Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware.Cyberlog-X and/or Trojan-Spy.win32.mx [RESOLVED]


  • This topic is locked This topic is locked

#1
TmlGuy

TmlGuy

    Member

  • Member
  • PipPip
  • 58 posts
AVG – up to date did not catch virus and still does not see infection.
LavaSoft Ad-Aware gets errors during update – preventing updated definitions. Does not see infection.

Browser hijacked
- Geekstogo.com blocked
- Pctools.com blocked
- Google works but links are re-directed
-
TaskMan.exe disabled
- In safe mode I was finally able to re-enable in registry.

Unable to run some .exe files
- sdsetup.exe – pctools spyware doctor installation does not run.
- Malwarebytes' Anti-Malware - Download_mbam-setup.exe will not run

Norton Antivirus installed found a few things but did not detect the major infection.

Java had not been updated for a while.
- Uninstalled java.
-

Critical system warning constantly displayed.
messagebox1.JPG



Security center in systray redirects to: http://spywareisosca...n.php?wmid=mrs2

security_alert.JPG


security_alert2.JPG

spywarewarning.JPG

pandasecurity.JPG


There is no yellow bar to allow Panda Active scan to run.

Thanks,

Tim

Hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:50 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\adsnwc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Denise\Desktop\VIRUS\HiJackThis.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: gPhotoShow Toolbar Helper - {AE67B5AA-B590-4034-98B5-6AEAAF558B95} - C:\Program Files\gPhotoShow Toolbar\v3.2.0.0\gPhotoShow_Toolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cyclone License Server (CycloneLicenseServer) - Unknown owner - C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Leica HDS Server - Versant Corporation - C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Denise/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Component 1: (no name) - http://www.hawaiipic...s31600x1200.jpg

--
End of file - 12368 bytes

Edited by TmlGuy, 30 July 2008 - 05:12 PM.

  • 0

Advertisements


#2
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following...


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




Regards
fenzodahl512
  • 0

#3
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Okay, I see that it is important to rename the file at the time it is downloaded. I have removed this computer from my network and from the internet. I can disable access to my other computers from the network and internet access (rather not) to download it directly but do I have to? Can I download it from another and copy it from a flash drive to the desktop?

I will follow you every command...


Tim

I have downloaded-renamed it, have it on a flash drive.

Edited by TmlGuy, 30 July 2008 - 10:17 PM.

  • 0

#4
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Yup you may.. But I'd rather have you burn it on cd (after renamed).. Don't want your flashdrive get infected as soon as it plug in to your computer :)
  • 0

#5
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
After Combo-Fix restarted the computer I let it run for a few, then realized AVG had a scan in progress in the systray. I had disabled it per instructions. I canceled the scan.

A few minutes later Combo-Fix finished.

results:

