
Unable to post HTL because antispycheck keeps interfering [RESOLVED]


  • This topic is locked

#1
rgram
  • Member
  • 83 posts
Hi,
Please don't think I am double posting. I posted yesterday in the WinXP Operating System Forum about being unable to get past the BSOD (haven't had a reply yet), but was able to resolve that by F12 and clicking Last Known Configuration. My laptop is now on, yet I cannot get past the AntiSpyCheck program to get onto the geekstogo website (I am on a desktop with the infected laptop nearby) in order to do the HTL preparation. I don't know what to do with this. It keeps bringing up AntiSpyCheck EVALUATION VERSION WARNING and down in the far lower right corner a System alert box with a yellow triangle with an ! in it says that "System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware program." I am afraid to click on anything. I googled antispycheck on my desktop and it said it is a rogue program that brings viruses of its own.


I didn't know how to resolve my other post and was afraid I might "bump" it, though I am not so sure that I know what that is. I need to end the other post so that I am not rude and have someone working on it while I begin the next task in hopefully repairing this laptop. I will go back to my old post and see if I can resolve it.

Sorry that I don't know what I am doing. I will follow all the directions once I can get to the geekstogo website on the laptop! Or, can I download the preparation software...I forget the name AT something....onto a zipdrive and install it to the laptop that way?

Any help I can get is so greatly appreciated. Thank you for taking the time to help.

#2
Thunderbird1988
  • Member 2k
  • 2,416 posts
Hello rgram and welcome to Geekstogo,

Don't worry about your other topic in the Windows XP forum. You have said you have fixed your problem there, so that's fine. And you won't get help there with malware problems anyway, because this is the only section of Geekstogo where we help with malware problems.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report and, if possible, a HijackThis log in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thunderbird1988

#3
rgram
Hello Thunderbird 1988,
Thanks for your help. I am unable to see your post on the geekstogo website on the infected laptop due to the fact that another blue screen has popped up with many other little additional windows and now another BSOD with another stop message. I will try to explain the windows. In the meantime, PCTool (cleanuptool.com) has come up wanting to fix things....I don't know if this is something I should do..

Antispycheck is still on the screen....with these other small windows:

File download - Security Warning
Do you want to run or save this file?
Name: setup_sbd_en.exe
Type: Application, 1.04MB
From: cdn.bestdownloadsoft.com

Another long skinny window that says:
Warning (in a blue top border with a red X)
The rectangle contains a yellow triangle with exclamation in it
Warning: If your
computer has been
suffering from
frequent crashes,
instability or slow PC
speeds, you may have
critical errors
on you computer.

To scan for critical errors, click yes below.

Has yes and no buttons

Another small window says:
Windows Internet Explorer at the top bar
Bubble with ? in it off to the side: Notice: You have not completed your errors scan. If your computer has errors in the file system or Windows
Registry, it could cause (no duh!) unpredictable or erratic PC behavior, freezes, crashes and loss of data.
You need to install CleanupTool to scan for and, if found, fix system errors now. (Recommend)? Ok and Cancel buttons below



Now for the Blue screen of death info: I will give you what I quickly wrote down before it got covered up again:
Blue shield with a ? in it followed by: To protect your security, Internet Explorer has restricted this site (I was trying to get to my thread on G2G) from showing certain content. click for options...

A problem has been detected and windows has been shut down to previent damage to your system files and folders.
The Problem seems to be caused by the following file: MSKSSRV.sys
PAGE_FAULT_IN_NONPAGED_AREA
If this is the first time you've seen this Stop error screen, click here (underlined) to install the program to protect your system files and folders. Please read the following information carefully.

Unwanted junk files occupy blah blah blah various warnings about consuming important system resources aggravating pc performance

You've been directed to this (part of the bsod is covered by a salmon colored rectangle that I am supposed to press Enter to fix all errors)

Technical information:
***STOP:0x00000050 (0xEDBD2DB0, 0x00000000, 0xBAE4AAAF. 0x00000002)
*** MSKSSRV.sys - Adress BAE4AAF base at BAE4A000, Date Stamp 41107b0f


Numerous junk files have been detected.
It is crucial that you install the application immediately to run disc clean-up and free up hard drive space.

Click here (salmon colored rectangle) to install it.

I am not doing anything till I hear again from you. I am wondering if the laptop is trying to fix itself? Or has these warnings already installed so that it can tell you that your computer is going to crash before it does, giving yourself a chance to fix it? Is IE really warning me, or is this again some rogue program like antispycheck that is just harassing me?

another little pop up window that keeps popping up and making that pop sound, too

System Alert!
System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solution.

I am thinking that it is connected to antispyware.

