Unknown hijack [RESOLVED]


  • This topic is locked

#1 kregan (Member, 12 posts)
First let me say hello, I am a 45 year old minor geek! :)

I recently purchased a PDA, a Dell X51v. It has been working great and all was good until last night I downloaded a PIM app and all [bleep] broke loose after I tried to install it on my desktop.

I was running Ad-Aware 2007 and Spybot Search and Destroy with the TeaTimer thing running. In the end the virus won!!! I have now installed ZoneAlarm and Spyware Doctor (paid version), and that has got me back up and running, but something is still wrong.

The system boots very slowly, and now when I go to Google to search, when I click on a site in the search results it usually just sits and works, never taking me to the site. I had to log on here from another computer to post this.

It is a mess. I don't know what else to do besides reformat and start over.

I downloaded HijackThis and here is the log.

Please help me!

Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:04 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: (no name) - {35A301DE-D397-4E32-AD8F-1DDFD37EECF7} - (no file)
O2 - BHO: (no name) - {6319A0F3-5D3C-4828-95C3-5E67CDA371E6} - (no file)
O2 - BHO: (no name) - {63D0AFDB-A48F-4C13-9A8F-D909FF3B7DF4} - (no file)
O2 - BHO: (no name) - {6B269E0D-0D2B-441E-942C-045080614F77} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {90501BA4-D632-447E-9DF4-25FCBBA05BF6} - (no file)
O2 - BHO: (no name) - {A956E8B4-3463-42C2-9A16-6ECF07F4D01E} - (no file)
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM674f44b3] Rundll32.exe "C:\WINDOWS\system32\lrqaehbb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5384 bytes
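What a helper actually reads in a log like the one above is a small set of indicators: Browser Helper Object CLSIDs registered with "(no file)", an HKLM Run value with a random-looking name that has rundll32 load an eight-letter DLL from system32 through a one-letter entry point, a Winlogon Notify DLL that is missing from disk, and an O17 NameServer that should point at the local router or the ISP. The script below is an added example, not part of this thread or of HijackThis, that encodes those heuristics and runs them over a constructed excerpt shaped like the posted log. The regular expressions, the "short entry point" and "hex-run" thresholds, and the SAMPLE_LOG text are assumptions of this example; the truncated R0/R1 URLs from the log are deliberately left out rather than guessed at.

```python
"""Heuristic triage of HijackThis-style log lines (added example; not from the thread)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: lines modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM674f44b3] Rundll32.exe "C:\WINDOWS\system32\lrqaehbb.dll",s
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - ")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,?\s*(\S*)', re.IGNORECASE)
VALUE_NAME_RE = re.compile(r"\[([^\]]+)\]")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def looks_random(value_name: str) -> bool:
    """Heuristic (assumption of this example): a run of six or more hex characters
    that contains a digit, as in 'BM674f44b3', is typical of generated names and
    rare in vendor-chosen Run value names such as 'NvCplDaemon'."""
    return any(len(run) >= 6 and any(ch.isdigit() for ch in run)
               for run in re.findall(r"[0-9a-fA-F]+", value_name))


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) over the R/O entries of a HijackThis log."""
    findings: List[Dict[str, str]] = []

    def flag(section: str, line: str, reason: str) -> None:
        findings.append({"section": section, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section = m.group(1)

        # Orphaned registrations: the registry still points at a file that is not on disk.
        if "(no file)" in line or "(file missing)" in line:
            flag(section, line, "orphaned registration: registered object has no file on disk")

        if section == "O4":
            rd = RUNDLL_RE.search(line)
            if rd:
                dll, entry = rd.groups()
                # Vendor rundll32 entries name a real export (NvStartup); a one- or
                # two-character entry point is characteristic of dropped loader DLLs.
                if len(entry) <= 2:
                    flag(section, line, f"rundll32 loads {dll} via short entry point {entry!r}")
            vn = VALUE_NAME_RE.search(line)
            if vn and looks_random(vn.group(1)):
                flag(section, line, f"random-looking Run value name {vn.group(1)!r}")

        if section == "O17":
            ns = NAMESERVER_RE.search(line)
            if ns:
                for ip in re.split(r"[,\s]+", ns.group(1).strip()):
                    if ip and not ipaddress.ip_address(ip).is_private:
                        flag(section, line, f"resolver {ip} is not on a private network; confirm it is the ISP's")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['line']}")
```

Run against the sample, the script flags the two orphaned entries (O2 and O20) and the [BM674f44b3] line twice (short entry point and generated-looking value name), while the NVIDIA, ZoneAlarm and IE7 setup lines pass and the 192.168.0.1 resolver is accepted as a local router. The heuristics are deliberately narrow: they point a helper at the lines worth a closer look, they do not decide on their own what to delete.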



#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Hello kregan,

Welcome to Geekstogo.

I am having a look at your log and will get back to you in a bit.

Regards
emeraldnzl

#3 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Hello again kregan,

Please read this post completely; it may make it easier if you copy and paste this post into a new text document or print it for reference later. This will especially help you when your computer is offline.

It is important you carry out instructions exactly in the order they appear.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Next

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

So when you come back please post
  • the VundoFix text
  • the two Deckard's System Scanner logs


#4 kregan (Topic Starter, Member, 12 posts)
I just ran Malwarebytes' Anti-Malware 1.23 and discovered the Vundo.

I will go run VundoFix and DSS and get back to you soon. Here is the log MBAM gave me.



Malwarebytes' Anti-Malware 1.23
Database version: 987
Windows 5.1.2600 Service Pack 2

04:12:41 PM 7/24/2008
mbam-log-7-24-2008 (16-12-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 95027
Time elapsed: 30 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lrqaehbb.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm674f44b3 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qusuhwtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctwhusuq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lrqaehbb.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\16R9MHPO\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\QWGOCA8B\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oayfihyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM674f44b3.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM674f44b3.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#5 kregan (Topic Starter, Member, 12 posts)
VundoFix found 0 problems.

DSS is crashing when it goes to examine the event logs: it displays "Examining Event Logs" and then crashes and exits.

I ran it three times, with a full power-down reboot twice; same results.

I will try to download the DSS program again.

Here is the new HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:47:16 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: (no name) - {35A301DE-D397-4E32-AD8F-1DDFD37EECF7} - (no file)
O2 - BHO: (no name) - {6319A0F3-5D3C-4828-95C3-5E67CDA371E6} - (no file)
O2 - BHO: (no name) - {63D0AFDB-A48F-4C13-9A8F-D909FF3B7DF4} - (no file)
O2 - BHO: (no name) - {6B269E0D-0D2B-441E-942C-045080614F77} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {90501BA4-D632-447E-9DF4-25FCBBA05BF6} - (no file)
O2 - BHO: (no name) - {A956E8B4-3463-42C2-9A16-6ECF07F4D01E} - (no file)
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5268 bytes
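Comparing this log with the one in the first post is how a helper confirms what the Malwarebytes run actually changed rather than trusting its summary: the [BM674f44b3] Run entry is gone and so is one of the two rundll32.exe host processes, while the orphaned O2 CLSIDs and the O20 Winlogon Notify entry persist and still need cleaning. The script below is an added example, not part of this thread or of any tool named in it; BEFORE and AFTER are constructed excerpts of the two logs trimmed to the relevant lines, process paths are compared case-insensitively because HijackThis prints them as found in the registry, and duplicates are counted so that losing one of two identical hosts is visible.

```python
"""Diff two HijackThis logs: processes and R/O entries (added example; not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed excerpts modelled on the first and second logs in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BM674f44b3] Rundll32.exe "C:\WINDOWS\system32\lrqaehbb.dll",s
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
"""

AFTER = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - ")


def parse(log_text: str) -> Tuple[Counter, Set[str]]:
    """Split a log into a multiset of running-process paths and a set of R/O entry lines."""
    procs: Counter = Counter()
    entries: Set[str] = set()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            procs[line.lower()] += 1  # NTFS paths are case-insensitive; count duplicates
        elif ENTRY_RE.match(line):
            entries.add(line)
    return procs, entries


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What disappeared, what appeared, and which orphaned entries survived the cleanup."""
    pb, eb = parse(before)
    pa, ea = parse(after)
    return {
        "processes_gone": sorted((pb - pa).elements()),
        "processes_new": sorted((pa - pb).elements()),
        "entries_removed": sorted(eb - ea),
        "entries_added": sorted(ea - eb),
        "orphans_persisting": sorted(
            l for l in eb & ea if "(no file)" in l or "(file missing)" in l
        ),
    }


if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE, AFTER).items():
        print(f"{key}:")
        for l in lines:
            print(f"    {l}")
```

The interesting output is not the removed Run entry, which the scanner already reported, but the two lists that prove the job is unfinished: the orphaned O2 and O20 registrations are unchanged between the logs, which is why the helper keeps asking for further logs instead of declaring the machine clean.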

#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Look forward to hearing from you.

Regards
emeraldnzl

#7 kregan (Topic Starter, Member, 12 posts)
emeraldnzl,

Thank you for your help

I downloaded DSS a second time and it still crashes when examining the event log.

#8 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)
Hello kregan,

Let's try in Safe Mode; it should work.

To boot into Safe Mode:

1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
3) Instead of Windows loading as normal, the Advanced Options Menu should appear.
4) Select the first option, to run Windows in Safe Mode.
5) Choose your usual account if this option appears.

Next

We will start DSS a different way.

Click on Start, then click on Run. Copy and paste the following line into the Open box and then click OK:

"%userprofile%\desktop\dss.exe" /config

This will open the DSS configuration.
Click on Check All, then click Scan.
DSS will now run again. When it has finished, DSS will open two Notepad windows, main.txt and extra.txt.

Please copy and post back both logs that open in Notepad (main.txt and extra.txt).

#9 kregan (Topic Starter, Member, 12 posts)
That worked great.

Main.....

Deckard's System Scanner v20071014.68
Run by Kelly on 2008-07-24 18:10:57
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 4 Restore Point(s) --
4: 2008-07-24 20:31:00 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-07-24 18:35:19 UTC - RP3 - System Checkpoint
2: 2008-07-23 16:31:02 UTC - RP2 - Removed Ad-Aware 2007
1: 2008-07-23 15:48:14 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kelly.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:11:42 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Kelly\desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelly.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: (no name) - {35A301DE-D397-4E32-AD8F-1DDFD37EECF7} - (no file)
O2 - BHO: (no name) - {6319A0F3-5D3C-4828-95C3-5E67CDA371E6} - (no file)
O2 - BHO: (no name) - {63D0AFDB-A48F-4C13-9A8F-D909FF3B7DF4} - (no file)
O2 - BHO: (no name) - {6B269E0D-0D2B-441E-942C-045080614F77} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {90501BA4-D632-447E-9DF4-25FCBBA05BF6} - (no file)
O2 - BHO: (no name) - {A956E8B4-3463-42C2-9A16-6ECF07F4D01E} - (no file)
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4566 bytes

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-24 16:21:35 0 d-------- C:\VundoFix Backups
2008-07-24 15:35:12 0 d-------- C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-07-24 15:35:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 15:34:59 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:55:38 0 d-------- C:\Program Files\Trend Micro
2008-07-23 16:54:59 0 d-------- C:\Program Files\Spyware Doctor
2008-07-23 16:54:59 0 d-------- C:\Documents and Settings\Kelly\Application Data\PC Tools
2008-07-23 09:23:54 2090 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 08:49:55 0 d-------- C:\WINDOWS\CSC
2008-07-23 01:42:54 2494496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-23 01:04:35 0 d-------- C:\Program Files\uTorrent
2008-07-22 22:49:44 4456448 --a------ C:\Documents and Settings\Kelly\ntuser.dat
2008-07-22 22:49:43 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-22 22:49:28 4350 --ahs---- C:\WINDOWS\system32\NXHOrBeg.ini2
2008-07-22 22:40:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-22 22:39:28 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-22 22:38:53 0 d-------- C:\WINDOWS\Internet Logs
2008-07-22 22:24:53 0 d-------- C:\WINDOWS\system32\3738
2008-07-22 21:14:00 1408 --ahs---- C:\WINDOWS\system32\YGfLUvut.ini2
2008-07-22 21:07:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-22 21:06:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\EssentialPIM Pro
2008-07-19 23:40:28 0 d-------- C:\WINDOWS\PreviewSoft
2008-07-19 23:40:23 0 d-------- C:\Program Files\ACD Systems
2008-07-19 23:39:23 0 d-------- C:\Program Files\Common Files\Vbox
2008-07-19 23:04:45 0 d-------- C:\Documents and Settings\Kelly\Application Data\Publish Providers
2008-07-19 22:59:43 0 d-------- C:\Program Files\Vstplugins
2008-07-19 22:59:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-07-19 22:58:23 0 d-------- C:\Program Files\MSBuild
2008-07-19 22:55:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-19 22:55:16 0 d-------- C:\Program Files\Reference Assemblies
2008-07-19 22:33:29 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony Setup
2008-07-19 22:29:49 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-07-19 21:00:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-19 21:00:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony
2008-07-19 20:59:34 0 d-------- C:\Program Files\Sony
2008-07-17 19:31:54 0 d-------- C:\Documents and Settings\Kelly\Application Data\FileZilla
2008-07-17 19:31:43 0 d-------- C:\Program Files\FileZilla FTP Client
2008-07-16 22:43:46 0 d-------- C:\Program Files\Agenda Fusion
2008-07-16 22:02:20 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-07-16 21:44:37 0 d-------- C:\Program Files\LiveUpdate
2008-07-16 21:44:19 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-16 20:38:57 0 d-------- C:\WINDOWS\Agenda Fusion
2008-07-11 22:43:10 0 d-------- C:\Program Files\HanDBase4
2008-07-10 20:48:14 90112 --a------ C:\WINDOWS\RSetupCE.exe
2008-07-10 20:48:09 0 d-------- C:\Program Files\Resco
2008-07-10 12:59:40 0 --a------ C:\Documents and Settings\Kelly\Application Data\sdsce.dll
2008-07-10 12:25:58 0 d-------- C:\Documents and Settings\Kelly\Application Data\WinRAR
2008-07-07 19:44:55 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-07 19:28:08 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-07 18:39:56 0 d-------- C:\Dell
2008-07-05 13:17:53 0 d-------- C:\Program Files\Audacity


-- Find3M Report ---------------------------------------------------------------

2008-07-24 18:05:06 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-24 08:49:52 0 d-------- C:\Documents and Settings\Kelly\Application Data\OpenOffice.org2
2008-07-23 17:57:00 0 d-------- C:\Program Files\GIGABYTE
2008-07-23 12:31:12 0 d-------- C:\Program Files\Common Files
2008-07-23 11:46:57 0 d-------- C:\Program Files\RegScrubXP
2008-07-17 19:51:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-12 11:53:51 0 d-------- C:\Program Files\MessengerOFF
2008-07-07 19:32:11 2528 --a------ C:\Documents and Settings\Kelly\Application Data\$_hpcst$.hpc
2008-06-20 08:45:07 0 d-------- C:\Program Files\Jasc Software Inc
2008-06-20 08:45:07 0 d-------- C:\Documents and Settings\Kelly\Application Data\Jasc Software Inc
2008-06-19 14:38:18 0 d-------- C:\Documents and Settings\Kelly\Application Data\gtk-2.0
2008-06-19 14:29:43 0 d-------- C:\Documents and Settings\Kelly\Application Data\Bullzip
2008-06-19 14:27:05 0 d-------- C:\Program Files\Bullzip
2008-06-13 14:50:21 0 d-------- C:\Documents and Settings\Kelly\Application Data\Help
2008-06-11 14:02:41 0 d-------- C:\Program Files\CoffeeCup Software
2008-06-07 22:02:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\mIRC
2008-06-07 20:24:51 0 d-------- C:\Program Files\mIRC
2008-06-07 20:02:46 39492 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 10:01:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Canon
2008-06-05 09:56:02 0 d-------- C:\Program Files\Canon
2008-06-03 09:38:12 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-01 20:48:04 0 d-------- C:\Documents and Settings\Kelly\Application Data\Adobe
2008-06-01 20:48:00 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 16:16:36 0 d-------- C:\Program Files\Foxit Software
2008-06-01 15:47:50 0 d-------- C:\Documents and Settings\Kelly\Application Data\Autodesk
2008-06-01 15:47:13 0 d-------- C:\Program Files\AutoCAD 2004
2008-06-01 15:46:08 0 d-------- C:\Program Files\Autodesk
2008-06-01 15:46:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-05-31 19:43:27 0 d-------- C:\Program Files\NewsBin
2008-05-31 17:31:32 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-05-31 17:31:19 0 d-------- C:\Program Files\Java
2008-05-31 17:30:59 0 d-------- C:\Program Files\Common Files\Java
2008-05-31 17:30:53 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sun
2008-05-31 09:41:31 0 d-------- C:\Documents and Settings\Kelly\Application Data\Cynical Peak
2008-05-31 09:40:18 0 d-------- C:\Program Files\Cynical Peak
2008-05-31 08:56:24 0 d-------- C:\Program Files\Kyocera
2008-05-31 08:44:57 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-31 08:44:05 0 d-------- C:\Program Files\Intuit
2008-05-31 08:39:37 0 d-------- C:\Documents and Settings\Kelly\Application Data\Macromedia
2008-05-31 08:39:36 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-30 23:36:40 0 d-------- C:\Program Files\Movie Maker
2008-05-30 23:35:35 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-30 23:34:48 0 d-------- C:\Program Files\Windows NT
2008-05-30 22:27:38 0 d-------- C:\Documents and Settings\Kelly\Application Data\Talkback
2008-05-30 22:27:28 0 d-------- C:\Documents and Settings\Kelly\Application Data\Thunderbird
2008-05-30 22:15:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\Mozilla
2008-05-30 20:51:38 0 d-------- C:\Program Files\Intel
2008-05-30 20:24:44 0 d-------- C:\Documents and Settings\Kelly\Application Data\InstallShield
2008-05-30 19:31:35 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-30 18:22:19 0 d-------- C:\Program Files\Realtek
2008-05-30 18:22:13 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 17:26:57 0 d-------- C:\Documents and Settings\Kelly\Application Data\Identities
2008-05-30 16:48:40 0 d-------- C:\Program Files\microsoft frontpage
2008-05-30 16:48:27 0 -rahs---- C:\MSDOS.SYS
2008-05-30 16:48:27 0 -rahs---- C:\IO.SYS
2008-05-30 16:48:27 0 --a------ C:\CONFIG.SYS
2008-05-30 16:48:27 0 --a------ C:\AUTOEXEC.BAT
2008-05-30 16:46:27 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-30 16:45:31 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-30 12:39:00 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-30 12:38:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-30 12:38:31 62 --ahs---- C:\Documents and Settings\Kelly\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32954845-9835-4D5E-B242-B068C773B2D9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35A301DE-D397-4E32-AD8F-1DDFD37EECF7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6319A0F3-5D3C-4828-95C3-5E67CDA371E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63D0AFDB-A48F-4C13-9A8F-D909FF3B7DF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B269E0D-0D2B-441E-942C-045080614F77}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90501BA4-D632-447E-9DF4-25FCBBA05BF6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A956E8B4-3463-42C2-9A16-6ECF07F4D01E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 AM C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [07/12/2006 05:58 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/11/2006 09:43 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [08/11/2006 09:43 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/21/2006 04:56 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [07/16/2008 09:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifGWqnl]
iifGWqnl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrOHXN

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8552 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-24 18:12:07 ------------


EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 4300 @ 1.80GHz
CPU 1: Intel® Core™2 CPU 4300 @ 1.80GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1022.42 MiB / 720.42 MiB
Pagefile Memory (total/avail): 2460.89 MiB / 2185.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.31 MiB

C: is Fixed (NTFS) - 43.95 GiB total, 23.9 GiB free.
D: is Fixed (NTFS) - 105.09 GiB total, 70.66 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-56MHB1 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 43.95 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 105.09 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Anti-virus Firewall v7.0.483.000 (Check Point, LTD.)
AV: ZoneAlarm Anti-virus Antivirus v7.0.483.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mirc.exe"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kelly\Application Data
ASLOGDIR=C:\Program Files\Intuit\QuickBooks 2006\
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE-1-KELLY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kelly
LOGONSERVER=\\OFFICE-1-KELLY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Kelly\LOCALS~1\Temp
TMP=C:\DOCUME~1\Kelly\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=OFFICE-1-KELLY
USERNAME=Kelly
USERPROFILE=C:\Documents and Settings\Kelly
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Kelly (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee Classic --> MsiExec.exe /I{8220C40F-AA38-4752-978F-6198328B1C20}
AeroFly Professional Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B3E5A90-1F6E-4FAF-B84F-C306C8A80809}\setup.exe" -l0x9
Agenda Fusion --> "C:\WINDOWS\Agenda Fusion\uninstall.exe" "/U:C:\Program Files\Agenda Fusion\Uninstall\uninstall.xml"
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AutoCAD 2004 --> MsiExec.exe /I{5783F2D7-0201-0409-0002-0060B0CE6BBA}
Autodesk Express Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Bullzip PDF Printer 5.0.0.609 --> "C:\Program Files\Bullzip\PDF Printer\unins000.exe"
Canon CanoScan Toolbox 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\CanoScan Toolbox Ver4.0\Uninst.isu" -c"C:\Program Files\Canon\CanoScan Toolbox Ver4.0\uninst.dll"
CoffeeCup HTML Editor --> C:\PROGRA~1\COFFEE~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\INSTALL.LOG
EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\setup.exe" -l0x9 -removeonly
FileZilla Client 3.0.11.1 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Gigabyte Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.EXE" -l0x9 -removeonly
GPL Ghostscript Lite 8.61 --> "C:\Program Files\Bullzip\PDF Printer\gs\unins000.exe"
HanDBase Professional for Windows Mobile Classic/Professional ( --> "C:\Program Files\HanDBase4\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB925673) --> MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
NewsBin Pro --> C:\Program Files\NewsBin\uninst.exe
OpenOffice.org 2.4 --> MsiExec.exe /I{F87A8E11-02A4-4875-A3A5-5961081B0E4E}
QuickBooks Pro 2006 --> msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2006" ADDREMOVE=1
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RegScrubXP 3.25 --> "C:\Program Files\RegScrubXP\unins000.exe"
Resco Explorer --> C:\WINDOWS\RSetupCE.exe -uninstC:\Program Files\Resco\Pocket Encryption\_Install.log
SafeCast Shared Components --> C:\Program Files\Common Files\Macrovision Shared\SafeCast\Install\CDAC13BA.EXE /uninstall
Scorecard --> MsiExec.exe /I{3E49AC88-4A06-482A-ABB3-69B038C1960C}
Sony Vegas Pro 8.0 --> MsiExec.exe /X{1246FF64-3035-4A92-8FE6-A968275495EB}
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
ZoneAlarm Anti-virus --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type612 / Error
Event Submitted/Written: 07/24/2008 04:55:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss(2).exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss(2).exe!ws!]

Event Record #/Type611 / Error
Event Submitted/Written: 07/24/2008 04:45:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type609 / Warning
Event Submitted/Written: 07/24/2008 04:42:38 PM
Event ID/Source: 19011 / MSSQL$SONY_MEDIAMGR
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type608 / Error
Event Submitted/Written: 07/24/2008 04:39:00 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type607 / Warning
Event Submitted/Written: 07/24/2008 04:37:05 PM
Event ID/Source: 19011 / MSSQL$SONY_MEDIAMGR
Event Description:
(SpnRegister) : Error 1355



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5159 / Error
Event Submitted/Written: 07/24/2008 06:11:28 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
KLIF
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Event Record #/Type5158 / Error
Event Submitted/Written: 07/24/2008 06:11:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type5157 / Error
Event Submitted/Written: 07/24/2008 06:11:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error:
%%31

Event Record #/Type5156 / Error
Event Submitted/Written: 07/24/2008 06:11:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
%%31

Event Record #/Type5155 / Error
Event Submitted/Written: 07/24/2008 06:11:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-24 18:12:07 ------------
  • 0

#10
kregan

    Member

  • Topic Starter
  • Member
  • 12 posts
This is the file I installed that had the virus.


2008-07-22 21:06:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\EssentialPIM Pro
  • 0



#11
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello again kregan,

Well we have a bit of work to do. :)

Firstly

Please disable your firewall, ZoneAlarm. I think this may be what is getting in the way.

Next

Please update your Java

Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JDK) Update and save it to your desktop or the folder you usually download to.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
-----Step 2-----

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: (no name) - {35A301DE-D397-4E32-AD8F-1DDFD37EECF7} - (no file)
O2 - BHO: (no name) - {6319A0F3-5D3C-4828-95C3-5E67CDA371E6} - (no file)
O2 - BHO: (no name) - {63D0AFDB-A48F-4C13-9A8F-D909FF3B7DF4} - (no file)
O2 - BHO: (no name) - {6B269E0D-0D2B-441E-942C-045080614F77} - (no file)
O2 - BHO: (no name) - {90501BA4-D632-447E-9DF4-25FCBBA05BF6} - (no file)
O2 - BHO: (no name) - {A956E8B4-3463-42C2-9A16-6ECF07F4D01E} - (no file)
O2 - BHO: (no name) - {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} - (no file)
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

-----Step 3-----

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\NXHOrBeg.ini2
    C:\WINDOWS\system32\YGfLUvut.ini2
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifGWqnl
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-----Step 4-----

Next

Run Deckard's System Scanner again (since we have disabled ZoneAlarm it should work OK... otherwise you may have to go to Safe Mode again).

This time there will only be one log.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open a .txt file in Notepad; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents in your next reply.

So when you come back please post
  • OTMoveIt2 report
  • the DSS report

  • 0
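As an added example (not code from this thread, HijackThis, DSS or OTMoveIt2), a small Python triage script for the two log formats quoted above: it picks out HijackThis entries whose registered component has no file behind it (the O2 "(no file)" and O20 "(file missing)" lines the helper asked to have fixed) and, from a DSS registry dump, reports any LSA Authentication Package beyond the Windows default msv1_0 and any Winlogon Notify subkey DSS listed. The sample lines are constructed from the formats in this thread; the second BHO entry and its CLSID are placeholders.

```python
"""Triage helpers for the HijackThis and DSS log formats in this thread.
Added example code; it only reports findings and removes nothing."""
import re
from typing import Dict, List, Optional

# Constructed sample of HijackThis lines in the format quoted above.  The
# second BHO line is a made-up benign control entry with a placeholder CLSID.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {32954845-9835-4D5E-B242-B068C773B2D9} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: iifGWqnl - iifGWqnl.dll (file missing)
O4 - HKLM\\..\\Run: [ISTray] "C:\\Program Files\\Spyware Doctor\\pctsTray.exe"
"""

# Constructed sample of a DSS "Registry Dump" section in the format shown
# in the scan above (DSS omits empty and legitimate default entries).
DSS_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\iifGWqnl]
iifGWqnl.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geBrOHXN

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Markers HijackThis prints when a registration points at a file that is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into its section code (O2, O20, ...) and body."""
    m = HJT_LINE.match(line.strip())
    return {"section": m.group("section"), "body": m.group("body")} if m else None


def orphaned_hjt_entries(text: str) -> List[Dict[str, str]]:
    """HijackThis entries whose registered component no longer exists on disk:
    the registry still references a DLL that has been removed."""
    findings = []
    for raw in text.splitlines():
        entry = parse_hjt_line(raw)
        if entry and any(mk in entry["body"] for mk in MISSING_MARKERS):
            findings.append(entry)
    return findings


def parse_dss_registry_dump(text: str) -> Dict[str, List[str]]:
    """Parse DSS registry-dump text into {key path: [value lines]}.
    Tolerates the stray trailing quote DSS prints on some SafeBoot keys."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = line[1:].rstrip(']"')
            keys[current] = []
        elif line and current is not None:
            keys[current].append(line)
    return keys


def extra_auth_packages(keys: Dict[str, List[str]]) -> List[str]:
    """Authentication Packages under Control\\Lsa other than the Windows
    default msv1_0.  Anything listed here is loaded into LSASS at logon."""
    extras: List[str] = []
    for key, lines in keys.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for line in lines:
            name, _, value = line.partition("=")
            if name.strip().strip('"') == "Authentication Packages":
                extras += [p for p in value.split() if p.lower() != "msv1_0"]
    return extras


def winlogon_notify_dlls(keys: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Winlogon Notify subkeys DSS listed, mapped to the DLL lines under them."""
    return {key.rsplit("\\", 1)[1]: lines
            for key, lines in keys.items() if "\\winlogon\\notify\\" in key.lower()}


if __name__ == "__main__":
    for e in orphaned_hjt_entries(HJT_SAMPLE):
        print("orphaned:", e["section"], e["body"])
    dump = parse_dss_registry_dump(DSS_SAMPLE)
    print("extra LSA auth packages:", extra_auth_packages(dump))
    print("Winlogon Notify packages:", winlogon_notify_dlls(dump))
```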

#12
kregan

    Member

  • Topic Starter
  • Member
  • 12 posts
First part.

Explorer killed successfully
C:\WINDOWS\system32\NXHOrBeg.ini2 moved successfully.
C:\WINDOWS\system32\YGfLUvut.ini2 moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifGWqnl >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifGWqnl\\ not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Kelly\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kelly\LOCALS~1\Temp\~DF7B5E.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_a0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01f07.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01f0a.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_195456

Files moved on Reboot...
C:\DOCUME~1\Kelly\LOCALS~1\Temp\WCESLog.log moved successfully.
C:\DOCUME~1\Kelly\LOCALS~1\Temp\~DF7B5E.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_a0.dat not found!
File C:\WINDOWS\temp\ZLT01f07.TMP not found!
File C:\WINDOWS\temp\ZLT01f0a.TMP not found!


DSS scan....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01:38 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kelly\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelly.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.6.0_07\bin\java.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4573 bytes

-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-25 19:31:54 0 d-------- C:\Program Files\Java
2008-07-25 19:31:52 0 d-------- C:\Program Files\Common Files\Java
2008-07-24 16:21:35 0 d-------- C:\VundoFix Backups
2008-07-24 15:35:12 0 d-------- C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-07-24 15:35:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 15:34:59 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:55:38 0 d-------- C:\Program Files\Trend Micro
2008-07-23 16:54:59 0 d-------- C:\Program Files\Spyware Doctor
2008-07-23 16:54:59 0 d-------- C:\Documents and Settings\Kelly\Application Data\PC Tools
2008-07-23 09:23:54 2090 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 08:49:55 0 d-------- C:\WINDOWS\CSC
2008-07-23 01:42:54 2619936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-23 01:04:35 0 d-------- C:\Program Files\uTorrent
2008-07-22 22:49:44 4718592 --a------ C:\Documents and Settings\Kelly\ntuser.dat
2008-07-22 22:49:43 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-22 22:40:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-22 22:39:28 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-22 22:38:53 0 d-------- C:\WINDOWS\Internet Logs
2008-07-22 22:24:53 0 d-------- C:\WINDOWS\system32\3738
2008-07-22 21:07:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-22 21:06:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\EssentialPIM Pro
2008-07-19 23:40:28 0 d-------- C:\WINDOWS\PreviewSoft
2008-07-19 23:39:23 0 d-------- C:\Program Files\Common Files\Vbox
2008-07-19 23:04:45 0 d-------- C:\Documents and Settings\Kelly\Application Data\Publish Providers
2008-07-19 22:59:43 0 d-------- C:\Program Files\Vstplugins
2008-07-19 22:59:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-07-19 22:58:23 0 d-------- C:\Program Files\MSBuild
2008-07-19 22:55:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-19 22:55:16 0 d-------- C:\Program Files\Reference Assemblies
2008-07-19 22:33:29 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony Setup
2008-07-19 22:29:49 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-07-19 21:00:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-19 21:00:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony
2008-07-19 20:59:34 0 d-------- C:\Program Files\Sony
2008-07-17 19:31:54 0 d-------- C:\Documents and Settings\Kelly\Application Data\FileZilla
2008-07-17 19:31:43 0 d-------- C:\Program Files\FileZilla FTP Client
2008-07-16 22:43:46 0 d-------- C:\Program Files\Agenda Fusion
2008-07-16 22:02:20 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-07-16 21:44:37 0 d-------- C:\Program Files\LiveUpdate
2008-07-16 21:44:19 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-16 20:38:57 0 d-------- C:\WINDOWS\Agenda Fusion
2008-07-11 22:43:10 0 d-------- C:\Program Files\HanDBase4
2008-07-10 20:48:14 90112 --a------ C:\WINDOWS\RSetupCE.exe
2008-07-10 20:48:09 0 d-------- C:\Program Files\Resco
2008-07-10 12:59:40 0 --a------ C:\Documents and Settings\Kelly\Application Data\sdsce.dll
2008-07-10 12:25:58 0 d-------- C:\Documents and Settings\Kelly\Application Data\WinRAR
2008-07-07 19:44:55 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-07 19:28:08 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-07 18:39:56 0 d-------- C:\Dell
2008-07-05 13:17:53 0 d-------- C:\Program Files\Audacity


-- Find3M Report ---------------------------------------------------------------

2008-07-25 19:59:48 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-25 19:31:52 0 d-------- C:\Program Files\Common Files
2008-07-25 19:21:53 0 d-------- C:\Program Files\RegScrubXP
2008-07-24 08:49:52 0 d-------- C:\Documents and Settings\Kelly\Application Data\OpenOffice.org2
2008-07-23 17:57:00 0 d-------- C:\Program Files\GIGABYTE
2008-07-17 19:51:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-12 11:53:51 0 d-------- C:\Program Files\MessengerOFF
2008-07-07 19:32:11 2528 --a------ C:\Documents and Settings\Kelly\Application Data\$_hpcst$.hpc
2008-06-20 08:45:07 0 d-------- C:\Program Files\Jasc Software Inc
2008-06-20 08:45:07 0 d-------- C:\Documents and Settings\Kelly\Application Data\Jasc Software Inc
2008-06-19 14:38:18 0 d-------- C:\Documents and Settings\Kelly\Application Data\gtk-2.0
2008-06-19 14:29:43 0 d-------- C:\Documents and Settings\Kelly\Application Data\Bullzip
2008-06-19 14:27:05 0 d-------- C:\Program Files\Bullzip
2008-06-13 14:50:21 0 d-------- C:\Documents and Settings\Kelly\Application Data\Help
2008-06-11 14:02:41 0 d-------- C:\Program Files\CoffeeCup Software
2008-06-07 22:02:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\mIRC
2008-06-07 20:24:51 0 d-------- C:\Program Files\mIRC
2008-06-07 20:02:46 39492 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 10:01:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Canon
2008-06-05 09:56:02 0 d-------- C:\Program Files\Canon
2008-06-03 09:38:12 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-01 20:48:04 0 d-------- C:\Documents and Settings\Kelly\Application Data\Adobe
2008-06-01 20:48:00 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 16:16:36 0 d-------- C:\Program Files\Foxit Software
2008-06-01 15:47:50 0 d-------- C:\Documents and Settings\Kelly\Application Data\Autodesk
2008-06-01 15:47:13 0 d-------- C:\Program Files\AutoCAD 2004
2008-06-01 15:46:08 0 d-------- C:\Program Files\Autodesk
2008-06-01 15:46:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-05-31 19:43:27 0 d-------- C:\Program Files\NewsBin
2008-05-31 17:31:32 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-05-31 17:30:53 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sun
2008-05-31 09:41:31 0 d-------- C:\Documents and Settings\Kelly\Application Data\Cynical Peak
2008-05-31 09:40:18 0 d-------- C:\Program Files\Cynical Peak
2008-05-31 08:56:24 0 d-------- C:\Program Files\Kyocera
2008-05-31 08:44:57 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-31 08:44:05 0 d-------- C:\Program Files\Intuit
2008-05-31 08:39:37 0 d-------- C:\Documents and Settings\Kelly\Application Data\Macromedia
2008-05-31 08:39:36 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-30 23:36:40 0 d-------- C:\Program Files\Movie Maker
2008-05-30 23:35:35 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-30 23:34:48 0 d-------- C:\Program Files\Windows NT
2008-05-30 22:27:38 0 d-------- C:\Documents and Settings\Kelly\Application Data\Talkback
2008-05-30 22:27:28 0 d-------- C:\Documents and Settings\Kelly\Application Data\Thunderbird
2008-05-30 22:15:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\Mozilla
2008-05-30 20:51:38 0 d-------- C:\Program Files\Intel
2008-05-30 20:24:44 0 d-------- C:\Documents and Settings\Kelly\Application Data\InstallShield
2008-05-30 19:31:35 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-30 18:22:19 0 d-------- C:\Program Files\Realtek
2008-05-30 18:22:13 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 17:26:57 0 d-------- C:\Documents and Settings\Kelly\Application Data\Identities
2008-05-30 16:48:40 0 d-------- C:\Program Files\microsoft frontpage
2008-05-30 16:48:27 0 -rahs---- C:\MSDOS.SYS
2008-05-30 16:48:27 0 -rahs---- C:\IO.SYS
2008-05-30 16:48:27 0 --a------ C:\CONFIG.SYS
2008-05-30 16:48:27 0 --a------ C:\AUTOEXEC.BAT
2008-05-30 16:46:27 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-30 16:45:31 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-30 12:39:00 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-30 12:38:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-30 12:38:31 62 --ahs---- C:\Documents and Settings\Kelly\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 AM C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [07/12/2006 05:58 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/11/2006 09:43 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [08/11/2006 09:43 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/21/2006 04:56 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [07/16/2008 09:16 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrOHXN

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2008-07-25 20:02:06 ------------

Edited by kregan, 25 July 2008 - 06:06 PM.


#13
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,991 posts
Hello again kregan,

Progressing along.

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
dir "C:\WINDOWS\system32\3738" > result.txt
notepad result.txt
exit

Save it to your desktop as File name: result.bat
Save as type: All Files

Once done, double click result.bat to run it. A command window will open briefly, then close. This is quite normal.

Notepad will open with some text. Please copy and post that back here.

Next
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Kelly\Application Data\sdsce.dll
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now

Before we proceed we need to back up your Registry. Making changes to your computer's registry is a dangerous procedure, and a backup will allow us to recover information if necessary.

Download and install ERUNT (Emergency Recovery Utility NT) from here (Lars Hederer) or here (Snapfiles.com).

Click on ERUNT and follow the prompts to back up your registry to a location of your choosing.

Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

Then double click on the fix.reg file, when it prompts to merge click "Yes"

The above Registry file was written specifically for this infection on this person's computer. It should NOT be used on another computer, as it may cause serious damage, causing the computer to become unusable.

-----Step 2-----

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
-----Step 3-----

Next

Run Deckard's System Scanner again.

This time there will only be one log.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open a Notepad .txt file; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents in your next reply.

-----Step 4-----

Kaspersky only works if you are using Internet Explorer.

Please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)

  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

So when you come back please post
  • result.bat text
  • OTMoveIt2 log
  • DSS log
  • Kaspersky On Line Scan results

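As an added illustration of what the fix.reg in the post above does (example code written for this page, not part of the original post and not code from DSS, ERUNT or any other tool named here): a Python script that pulls the "Authentication Packages" entries out of a DSS registry dump, flags anything other than the Windows XP default msv1_0, and rebuilds the hex(7) line that the .reg file uses to restore that default. The sample dump and all function names are constructed for this example.

```python
"""
Added example (not from the Geeks to Go thread or its tools): check the
"Authentication Packages" value shown in a Deckard's System Scanner (DSS)
registry dump and build the REG_MULTI_SZ hex(7) line that restores the
Windows XP default.

An LSA authentication package is a DLL that lsass.exe loads at boot, so
anything listed beside the default msv1_0 deserves a close look; removing
such an entry is exactly what the thread's fix.reg does.  Function names
and the sample log below are constructed for this example.
"""
from __future__ import annotations

import re

# Windows XP default for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)

# Constructed excerpt modelled on the thread's DSS "Registry Dump" section.
SAMPLE_DSS_DUMP = r"""
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrOHXN

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
"""

_LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"


def auth_packages_from_dump(dump: str) -> list[str]:
    """Return the Authentication Packages entries listed under the LSA key.

    DSS prints the REG_MULTI_SZ value as one space-separated line, e.g.
    "Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geBrOHXN
    An empty list means the key was absent (DSS hides default values).
    """
    in_lsa = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: track whether we are inside the LSA key.
            in_lsa = line[1:-1].lower() == _LSA_KEY
            continue
        if in_lsa:
            m = re.match(r'"Authentication Packages"\s*=\s*(.*)$', line)
            if m:
                return m.group(1).split()
    return []


def suspicious_auth_packages(dump: str) -> list[str]:
    """Entries that are not the XP default; these are what a fix.reg removes."""
    return [p for p in auth_packages_from_dump(dump)
            if p.lower() not in DEFAULT_AUTH_PACKAGES]


def reg_multi_sz_hex(values: list[str]) -> str:
    """Encode strings as a .reg hex(7) payload.

    REG_MULTI_SZ is UTF-16LE; every string ends with 00,00 and the whole
    list ends with one more 00,00.  For ["msv1_0"] this reproduces the
    bytes in the thread's fix.reg.
    """
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values)
    data += b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def build_fix_reg(values=DEFAULT_AUTH_PACKAGES) -> str:
    """Render a .reg file setting Authentication Packages to exactly `values`.

    regedit accepts the hex payload on one line; the backslash line wrapping
    seen in the thread's file is only cosmetic.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa]\r\n"
        f'"Authentication Packages"=hex(7):{reg_multi_sz_hex(list(values))}\r\n'
    )


if __name__ == "__main__":
    bad = suspicious_auth_packages(SAMPLE_DSS_DUMP)
    print("non-default authentication packages:", bad or "none")
    if bad:
        print(build_fix_reg())
```

Run against the second DSS log in the thread, the function returns an empty list, which is consistent with DSS hiding the LSA key once only the default value remains.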

#14
kregan

    Member

  • Topic Starter
  • Member
  • 12 posts
Results.txt -----------------------------

Volume in drive C has no label.
Volume Serial Number is 647C-7780

Directory of C:\WINDOWS\system32\3738

07/23/2008 01:43 AM <DIR> .
07/23/2008 01:43 AM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 25,361,854,464 bytes free

OTMove log ------------------------------

Explorer killed successfully
LoadLibrary failed for C:\Documents and Settings\Kelly\Application Data\sdsce.dll
C:\Documents and Settings\Kelly\Application Data\sdsce.dll NOT unregistered.
C:\Documents and Settings\Kelly\Application Data\sdsce.dll moved successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Kelly\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Kelly\LOCALS~1\Temp\~DFCE08.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT04083.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT042c4.TMP scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07272008_151833

Files moved on Reboot...
C:\DOCUME~1\Kelly\LOCALS~1\Temp\WCESLog.log moved successfully.
C:\DOCUME~1\Kelly\LOCALS~1\Temp\~DFCE08.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_1ac.dat not found!
C:\WINDOWS\temp\ZLT04083.TMP moved successfully.
C:\WINDOWS\temp\ZLT042c4.TMP moved successfully.

DSS scan ------------------------------

Deckard's System Scanner v20071014.68
Run by Kelly on 2008-07-27 20:33:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Kelly.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:33:26 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Kelly\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelly.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE7-10] rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF73BC06-52AE-4C12-AC64-E11FD333F097}: NameServer = 192.168.0.1
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4840 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 15:33:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 15:33:34 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 21:58:16 0 d-------- C:\Program Files\acdsee 95
2008-07-26 20:14:21 0 d-------- C:\Program Files\mIRC
2008-07-26 11:29:56 0 d-------- C:\Program Files\Pocket Informant
2008-07-25 19:31:54 0 d-------- C:\Program Files\Java
2008-07-25 19:31:52 0 d-------- C:\Program Files\Common Files\Java
2008-07-24 16:21:35 0 d-------- C:\VundoFix Backups
2008-07-24 15:35:12 0 d-------- C:\Documents and Settings\Kelly\Application Data\Malwarebytes
2008-07-24 15:35:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 15:34:59 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 21:55:38 0 d-------- C:\Program Files\Trend Micro
2008-07-23 16:54:59 0 d-------- C:\Program Files\Spyware Doctor
2008-07-23 16:54:59 0 d-------- C:\Documents and Settings\Kelly\Application Data\PC Tools
2008-07-23 09:23:54 2090 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 08:49:55 0 d-------- C:\WINDOWS\CSC
2008-07-23 01:42:54 4408352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-23 01:04:35 0 d-------- C:\Program Files\uTorrent
2008-07-22 22:49:44 4980736 --a------ C:\Documents and Settings\Kelly\ntuser.dat
2008-07-22 22:49:43 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-22 22:40:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-22 22:39:28 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-07-22 22:38:53 0 d-------- C:\WINDOWS\Internet Logs
2008-07-22 22:24:53 0 d-------- C:\WINDOWS\system32\3738
2008-07-22 21:07:00 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-22 21:06:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\EssentialPIM Pro
2008-07-19 23:40:28 0 d-------- C:\WINDOWS\PreviewSoft
2008-07-19 23:39:23 0 d-------- C:\Program Files\Common Files\Vbox
2008-07-19 23:04:45 0 d-------- C:\Documents and Settings\Kelly\Application Data\Publish Providers
2008-07-19 22:59:43 0 d-------- C:\Program Files\Vstplugins
2008-07-19 22:59:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-07-19 22:58:23 0 d-------- C:\Program Files\MSBuild
2008-07-19 22:55:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-07-19 22:55:16 0 d-------- C:\Program Files\Reference Assemblies
2008-07-19 22:33:29 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony Setup
2008-07-19 22:29:49 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-07-19 21:00:41 0 d-------- C:\Program Files\Microsoft SQL Server
2008-07-19 21:00:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sony
2008-07-19 20:59:34 0 d-------- C:\Program Files\Sony
2008-07-17 19:31:54 0 d-------- C:\Documents and Settings\Kelly\Application Data\FileZilla
2008-07-17 19:31:43 0 d-------- C:\Program Files\FileZilla FTP Client
2008-07-16 22:43:46 0 d-------- C:\Program Files\Agenda Fusion
2008-07-16 22:02:20 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-07-16 21:44:37 0 d-------- C:\Program Files\LiveUpdate
2008-07-16 21:44:19 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-16 20:38:57 0 d-------- C:\WINDOWS\Agenda Fusion
2008-07-11 22:43:10 0 d-------- C:\Program Files\HanDBase4
2008-07-10 20:48:14 90112 --a------ C:\WINDOWS\RSetupCE.exe
2008-07-10 20:48:09 0 d-------- C:\Program Files\Resco
2008-07-10 12:25:58 0 d-------- C:\Documents and Settings\Kelly\Application Data\WinRAR
2008-07-07 19:44:55 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-07 19:28:08 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-07 18:39:56 0 d-------- C:\Dell
2008-07-05 13:17:53 0 d-------- C:\Program Files\Audacity


-- Find3M Report ---------------------------------------------------------------

2008-07-27 20:27:26 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-07-27 19:08:44 0 d-------- C:\Program Files\RegScrubXP
2008-07-26 10:43:17 0 d-------- C:\Documents and Settings\Kelly\Application Data\OpenOffice.org2
2008-07-25 19:31:52 0 d-------- C:\Program Files\Common Files
2008-07-23 17:57:00 0 d-------- C:\Program Files\GIGABYTE
2008-07-17 19:51:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-12 11:53:51 0 d-------- C:\Program Files\MessengerOFF
2008-07-07 19:32:11 2528 --a------ C:\Documents and Settings\Kelly\Application Data\$_hpcst$.hpc
2008-06-20 08:45:07 0 d-------- C:\Program Files\Jasc Software Inc
2008-06-20 08:45:07 0 d-------- C:\Documents and Settings\Kelly\Application Data\Jasc Software Inc
2008-06-19 14:38:18 0 d-------- C:\Documents and Settings\Kelly\Application Data\gtk-2.0
2008-06-19 14:29:43 0 d-------- C:\Documents and Settings\Kelly\Application Data\Bullzip
2008-06-19 14:27:05 0 d-------- C:\Program Files\Bullzip
2008-06-13 14:50:21 0 d-------- C:\Documents and Settings\Kelly\Application Data\Help
2008-06-11 14:02:41 0 d-------- C:\Program Files\CoffeeCup Software
2008-06-07 22:02:02 0 d-------- C:\Documents and Settings\Kelly\Application Data\mIRC
2008-06-07 20:02:46 39492 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-05 10:01:32 0 d-------- C:\Documents and Settings\Kelly\Application Data\Canon
2008-06-05 09:56:02 0 d-------- C:\Program Files\Canon
2008-06-03 09:38:12 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-01 20:48:04 0 d-------- C:\Documents and Settings\Kelly\Application Data\Adobe
2008-06-01 20:48:00 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-01 16:16:36 0 d-------- C:\Program Files\Foxit Software
2008-06-01 15:47:50 0 d-------- C:\Documents and Settings\Kelly\Application Data\Autodesk
2008-06-01 15:47:13 0 d-------- C:\Program Files\AutoCAD 2004
2008-06-01 15:46:08 0 d-------- C:\Program Files\Autodesk
2008-06-01 15:46:07 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-01 15:45:48 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-05-31 19:43:27 0 d-------- C:\Program Files\NewsBin
2008-05-31 17:31:32 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-05-31 17:30:53 0 d-------- C:\Documents and Settings\Kelly\Application Data\Sun
2008-05-31 09:41:31 0 d-------- C:\Documents and Settings\Kelly\Application Data\Cynical Peak
2008-05-31 09:40:18 0 d-------- C:\Program Files\Cynical Peak
2008-05-31 08:56:24 0 d-------- C:\Program Files\Kyocera
2008-05-31 08:44:57 0 d-------- C:\Program Files\Common Files\Intuit
2008-05-31 08:44:05 0 d-------- C:\Program Files\Intuit
2008-05-31 08:39:37 0 d-------- C:\Documents and Settings\Kelly\Application Data\Macromedia
2008-05-31 08:39:36 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-05-30 23:36:40 0 d-------- C:\Program Files\Movie Maker
2008-05-30 23:35:35 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-30 23:34:48 0 d-------- C:\Program Files\Windows NT
2008-05-30 22:27:38 0 d-------- C:\Documents and Settings\Kelly\Application Data\Talkback
2008-05-30 22:27:28 0 d-------- C:\Documents and Settings\Kelly\Application Data\Thunderbird
2008-05-30 22:15:33 0 d-------- C:\Documents and Settings\Kelly\Application Data\Mozilla
2008-05-30 20:51:38 0 d-------- C:\Program Files\Intel
2008-05-30 20:24:44 0 d-------- C:\Documents and Settings\Kelly\Application Data\InstallShield
2008-05-30 19:31:35 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-30 18:22:19 0 d-------- C:\Program Files\Realtek
2008-05-30 18:22:13 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-30 17:26:57 0 d-------- C:\Documents and Settings\Kelly\Application Data\Identities
2008-05-30 16:48:40 0 d-------- C:\Program Files\microsoft frontpage
2008-05-30 16:48:27 0 -rahs---- C:\MSDOS.SYS
2008-05-30 16:48:27 0 -rahs---- C:\IO.SYS
2008-05-30 16:48:27 0 --a------ C:\CONFIG.SYS
2008-05-30 16:48:27 0 --a------ C:\AUTOEXEC.BAT
2008-05-30 16:46:27 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-30 16:45:31 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-30 12:39:00 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-30 12:38:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-30 12:38:31 62 --ahs---- C:\Documents and Settings\Kelly\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [05/16/2006 06:04 AM C:\WINDOWS\SkyTel.exe]
"GBB36X Configure"="C:\WINDOWS\System32\JMRaidTool.exe" [07/12/2006 05:58 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [08/11/2006 09:43 PM]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [08/11/2006 09:43 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/21/2006 04:56 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2008 09:05 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [07/16/2008 09:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
"IE7-10"=rundll32 advpack.dll,LaunchINFSectionEx NR_IE7en.inf,AfterUserStart,,4,N

C:\Documents and Settings\Kelly\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2008-07-27 20:33:54 ------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 27, 2008 08:23:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/07/2008
Kaspersky Anti-Virus database records: 1015668
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55432
Number of viruses found: 6
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:04:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Kelly\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Kelly\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\History\History.IE5\MSHist012008072720080728\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kelly\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\master.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\model.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\modellog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\templog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP2\A0000386.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP2\A0000386.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP2\A0000386.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP2\A0000386.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP4\A0000526.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP4\A0000526.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP4\A0000526.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP4\A0000526.exe RAR: infected - 3 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7c8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe/data0000.cab/file.exe/data0000.cab/is156999.exe Infected: Trojan.Win32.Pakes.den skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe/data0000.cab/file.exe/data0000.cab/RELPMA~1.EXE Infected: Trojan-Downloader.Win32.Agent.uwu skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe/data0000.cab/file.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.uwu skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe/data0000.cab/file.exe Infected: Trojan-Downloader.Win32.Agent.uwu skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.uwu skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001188.exe Rsrc-Package: infected - 5 skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001189.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001189.exe mIRC: infected - 1 skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001200.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\A0001200.exe RAR: infected - 1 skipped
D:\System Volume Information\_restore{F4F4260F-D795-4FBC-9D56-A77563DFB77F}\RP11\change.log Object is locked skipped

Scan process completed.

Edited by kregan, 27 July 2008 - 06:36 PM.


#15
kregan (Topic Starter, Member, 12 posts)
Just a bit of info for you...

When I start my computer something is hammering away at my internet connection trying to get in. Zone Alarm is blocking it and I have over 6000 intrusions blocked.

If I go into task manager I see about 6 svchost.exe running at the same time. The largest one, about 22,000 KB, seems to be the one hammering my internet connection. If I stop that one process the traffic dies down to nothing and the intrusion attempts stop.

Everything seems to run fine without that one svchost.exe program running.
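The post above picks out a busy svchost.exe by its memory footprint and kills it to see whether the traffic stops. Several legitimate Windows services share each svchost.exe instance, so a defender wants to know which services that instance hosts, where its image lives and what it is talking to before terminating it. The script below is an added example written for this thread, not code from the poster or from Geeks to Go; it assumes Windows PowerShell 3.0 or later and an elevated prompt (so that netstat reports the owning PID of every connection), and the sample netstat line in the comment is constructed.

```powershell
# Added example (not from the thread): map every svchost.exe instance to the services it
# hosts, its image path and its TCP endpoints, so the "largest" instance can be examined
# instead of guessed at. Assumes Windows PowerShell 3.0+ and an elevated session.

function Get-SvchostReport {
    # PID -> list of service names, from WMI. Win32_Service.ProcessId is 0 for stopped
    # services, so those are dropped. ProcessId is UInt32; cast to [int] so that the
    # hashtable key matches Get-Process's Int32 Id (boxed UInt32 and Int32 are not equal keys).
    $servicesByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $owner = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($owner)) { $servicesByPid[$owner] = @() }
        $servicesByPid[$owner] += $_.Name
    }

    # PID -> list of "remote [state]" strings, parsed from "netstat -ano", which exists on
    # every Windows release since XP. Constructed sample of a line it matches:
    #   TCP    192.168.1.5:49215    203.0.113.7:80    ESTABLISHED    1234
    $connsByPid = @{}
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $owner = [int]$Matches[4]
            if (-not $connsByPid.ContainsKey($owner)) { $connsByPid[$owner] = @() }
            $connsByPid[$owner] += "$($Matches[2]) [$($Matches[3])]"
        }
    }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $conns = $connsByPid[$_.Id]
        [pscustomobject]@{
            Pid          = $_.Id
            WorkingSetKB = [int]($_.WorkingSet64 / 1KB)
            # A genuine svchost.exe is loaded from %SystemRoot%\System32 (or SysWOW64);
            # any other path is worth a closer look. Path can be empty without elevation.
            Path         = $_.Path
            Services     = ($servicesByPid[$_.Id] -join ', ')
            Connections  = $(if ($conns) { $conns.Count } else { 0 })
            Remotes      = ($conns -join '; ')
        }
    }
}

# Largest working set first, matching the way the poster spotted the suspect instance.
Get-SvchostReport | Sort-Object WorkingSetKB -Descending | Format-Table -AutoSize
```

Read the output for two things: an instance whose Path is outside System32 or whose Services column is empty (a process named svchost.exe that hosts no registered service is not what Windows created), and an instance with many connections to the same few remote addresses, which is the pattern the poster's firewall was counting. `tasklist /svc` gives the service mapping on its own if PowerShell is not available.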