Combo-Fix log------

ComboFix 08-07-29.1 - Denise 2008-07-30 21:46:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.437 [GMT -7:00]
Running from: C:\Documents and Settings\Denise\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Denise\Application Data\macromedia\Flash Player\#SharedObjects\QAKQBFLZ\interclick.com
C:\Documents and Settings\Denise\Application Data\macromedia\Flash Player\#SharedObjects\QAKQBFLZ\interclick.com\ud.sol
C:\Documents and Settings\Denise\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Denise\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Denise\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Denise\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Denise\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Dot1XCfg
C:\Program Files\GetModule
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\GetModule\pckik.dat
C:\Program Files\iCheck
C:\Program Files\iCheck\iCheck.exe
C:\Program Files\iCheck\Uninstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\spywarewarning.mht
C:\WINDOWS\system32\spywarewarning2.mht
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-06-29 20:15 . 2008-06-29 20:15 <DIR> d-------- C:\Documents and Settings\TmlGuy\Application Data\AVG7
2008-06-29 15:03 . 2008-06-29 15:03 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-29 15:03 . 2008-06-29 15:18 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-29 15:02 . 2008-06-29 15:03 <DIR> d-------- C:\Program Files\Symantec
2008-06-29 15:02 . 2008-06-29 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-29 15:02 . 2008-06-29 15:03 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-29 15:02 . 2008-06-29 15:03 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-29 15:02 . 2008-06-29 15:03 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-29 15:02 . 2008-06-29 15:03 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-29 14:55 . 2008-06-30 10:08 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 16:07 . 2008-06-28 16:07 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Lavasoft
2008-06-28 15:57 . 2008-06-28 17:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-28 15:31 . 2008-06-28 15:31 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-28 12:39 . 2008-06-28 12:39 92,672 -r-hs---- C:\WINDOWS\system32\adsnwc.exe
2008-06-28 10:17 . 2008-06-28 10:20 <DIR> d-------- C:\WINDOWS\system32\6347
2008-06-28 09:33 . 2008-06-28 09:33 18,688 --a------ C:\WINDOWS\dnsrelay_old.dll
2008-06-28 09:33 . 2008-06-28 09:33 11,776 --a------ C:\WINDOWS\cpan-old.dll
2008-06-28 09:18 . 2008-06-28 09:18 <DIR> d-------- C:\WINDOWS\system32\netrax06
2008-06-28 09:18 . 2008-06-28 09:18 <DIR> d-------- C:\Temp\itmp4
2008-06-28 09:18 . 2008-06-28 09:18 <DIR> d-------- C:\Temp
2008-06-28 09:18 . 2004-08-10 03:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-20 14:42 . 2008-06-20 14:45 <DIR> d-------- C:\c;TmlStore
2008-06-18 14:40 . 2008-06-18 14:40 <DIR> d-------- C:\Program Files\MSBuild
2008-06-18 14:38 . 2008-06-18 14:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-18 14:38 . 2008-06-18 14:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-18 14:37 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-16 20:54 . 2008-06-16 20:54 <DIR> d-------- C:\Program Files\gPhotoShow Toolbar
2008-06-16 20:54 . 2008-06-16 20:54 <DIR> d-------- C:\Program Files\gPhotoShow
2008-06-16 20:54 . 2007-03-12 15:06 626,688 --a------ C:\WINDOWS\system32\gPhotoShow.scr
2008-06-16 20:54 . 2008-06-16 20:54 231,080 --a------ C:\WINDOWS\gPhotoShow_Toolbar_Uninstaller_3859.exe
2008-06-11 00:56 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:56 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 19:37 . 2008-06-28 09:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-09 19:37 . 2008-06-09 19:37 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-30 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-30 19:26 --------- d-----w C:\Program Files\Java
2008-06-29 00:09 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-23 18:45 --------- d-----w C:\Documents and Settings\Denise\Application Data\U3
2008-06-04 21:43 --------- d-----w C:\Documents and Settings\Denise\Application Data\AdobeUM
2008-03-01 18:45 6,656 ----a-w C:\Documents and Settings\Denise\~.exe
2006-05-13 00:48 88 --sh--r C:\WINDOWS\system32\E08F8332E2.sys
2007-07-04 00:49 56 --sh--r C:\WINDOWS\system32\E232838FE0.sys
2007-07-04 00:49 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 23:00 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 09:01 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 16:07 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-28 01:22 580096]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-28 15:14 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-06 23:49 718704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"CTHelper"="CTHELPER.EXE" [2005-11-08 10:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 02:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-03 13:22 219136]
"IEUpdate"="C:\WINDOWS\system32\adsnwc.exe" [2008-06-28 12:39 92672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"="C:\WINDOWS\system32\adsnwc.exe" [2008-06-28 12:39 92672]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-28 15:07:27 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 12:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 14:00:54 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 CycloneLicenseServer;Cyclone License Server;C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe C:\Program Files\Leica Geosystems\Cyclone\ []
R2 Leica HDS Server;Leica HDS Server;C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe [2006-03-30 23:49]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 18:47]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 04:40]
S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Denise.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{28F4A32B-116F-48FD-B4CE-4273852BB730} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R0 -: HKLM-Main,Start Page = hxxp://www.dell.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 21:57:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-07-30 22:08:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 05:07:53