What is PC cleanup tool?

Anyway, thank you for all of your help. I have tried to give you all the info that I can. Can I save the malware program to a zip drive 2GB from this desktop and then install it on the laptop to at least start the process of cleaning it up? Then maybe I can get on G2Go on the laptop? The website came up, but I couldn't get to my post and read your thread. Computer wouldn't load it and that is when the BSOD came up, a different BSOD, mind you, than I had before, with a different STOP code.

rgram

#4
Thunderbird1988
Hello rgram,

Yes, it would be a good idea to download Malwarebytes' Anti-Malware, and transfer it to the laptop.

Thunderbird1988

#5
rgram
Hi Thunderbird!
I am on the laptop!!! I did the zip drive thing and about 54 infected things needed to be dealt with, a few also that needed to be dealt with upon reboot. Hopefully this is the HTL:

Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 2

12:21:23 PM 7/23/2008
mbam-log-7-23-2008 (12-21-23).txt

Scan type: Quick Scan
Objects scanned: 45386
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 32
Registry Values Infected: 24
Registry Data Items Infected: 17
Folders Infected: 6
Files Infected: 45

Memory Processes Infected:
C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe (Rogue.VirusHeat) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\geBtRhHx.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\kgllstlv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\mlJCVnLC.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jhzpcn.dll (Trojan.Zlob) -> Unloaded module successfully.
C:\WINDOWS\system32\ygvspu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ead69dae-5832-4cd4-b642-42179e99db75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ead69dae-5832-4cd4-b642-42179e99db75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f5a54c57-5eaa-4744-be28-b7e2ca5803e3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f5a54c57-5eaa-4744-be28-b7e2ca5803e3} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{82f6fea3-a6ee-41d7-bf74-59bf9795f15e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82f6fea3-a6ee-41d7-bf74-59bf9795f15e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljcvnlc (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iewarning.warningbho (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56fa7933-dc3e-403b-8d47-bb5e3f345a21} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56fa7933-dc3e-403b-8d47-bb5e3f345a21} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iewarning.warningbho.1 (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{D2608046-DD09-A225-01BF-70C1EDD8B2E8} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Live.com (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4944188 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{82f6fea3-a6ee-41d7-bf74-59bf9795f15e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispycheck 2.1.0 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispycheck (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmb7a77214 (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\some (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtrhhx -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtrhhx -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdjpi.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearc...ce.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearc...ce.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\788877 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\AntiSpyCheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\AntiSpyCheck 2.1.0 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ygvspu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\geBtRhHx.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xHhRtBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xHhRtBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kgllstlv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vltsllgk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysuxdxsu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\usxdxusy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCVnLC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jhzpcn.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kdjpi.exe (Rootkit.DNSChanger) -> Delete on reboot.
C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck\IEWarning.dll (Rogue.PestPatrol) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\788877\788877.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBqQGyW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctqyuouy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C3HVYAJH\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\CN1D84YZ\un[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\IITS1DGA\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\W16L3E2R\setup_225_509_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\W16L3E2R\setup_243_509_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck\uninst.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck 2.1\IEWarning32.dll (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpyCheck 2.1\uninst.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\AntiSpyCheck 2.1\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\AntiSpyCheck 2.1.0\AntiSpyCheck 2.1.0.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ismdfbol.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\BMb7a77214.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb7a77214.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpyCheck 2.1.0.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\AntiSpyCheck 2.1.0.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\AntiSpyCheck 2.1.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.

Whoo Hooo!!!!
Thanks for all the work you are doing for everyone! Awaiting your next instructions!
rgram

#6
Thunderbird1988
Hello rgram,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Thunderbird1988

#7
rgram
Hi,
Sorry, but I was just reading your instructions and you said to cut and paste the malwarelog AND also, if possible, do a HTL too.
Do I now start at the preparation for a hijack this log and do that scan? I am totally willing to do that, just not sure if that is what you want me to do.
rgram

#8
rgram
Hi, Deckard's System Scanner was unable to download HT. The window before had said to make sure I allow it past my firewall. I don't know if I have one, and don't know how to do this.
rgram

#9
rgram
Hi Thunderbird 1988,
Boy, I tell you, I am so computer shy that I did not click "OK" on the "cannot download hijack this" window. But I got up the courage to do so and then clicked on cancel 'cause the underneath window said to click on it if HT could not be downloaded, so Deckard's attempted to load the HT clone and it was unable. Windows made an error report...I didn't send it...It won't let me copy the error report...I thought I could send it to you. The error report contents window is still up. Awaiting your instructions.
rgram

#10
Thunderbird1988
Hello rgram,

Let's see if we can install HijackThis manually.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis. Please close it, as we don't need it for now.

