C:\WINDOWS\system32\rpcnetp.dll
2008-07-01 23:39:50 47104 --a------ C:\WINDOWS\system32\rpcnet.dll <Not Verified; Absolute Software Corp.; Installation/Management Application>
2008-07-01 23:36:13 17408 --a------ C:\WINDOWS\system32\rpcnetp.exe
2008-07-01 21:38:33 0 d-------- C:\Program Files\notes
2008-07-01 16:11:54 0 d-------- C:\Program Files\Lavasoft
2008-07-01 16:11:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 12:02:21 679 --ah----- C:\os084633.bin
2008-07-01 11:54:20 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-11 18:19:41 0 d-------- C:\Documents and Settings\GCorbett\Application Data\Skype
2008-06-11 18:19:07 0 d-------- C:\Documents and Settings\GCorbett\Application Data\skypePM
2008-06-02 15:37:36 0 d-------- C:\Documents and Settings\GCorbett\Application Data\Adobe
2008-05-22 16:32:10 0 d-------- C:\Program Files\PicoZipRT
2008-05-22 15:58:13 0 d-------- C:\Program Files\PasswordTools
2008-05-22 15:54:26 0 d-------- C:\Program Files\ElcomSoft
2008-05-07 14:07:08 0 d-------- C:\Program Files\LimeWire2
2008-05-07 01:39:11 0 d-------- C:\Program Files\Registry Workshop
2008-04-30 01:34:11 46221 --a------ C:\WINDOWS\msginst.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28220052-D9A9-44B1-AB98-EDC594D238B6}]
07/01/2008 12:00 PM 28288 --a------ C:\WINDOWS\system32\xxyywxvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C358357F-2E26-46C0-ACD2-474B2F8F308B}]
07/01/2008 12:10 PM 318720 --a------ C:\WINDOWS\system32\yayxyywV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBD82173-92C5-42F9-8A62-B573912E1F7B}]
07/01/2008 08:15 AM 303104 --a------ C:\WINDOWS\kgqfweltkxw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\CheckPoint\Integrity Client\iclient.exe" [03/07/2007 07:48 PM]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [03/23/2006 09:52 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"CurrentUser"="c:\temp\iManage Current User.exe" /s
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoPropertiesMyDocuments"=1 (0x1)
"NoPropertiesRecycleBin"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuSubFolders"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Folders"=1 (0x1)
"Btn_Fullscreen"=1 (0x1)
"Btn_Tools"=1 (0x1)
"Btn_MailNews"=1 (0x1)
"Btn_Size"=1 (0x1)
"Btn_Print"=1 (0x1)
"Btn_Edit"=1 (0x1)
"Btn_Discussions"=2 (0x2)
"Btn_Cut"=1 (0x1)
"Btn_Copy"=1 (0x1)
"Btn_Paste"=1 (0x1)
"Btn_Encoding"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoManageMyComputerVerb"=1 (0x1)
"NoDFSTab"=1 (0x1)
"NoHardwareTab"=1 (0x1)
"NoSecurityTab"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoChangeKeyboardNavigationIndicators"=1 (0x1)
"NoChangeAnimation"=1 (0x1)
"NoThumbnailCache"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"RestrictCpl"=0 (0x0)
"DisallowRun"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"=aoldnld.exe
"2"=aolsetup.exe
"3"=bb2.exe
"4"=bb2remix.exe
"5"=bearshare.exe
"6"=bejeweled2.exe
"7"=bonzibdy.exe
"8"=cardgames.exe
"9"=funpack.exe
"10"=gmt.exe
"11"=googledesktop.exe
"12"=googledesktopcrawl.exe
"13"=googledesktopdisplay.exe
"14"=googledesktopindex.exe
"15"=googledesktopsetup.exe
"16"=GooglewebAccClient.exe
"17"=GoogleWebAcceleratorsetup.msi
"18"=GooglewebAccwarden.exe
"19"=hoyle_card_games.exe
"20"=IE7-WindowsXP-x86-enu.exe
"21"=kazaa.exe
"22"=limewire.exe
"23"=morphexe.exe
"24"=p2p networking.exe
"25"=pinball.exe
"26"=q-bert2005.exe
"27"=save.exe
"28"=sol.exe
"29"=solitaire.exe
"30"=tiptop.exe
"31"=tumblebugs.exe
"32"=weather.exe
"33"=wints.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]
"1"=Accessibility Options
"2"=Add or Remove Programs
"3"=Administrative Tools
"4"=Bluetooth Devices
"5"=Display
"6"=Fonts
"7"=Keyboard
"8"=mail
"9"=Mouse
"10"=Phone and Modem Options
"11"=Power Options
"12"=Regional and Language Options
"13"=Sounds and Audio Devices
"14"=System

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{28220052-D9A9-44B1-AB98-EDC594D238B6}"= C:\WINDOWS\system32\xxyywxvt.dll [07/01/2008 12:00 PM 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"okmdepgb"= {593C0DE6-592F-4CB6-83F7-C7B74CBC0BCE} - C:\WINDOWS\okmdepgb.dll [07/01/2008 08:15 AM 229376]
"axrfgvek"= {7C85C97D-70F3-4DC5-B6C6-6425725E6DAF} - C:\WINDOWS\axrfgvek.dll [07/01/2008 08:15 AM 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 12/08/2006 12:49 PM 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyywxvt]
xxyywxvt.dll 07/01/2008 12:00 PM 28288 C:\WINDOWS\system32\xxyywxvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayxyywV

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=DCcms1.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\0\0]
"Script"=CopyFolders.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\1\0]
"Script"=NotesIDCopyXCopy.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\2\0]
"Script"=\\kirkland.com\SysVol\kirkland.com\scripts\DCLogonScript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1154184054-119158659-1237804090-10876\Scripts\Logon\3\0]
"Script"=\\kirkland.com\SYSVOL\kirkland.com\scripts\DC Robocopy.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28bb38cb-dcd1-11dc-8850-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6355881-abb2-11dc-8827-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b777cb85-ba12-11dc-882e-0015c551fc11}]
1\Command- E:\.\RECYCLER\RECYCLER\autorun.exe -autorun
2\Command- E:\.\RECYCLER\RECYCLER\autorun.exe -autorun
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc4f7ed-d911-11dc-884a-0015c551fc11}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e80f4152-d5a5-11dc-8846-0015c551fc11}]
1\Command- .\RECYCLER\RECYCLER\autorun.exe -autorun
2\Command- .\RECYCLER\RECYCLER\autorun.exe -autorun
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe -autorun




-- Hosts -----------------------------------------------------------------------

192.168.0.103 HP0017A479D809


-- End of Deckard's System Scanner: finished at 2008-07-02 00:13:40 ------------

#5
gcorbett

    New Member

  • Topic Starter
  • Member
  • 5 posts
I think I have removed the malware.... Things seem to be working again...

I used a combination of tools discussed here for others with similar problems (CCleaner, MalwareBytes, SuperAntiSpyware, FixWareOut, Vundofix, SDFix from Safe Mode).

Some of the programs didn't run at first - but then I renamed them and they worked - the malware was apparently blocking them...

The programs say everything is clean... but it still seems slightly sluggish...

I will repost if the problems return...

Thanks