Pre-Run: 91,145,977,856 bytes free
Post-Run: 91,527,528,448 bytes free

290 --- E O F --- 2008-06-28 22:31:32



$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

HJT log -----------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:09 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Denise\Desktop\VIRUS\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cyclone License Server (CycloneLicenseServer) - Unknown owner - C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Leica HDS Server - Versant Corporation - C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Denise/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Component 1: (no name) - http://www.hawaiipic...s31600x1200.jpg

--
End of file - 9621 bytes
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator



Please post the following logs in your next reply.. Please post each log in separate post..

1. SDFix
2. DSS main.txt
3. DSS extra.txt


Regards
fenzodahl512
  • 0

#7
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
SDFIX Report $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$


SDFix: Version 1.210
Run by Denise on Wed 07/30/2008 at 11:18 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default IE HomePage

Rebooting


Checking Files :

Trojan Files Found:

C:\101.TMP - Deleted
C:\102.TMP - Deleted
C:\FD.TMP - Deleted
C:\FE.TMP - Deleted



Folder C:\WINDOWS\system32\netrax06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 23:32:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000098
"TracesSuccessful"=dword:0000006e

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windowsr NetMeetingr"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 3 Jun 2001 28,160 A..H. --- "C:\HP\~WRL0003.tmp"
Mon 29 Oct 2001 27,648 A..H. --- "C:\HP\~WRL0297.tmp"
Sun 3 Jun 2001 28,160 A..H. --- "C:\HP\~WRL0742.tmp"
Tue 2 Jan 2001 28,160 A..H. --- "C:\HP\~WRL1179.tmp"
Thu 13 Sep 2001 28,160 A..H. --- "C:\HP\~WRL1338.tmp"
Tue 2 Jan 2001 27,648 A..H. --- "C:\HP\~WRL1509.tmp"
Mon 29 Oct 2001 28,160 A..H. --- "C:\HP\~WRL1629.tmp"
Fri 14 Mar 2003 28,672 A..H. --- "C:\HP\~WRL2518.tmp"
Tue 2 May 2006 8 A.SHR --- "C:\i386\E08F8332E2.sys"
Tue 2 May 2006 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Sun 3 Jun 2001 28,160 A..H. --- "C:\TmlStore1\HP\~WRL0003.tmp"
Mon 29 Oct 2001 27,648 A..H. --- "C:\TmlStore1\HP\~WRL0297.tmp"
Sun 3 Jun 2001 28,160 A..H. --- "C:\TmlStore1\HP\~WRL0742.tmp"
Tue 2 Jan 2001 28,160 A..H. --- "C:\TmlStore1\HP\~WRL1179.tmp"
Thu 13 Sep 2001 28,160 A..H. --- "C:\TmlStore1\HP\~WRL1338.tmp"
Tue 2 Jan 2001 27,648 A..H. --- "C:\TmlStore1\HP\~WRL1509.tmp"
Mon 29 Oct 2001 28,160 A..H. --- "C:\TmlStore1\HP\~WRL1629.tmp"
Fri 14 Mar 2003 28,672 A..H. --- "C:\TmlStore1\HP\~WRL2518.tmp"
Sat 28 Jun 2008 92,672 ..SHR --- "C:\WINDOWS\system32\adsnwc.exe"
Fri 12 May 2006 88 ..SHR --- "C:\WINDOWS\system32\E08F8332E2.sys"
Tue 3 Jul 2007 56 ..SHR --- "C:\WINDOWS\system32\E232838FE0.sys"
Tue 3 Jul 2007 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 3 Feb 2002 24,064 A..H. --- "C:\TmlStore1\My Documents\Denise\~WRL1047.tmp"
Sun 3 Feb 2002 24,576 A..H. --- "C:\TmlStore1\My Documents\Denise\~WRL1653.tmp"
Thu 24 Jan 2002 22,528 A..H. --- "C:\TmlStore1\My Documents\Denise\~WRL2607.tmp"
Thu 27 May 2004 29,694,976 A..H. --- "C:\TmlStore1\My Documents\Janae\~WRL1007.tmp"
Fri 9 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Thu 26 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BITA2.tmp"
Thu 26 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BITA1.tmp"
Wed 30 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1d01f188c8132c12d35c3222b7723a4\BITE.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Denise\Application Data\U3\temp\Launchpad Removal.exe"
Mon 7 Mar 2005 20,480 A..H. --- "C:\TmlStore1\My Documents\Janae\Homework\English\~WRL0001.tmp"
Mon 7 Mar 2005 19,456 A..H. --- "C:\TmlStore1\My Documents\Janae\Homework\English\~WRL4067.tmp"
Wed 30 Jul 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"
Tue 30 Aug 2005 24,064 A..H. --- "C:\Documents and Settings\All Users\Documents\My Pictures\TmlStore3D\HP\DEV\~WRL3321.tmp"
Fri 28 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 28 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 28 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Tue 2 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!