After that, please try DSS again, and if possible, post the logs of it.

Thunderbird1988

#11
rgram
Hi Thunderbird 1988,

I hope these are what you need:

.68
Run by User on 2008-07-23 14:09:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
46: 2008-07-23 20:11:36 UTC - RP114 - Deckard's System Scanner Restore Point
45: 2008-07-23 04:35:11 UTC - RP113 - System Checkpoint
44: 2008-07-17 02:40:35 UTC - RP112 - System Checkpoint
43: 2008-07-10 00:04:27 UTC - RP111 - Last known good configuration
42: 2008-07-10 00:04:21 UTC - RP110 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-10 00:04:15 UTC - RP69 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:05 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070424
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.restoreho.../www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070424
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjpi.exe] C:\WINDOWS\system32\kdjpi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179421432937
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5491 bytes

-- File Associations -----------------------------------------------------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5600 @ 1.83GHz
CPU 1: Intel® Core™2 CPU T5600 @ 1.83GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2046.05 MiB / 1569.82 MiB
Pagefile Memory (total/avail): 3938.94 MiB / 3616.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.43 MiB

C: is Fixed (NTFS) - 55.81 GiB total, 32.34 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - Hitachi HTS721060G9SA00 - 55.89 GiB - 2 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 (bootable) - Installable File System - 55.81 GiB - C:

\\.\PHYSICALDRIVE1 - USB Flash Memory USB Device - 1929.68 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1930.23 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AntiSpyCheck\\AntiSpyCheck.exe"="C:\\Program Files\\AntiSpyCheck\\AntiSpyCheck.exe:*:Enabled:AntiSpyCheck"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D3VYWVC1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\D3VYWVC1
NUMBER_OF_PROCESSORS=2
OMP_NUM_THREADS=2
OS=Windows_NT
Path=Autodesk Shared;C:\Program Files\Autodesk\Data Management Server 2008\Server\Components\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=D3VYWVC1
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AOEMView 2008 --> C:\Program Files\AOEMView 2008\Setup\Setup.exe /P {6F411DB4-EC41-482B-AD46-384957928F69} /M AOEM
Autodesk Data Management Server 2008 --> C:\Program Files\Autodesk\Data Management Server 2008\Setup\setup.exe /p {5E8ED61B-9027-4EA3-8E5B-BC2A9EE6B020} /M SERVER
Autodesk Data Management Server 2008 --> MsiExec.exe /X{5E8ED61B-9027-4EA3-8E5B-BC2A9EE6B020}
Autodesk Design Review 2008 --> MsiExec.exe /I{FACF203E-0F4D-489A-B80C-D185253C8FCB}
Autodesk Inventor Professional 2008 --> MsiExec.exe /I{7F4DD591-1200-0409-0000-7107D70F3DB4}
Autodesk Mechanical Desktop 2008 --> C:\Program Files\Autodesk\MDT 2008\Setup\Setup.exe /P {5783F2D7-6013-0409-0002-0060B0CE6BBA} /M MDT
Autodesk Vault 2008 --> C:\Program Files\Autodesk\Vault 2008\Setup\setup.exe /p {E55B00B0-9DBF-4EE1-AC1D-5DEBE12BD097} /M VAULT
Autodesk Vault 2008 --> MsiExec.exe /X{E55B00B0-9DBF-4EE1-AC1D-5DEBE12BD097}
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Broadcom Advanced Control Suite --> MsiExec.exe /X{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Printer Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105F3CE5-FE55-408E-BF30-E78F85BA0B12}\setup.exe" -l0x9 /UninstallOnly
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Disney Pirates of the Caribbean Online --> C:\Program Files\Disney\Disney Online\PiratesOnline\uninst.exe
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
DWG TrueView 2007 --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
EMBASSY Security Center --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEAFE1E5-076B-430A-96D9-B567792AFA88}
EMBASSY Trust Suite by Wave Systems --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe" -l0x9
ETS Launch Pad --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{DD41AC25-61B2-4FC9-90AA-672F32139AC3} /l1033
ETS Upgrade --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{72FECEA1-E87F-4192-89FA-D0FBF92885BB}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp deskjet 3320 series --> rundll32 hpzcon07.dll,VendorJettison hp deskjet 3320 series
hp deskjet 3320 series (Remove only) --> C:\Program Files\hp deskjet 3320 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=3320 -huninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LEGO Star Wars II --> C:\Program Files\InstallShield Installation Information\{578FA426-47C0-4A3F-98A4-01ACD26B7556}\setup.exe -runfromtemp -l0x0409
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (AUTODESKVAULT) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
Microsoft WSE 3.0 Runtime --> MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
NTRU Hybrid TSS v2.0.25 --> MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PowerDVD 5.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Preboot Manager --> MsiExec.exe /I{EE2EE62C-E27D-486A-AF6D-FA4A06E67476}
Private Information Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0B0A2153-58A6-4244-B458-25EDF5FCD809} /l1033
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
ROBOPro (fischertechnik) Programm --> C:\Program Files\ROBOPro\UnInstall.exe
SearchAssist --> C:\DELL\SearchAssist\UninstSA.bat
Secure Update --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D1E829E9-88B8-47C6-A75E-0D40E2C09D50} /l1033
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Wizards --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4} /l1033
upekmsi --> MsiExec.exe /I{BE40EC9E-9466-4288-916D-C1D6C13F4A40}
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Wave Infrastructure Installer --> MsiExec.exe /I{CDD4761A-3D3F-4487-9AAF-7855A36E0D31}
Wave Support Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{07D618CD-B016-438A-ADC9-A75BD23F85CE} /l1033
West Point Bridge Designer 2007 --> C:\WINDOWS\iun6002.exe "C:\Program Files\West Point Bridge Designer 2007\irunin.ini"


-- Application Event Log -------------------------------------------------------

Event Record #/Type559 / Error
Event Submitted/Written: 07/23/2008 01:29:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011bf4.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type557 / Error
Event Submitted/Written: 07/23/2008 00:34:51 PM
Event ID/Source: 3011 / LoadPerf
Event Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Event Record #/Type556 / Error
Event Submitted/Written: 07/23/2008 00:34:51 PM
Event ID/Source: 3012 / LoadPerf
Event Description:
The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Event Record #/Type530 / Error
Event Submitted/Written: 07/23/2008 00:30:48 PM
Event ID/Source: 3409 / MSSQL$AUTODESKVAULT
Event Description:
Performance counter shared memory setup failed with error -1. Reinstall sqlctr.ini for this instance, and ensure that the instance login account has correct registry permissions.

Event Record #/Type529 / Error
Event Submitted/Written: 07/23/2008 00:30:48 PM
Event ID/Source: 8313 / MSSQL$AUTODESKVAULT
Event Description:
Error in mapping SQL Server performance object/counter indexes to object/counter names. SQL Server performance counters are disabled.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21000 / Error
Event Submitted/Written: 07/22/2008 08:59:13 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer D3H6ZPC1
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4311E1AF-B739-4668-.
The master browser is stopping or an election is being forced.

Event Record #/Type20995 / Error
Event Submitted/Written: 07/22/2008 08:50:22 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 00000071, parameter1 00000000, parameter2 00000000, parameter3 00000000, parameter4 00000000.

Event Record #/Type20966 / Warning
Event Submitted/Written: 07/17/2008 11:18:56 PM
Event ID/Source: 262 / PlugPlayManager
Event Description:
The service "Spooler" vetoed a power event request.

Event Record #/Type20965 / Error
Event Submitted/Written: 07/17/2008 11:17:55 PM
Event ID/Source: 4321 / NetBT
Event Description:
The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.254.3.
The machine with the IP address 192.168.254.1 did not allow the name to be claimed by
this machine.

Event Record #/Type20964 / Error
Event Submitted/Written: 07/17/2008 11:03:28 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer D3H6ZPC1
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4311E1AF-B739-4668-.
The master browser is stopping or an election is being forced.



-- End of Deckard's System Scanner: finished at 2008-07-23 14:11:38 ------------

Thank you,
rgram

#12
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello rgram,

You don't have a virus scanner installed. Please go to the free protection page in my signature and choose a virus scanner. Then please download and install it.

Please also enable your Norton Internet Worm Protection.

After that, please run DSS again and post the entire log it produces.

Thunderbird1988

#13
rgram

    Member

  • Topic Starter
  • Member
  • 83 posts
Hello Thunderbird,
Thank you for helping me. I am sorry, but I don't know how to go to the free protection page in your signature and choose a virus scanner to download. Also, I think at one time, I had Norton on the computer for a trial. I cannot find the thing you speak of... the "Norton Internet Worm Protection." I tried to search for the protection page...?
rgram

#14
rgram

    Member

  • Topic Starter
  • Member
  • 83 posts
Thunderbird,
Never mind about the free protection page... I found your link under your signature.
rgram

However, still don't know about the Norton Internet Worm Protector.

Thanks

#15
Thunderbird1988

    Member 2k

  • Member
  • 2,416 posts
Hello rgram,

DSS says you have installed that program. But if you don't know about it, then it may be only a leftover. In that case, I would also like you to choose and install a firewall from the protection page.

Thunderbird1988