DSS MAIN $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Deckard's System Scanner v20071014.68
Run by Denise on 2008-07-30 23:47:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2008-07-31 06:48:09 UTC - RP841 - Deckard's System Scanner Restore Point
102: 2008-07-31 04:45:45 UTC - RP840 - ComboFix created restore point
101: 2008-07-30 18:47:53 UTC - RP839 - System Checkpoint
100: 2008-07-29 14:42:57 UTC - RP838 - System Checkpoint
99: 2008-07-28 14:39:50 UTC - RP837 - System Checkpoint


-- First Restore Point --
1: 2008-05-02 07:53:49 UTC - RP739 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Denise.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:16 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Denise\Desktop\VIRUS\dss.exe
C:\DOCUME~1\Denise\Desktop\VIRUS\Denise.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\adsnwc.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cyclone License Server (CycloneLicenseServer) - Unknown owner - C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Leica HDS Server - Versant Corporation - C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Denise/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Component 1: (no name) - http://www.hawaiipic...s31600x1200.jpg

--
End of file - 9554 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 catchme - c:\docume~1\denise\locals~1\temp\catchme.sys (file missing)

S2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CycloneLicenseServer (Cyclone License Server) - "c:\program files\leica geosystems\cyclone\cyralicense.exe" "c:\program files\leica geosystems\cyclone\"
R2 Leica HDS Server - "c:\program files\leica geosystems\cyclone\ptserv32.exe" -config "c:\program files\leica geosystems\cyclone\ptserver.cfg" <Not Verified; Versant Corporation; FastObjects Server for Windows NT>
R2 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>
R2 NTService1 (MaxSyncService) - "c:\program files\maxtor\onetouch\utils\syncservices.exe" <Not Verified; ; SyncServices>

S2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service (file missing)
S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-28 21:41:02 558 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Denise.job


-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-30 23:12:13 0 d-------- C:\WINDOWS\ERUNT
2008-07-30 21:43:48 68096 --a------ C:\WINDOWS\zip.exe
2008-07-30 21:43:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-30 21:43:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-30 21:43:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-30 21:43:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-30 21:43:48 98816 --a------ C:\WINDOWS\sed.exe
2008-07-30 21:43:48 80412 --a------ C:\WINDOWS\grep.exe
2008-07-30 21:43:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 21:43:44 0 d-------- C:\Combo-Fix


-- Find3M Report ---------------------------------------------------------------

2008-07-30 22:12:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-30 21:49:23 0 d-------- C:\Program Files\Common Files
2008-06-30 12:26:51 0 d-------- C:\Program Files\Java
2008-06-29 15:18:07 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-29 15:03:39 0 d-------- C:\Program Files\Symantec
2008-06-29 15:03:07 0 d-------- C:\Program Files\Windows Sidebar
2008-06-28 17:09:35 0 d-------- C:\Program Files\Common Files\AOL
2008-06-28 15:31:25 0 d-------- C:\Program Files\MSXML 6.0
2008-06-28 12:39:56 92672 -r-hs---- C:\WINDOWS\system32\adsnwc.exe
2008-06-28 09:33:22 18688 --a------ C:\WINDOWS\dnsrelay_old.dll
2008-06-28 09:33:22 11776 --a------ C:\WINDOWS\cpan-old.dll
2008-06-23 11:45:59 0 d-------- C:\Documents and Settings\Denise\Application Data\U3
2008-06-18 14:40:34 0 d-------- C:\Program Files\MSBuild
2008-06-18 14:38:12 0 d-------- C:\Program Files\Reference Assemblies
2008-06-16 20:54:51 231080 --a------ C:\WINDOWS\gPhotoShow_Toolbar_Uninstaller_3859.exe <Not Verified; gPhotoShow; gPhotoShow>
2008-06-16 20:54:51 0 d-------- C:\Program Files\gPhotoShow Toolbar
2008-06-16 20:54:49 0 d-------- C:\Program Files\gPhotoShow
2008-06-04 14:43:23 0 d-------- C:\Documents and Settings\Denise\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/29/2008 03:04 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [11/08/2005 10:30 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [03/02/2006 02:00 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 07:05 PM]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/17/2003 11:00 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [10/14/2005 09:01 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 04:07 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/10/2000 11:00 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 03:20 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [06/28/2008 01:22 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/15/2005 12:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/28/2006 03:14 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 06:47 PM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [02/06/2008 11:49 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\adsnwc.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IEUpdate"=C:\WINDOWS\system32\adsnwc.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/28/2006 3:07:27 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [12/15/2005 12:40:44 PM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/15/2005 2:00:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-07-30 23:50:09 ------------



DSS EXTRA $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1022.07 MiB / 527.15 MiB
Pagefile Memory (total/avail): 2460.18 MiB / 2060.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.8 MiB

C: is Fixed (NTFS) - 144.21 GiB total, 85.12 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3160812AS - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 144.21 GiB - C:
\PARTITION2 - Unknown - 4.74 GiB

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton AntiVirus v15.5.0.23 (Symantec Corporation) Disabled
FW: v (McAfee) Disabled
AV: AVG 7.5.526 v7.5.526 (Grisoft) Disabled Outdated
AV: Norton AntiVirus v15.5.0.23 (Symantec Corporation) Disabled Outdated
AV: v (McAfee) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE:*:Enabled:Microsoft Office Word"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Denise\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TMLSTORE6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Denise
LOGONSERVER=\\TMLSTORE6
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Denise\LOCALS~1\Temp
TMP=C:\DOCUME~1\Denise\LOCALS~1\Temp
USERDOMAIN=TMLSTORE6
USERNAME=Denise
USERPROFILE=C:\Documents and Settings\Denise
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Denise (admin)
Tim (admin)
TmlGuy
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W
--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{06E3E953-0570-4DFF-A7B5-46114C390228}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6349CEE9-19F2-49D9-AC9D-B0350E3CBDB1}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup &quo
  • 0

#8
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, you have three antivirus (AVG7, McAfee, Norton).. Please uninstall AVG7 and another antivirus.. Just leave ONLY ONE antivirus in your computer.. Another Add-on, all of them are disabled and outdated.. Please update your antivirus and re-enable them back after performing all fix..



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
PlugPlayRPC

File::
C:\WINDOWS\system32\adsnwc.exe
C:\WINDOWS\dnsrelay_old.dll
C:\WINDOWS\cpan-old.dll
C:\WINDOWS\portsv.exe
E:\setup.exe

Folder::
C:\WINDOWS\system32\netrax06
C:\Temp\itmp4

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"IEUpdate"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"IEUpdate"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

DirLook::
C:\WINDOWS\system32\6347

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I uninstalled Norton (expired trial version).
I can not find McAfee in the start menu, or in Add/Remove Programs. Not sure how to remove any of it's files. I think I removed it years ago when I got the computer.

COMBOFIX LOG $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
ComboFix 08-07-29.1 - Denise 2008-07-31 8:54:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -7:00]
Running from: C:\Documents and Settings\Denise\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Denise\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\cpan-old.dll
C:\WINDOWS\dnsrelay_old.dll
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\adsnwc.exe
E:\setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\itmp4
C:\WINDOWS\cpan-old.dll
C:\WINDOWS\dnsrelay_old.dll
C:\WINDOWS\system32\adsnwc.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PLUGPLAYRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 23:47 . 2008-07-30 23:47 <DIR> d-------- C:\Deckard
2008-07-30 23:12 . 2008-07-30 23:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-30 23:11 . 2008-07-30 23:42 <DIR> d-------- C:\SDFix
2008-06-29 20:15 . 2008-06-29 20:15 <DIR> d-------- C:\Documents and Settings\TmlGuy\Application Data\AVG7
2008-06-29 15:02 . 2008-07-31 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-29 14:55 . 2008-07-31 08:49 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 16:07 . 2008-06-28 16:07 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Lavasoft
2008-06-28 15:57 . 2008-06-28 17:10 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-28 15:31 . 2008-06-28 15:31 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-28 10:17 . 2008-06-28 10:20 <DIR> d-------- C:\WINDOWS\system32\6347
2008-06-28 09:18 . 2008-07-31 08:54 <DIR> d-------- C:\Temp
2008-06-28 09:18 . 2004-08-10 03:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-20 14:42 . 2008-06-20 14:45 <DIR> d-------- C:\c;TmlStore
2008-06-20 10:41 . 2008-06-20 10:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 03:44 . 2008-06-20 03:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 14:40 . 2008-06-18 14:40 <DIR> d-------- C:\Program Files\MSBuild
2008-06-18 14:38 . 2008-06-18 14:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-18 14:38 . 2008-06-18 14:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-18 14:37 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-16 20:54 . 2008-06-16 20:54 <DIR> d-------- C:\Program Files\gPhotoShow Toolbar
2008-06-16 20:54 . 2008-06-16 20:54 <DIR> d-------- C:\Program Files\gPhotoShow
2008-06-16 20:54 . 2007-03-12 15:06 626,688 --a------ C:\WINDOWS\system32\gPhotoShow.scr
2008-06-16 20:54 . 2008-06-16 20:54 231,080 --a------ C:\WINDOWS\gPhotoShow_Toolbar_Uninstaller_3859.exe
2008-06-11 00:56 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:56 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 19:37 . 2008-06-28 09:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-09 19:37 . 2008-06-09 19:37 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 06:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-30 19:26 --------- d-----w C:\Program Files\Java
2008-06-29 00:09 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-23 18:45 --------- d-----w C:\Documents and Settings\Denise\Application Data\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-04 21:43 --------- d-----w C:\Documents and Settings\Denise\Application Data\AdobeUM
2008-03-01 18:45 6,656 ----a-w C:\Documents and Settings\Denise\~.exe
2006-05-13 00:48 88 --sh--r C:\WINDOWS\system32\E08F8332E2.sys
2007-07-04 00:49 56 --sh--r C:\WINDOWS\system32\E232838FE0.sys
2007-07-04 00:49 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\6347 ----



((((((((((((((((((((((((((((( [email protected]_22.07.28.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2008-07-30 19:50:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-31 06:12:42 4,980,736 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-31 06:12:42 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-30 19:50:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-31 06:12:27 4,980,736 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-31 06:12:27 450,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-02-20 05:32:43 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2007-10-30 17:20:55 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2004-08-10 10:00:00 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-17 23:00 45056]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 09:01 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 16:07 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00 90112]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-06-28 01:22 580096]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 12:18 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-28 15:14 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"CTHelper"="CTHELPER.EXE" [2005-11-08 10:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 02:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-03 13:22 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-28 15:07:27 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 12:40:44 282624]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 14:00:54 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 CycloneLicenseServer;Cyclone License Server;C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe C:\Program Files\Leica Geosystems\Cyclone\ []
R2 Leica HDS Server;Leica HDS Server;C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe [2006-03-30 23:49]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 04:40]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{28F4A32B-116F-48FD-B4CE-4273852BB730} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 09:00:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-07-31 9:08:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 16:07:44
ComboFix2.txt 2008-07-31 05:09:00

Pre-Run: 91,568,095,232 bytes free
Post-Run: 91,561,701,376 bytes free

231 --- E O F --- 2008-07-31 15:40:27

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
HJT LOG $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:13 AM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Denise\Desktop\VIRUS\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cyclone License Server (CycloneLicenseServer) - Unknown owner - C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Leica HDS Server - Versant Corporation - C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Denise/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Component 1: (no name) - http://www.hawaiipic...s31600x1200.jpg

--
End of file - 7868 bytes
  • 0

#10
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I have an install for PcTools should I remove AVG7 and install PcTools Spyware Dr?
AVG did not catch the problem to begin with, so I don't trust it any more.

What AntiVirus/Spyware do you recommend?

Tim
  • 0

Advertisements


#11
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

I have an install for PcTools should I remove AVG7 and install PcTools Spyware Dr?
AVG did not catch the problem to begin with, so I don't trust it any more.

What AntiVirus/Spyware do you recommend?

Tim



Well, I suggest you uninstall AVG7 as it is already outdated and no longer support by Grisoft.. It has been replaced by AVG8..

As for recommendation, there's no perfect antivirus.. Each one has its own strength and weakness.. However, I'll recommend you these free and excellent free antivirus below.. Please install ONLY ONE of them..



Now, lets do this...


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click at dss.exe icon and choose Run as Administrator



Please post the following logs in your next reply.. Please post each log in separate post..

1. Malwarebytes'
2. DSS main.txt
3. DSS extra.txt


Regards
fenzodahl512
  • 0

#12
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Removed AVG7
Installed PcTools AntiVirus Free
Ran PcTools Scan - nothing found
Ran MBAM - 31 item removed
DSS - Extra.txt never opened.

MBAM file:
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

11:59:08 AM 7/31/2008
mbam-log-7-31-2008 (11-59-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193766
Time elapsed: 1 hour(s), 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Adobe\Acrobat 6.0\Reader\PDF417Encoder.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\iCheck\iCheck.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\iCheck\Uninstall.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\adsnwc.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP840\A0026388.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP840\A0026389.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP840\A0026391.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP840\A0026392.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP843\A0027229.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP797\A0023851.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP797\A0023858.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP797\A0023859.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP797\A0023860.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0024119.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP798\A0024315.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP802\A0024825.dll (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP802\A0024829.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.



$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
DSS Main.txt:
Deckard's System Scanner v20071014.68
Run by Denise on 2008-07-31 12:00:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Denise.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:17 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Documents and Settings\Denise\Desktop\VIRUS\dss.exe
C:\DOCUME~1\Denise\Desktop\VIRUS\Denise.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Cyclone License Server (CycloneLicenseServer) - Unknown owner - C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Leica HDS Server - Versant Corporation - C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Denise/LOCALS~1/Temp/msohtml1/01/clip_image001.gif
O24 - Desktop Component 1: (no name) - http://www.hawaiipic...s31600x1200.jpg

--
End of file - 7335 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 10:48:35 0 d-------- C:\Documents and Settings\Denise\Application Data\Malwarebytes
2008-07-31 10:48:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 10:48:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 10:48:08 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-31 10:43:04 0 d-------- C:\Documents and Settings\Denise\Application Data\PC Tools
2008-07-31 10:41:28 0 d-------- C:\Program Files\Common Files\PC Tools
2008-07-31 10:41:22 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-07-31 10:41:22 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-30 23:12:13 0 d-------- C:\WINDOWS\ERUNT
2008-07-30 21:43:48 68096 --a------ C:\WINDOWS\zip.exe
2008-07-30 21:43:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-30 21:43:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-30 21:43:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-30 21:43:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-30 21:43:48 98816 --a------ C:\WINDOWS\sed.exe
2008-07-30 21:43:48 80412 --a------ C:\WINDOWS\grep.exe
2008-07-30 21:43:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 21:43:44 0 d-------- C:\Combo-Fix


-- Find3M Report ---------------------------------------------------------------

2008-07-31 10:48:08 0 d-------- C:\Program Files\Common Files
2008-07-31 08:49:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 12:26:51 0 d-------- C:\Program Files\Java
2008-06-28 17:09:35 0 d-------- C:\Program Files\Common Files\AOL
2008-06-28 15:31:25 0 d-------- C:\Program Files\MSXML 6.0
2008-06-23 11:45:59 0 d-------- C:\Documents and Settings\Denise\Application Data\U3
2008-06-18 14:40:34 0 d-------- C:\Program Files\MSBuild
2008-06-18 14:38:12 0 d-------- C:\Program Files\Reference Assemblies
2008-06-16 20:54:51 231080 --a------ C:\WINDOWS\gPhotoShow_Toolbar_Uninstaller_3859.exe <Not Verified; gPhotoShow; gPhotoShow>
2008-06-16 20:54:51 0 d-------- C:\Program Files\gPhotoShow Toolbar
2008-06-16 20:54:49 0 d-------- C:\Program Files\gPhotoShow
2008-06-04 14:43:23 0 d-------- C:\Documents and Settings\Denise\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [11/08/2005 10:30 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [03/02/2006 02:00 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 07:05 PM]
"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [06/17/2003 11:00 PM]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [10/14/2005 09:01 AM]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 04:07 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/10/2000 11:00 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 03:20 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/15/2005 12:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/28/2006 03:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [03/05/2008 09:37 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/28/2006 3:07:27 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [12/15/2005 12:40:44 PM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/15/2005 2:00:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - AVFILTER
*Newly Created Service* - AVHOOK
*Newly Created Service* - AVREC
*Newly Created Service* - PCTAVSVC



-- End of Deckard's System Scanner: finished at 2008-07-31 12:01:42 ------------
  • 0

#13
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Good news.. Your log looks clean to my eyes..


Time for some housekeeping
  • Click START then RUN
  • Now type Combo-Fix /u in the runbox and click OK
    Please note that the space between x and / is needed

    Posted Image



NEXT


Please download OTCleanIt and save it to Desktop.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



NEXT


I haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewall below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.



Lastly, to keep your operating system up to date please visit the link below monthly

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
  • 0

#14
TmlGuy

TmlGuy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Well, everything was going pretty good until I purchased PcTools Internet Security. I figured their firewall would work best with their antivirus.
I had to uninstall the free version of pctools antivirus before I installed the new one.
I installed full version and lost my network and internet connection from that computer.
I have to take the dog to the vet now, I will contact PcTools Support when I return and hopefully have good news to post.

Thanks for all your help.

Tim
  • 0

#15
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

Well, everything was going pretty good until I purchased PcTools Internet Security. I figured their firewall would work best with their antivirus.
I had to uninstall the free version of pctools antivirus before I installed the new one.
I installed full version and lost my network and internet connection from that computer.
I have to take the dog to the vet now, I will contact PcTools Support when I return and hopefully have good news to post.

Thanks for all your help.

Tim



Ouch.. will wait for your news.. by the way, here's the PCTools support forum if you need them... (better call them since you purchased it)

http://www.pctools.com/forum/
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP