
NT authorization/shutdown [RESOLVED]


This topic is locked

#1 sad.lil.chicken (New Member, 8 posts)
Hey!

I'll get straight to the point: this is the first time I've ever got a bug, and it's such an annoying one! :) It shuts down my PC within 3 minutes of booting up.
The error message that comes up reads:

System Shutdown:
This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: *starts at 60 seconds and counts down*
Message: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

:)

I'm running XP and try to make sure it's up to date with Windows Updates; it's running SP3.
I always have scheduled McAfee scans (and McAfee suite auto-updates).
I run Spybot S&D as well as Ad-Aware weekly; basically I try to keep my system okay.

As soon as I saw this pop-up I didn't reboot; I left it shut down and disconnected all cables other than keyboard/mouse/monitor (no USB connections or cable internet are connected).

I researched it as far as I could with my other PC... tried scanning with a few things in normal mode, but it dies before the scan gets 25% in.
I also haven't been able to restore to a clean restore point (I had one from when the bug wasn't present...) and didn't think I should create a new restore point when it's infected :)
I have performed full scans in safe mode, but they couldn't find anything (and it won't shut down with that error).

Have also read http://www.geekstogo...-Log-t2852.html ;)

I just wanted to thank you guys; I do realise you all have other things IRL and really do appreciate this ^_^

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:30, on 26/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.mi...v6/default.aspx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Christine Baird\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)

--
End of file - 6852 bytes

Edited by sad.lil.chicken, 26 August 2008 - 03:16 AM.


#2 BHowett (OT Moderator, 4,649 posts)
Hello sad.lil.chicken, and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

Sorry for the delay as you can tell we are quite busy :)


I am looking over your log now, and I will post your first set of instructions shortly.

#3 BHowett (OT Moderator, 4,649 posts)
Hi sad.lil.chicken,

I'm guessing that the error message that comes up looks like this one:

[image: the "System Shutdown" dialog, initiated by NT AUTHORITY\SYSTEM, with the 60-second countdown]


"As soon as I saw this pop-up I didn't reboot; I left it shut down and disconnected all cables other than keyboard/mouse/monitor (no USB connections or cable internet are connected)."



Go ahead and connect everything back up, and lets see if we can get you fixed up :)


If you don’t have time to download FixBlast.exe before the error shows up and the computer attempts to shut down, you can use the following steps to prevent the forced shut down.

  • From the Start menu, click Run.
  • In the Run dialog box, type: shutdown -a and click OK.

W32.Blaster.Worm


  • Download the FixBlast.exe file from: Here
  • Save the file to a convenient location, such as your Windows desktop.
  • Close all the running programs.
  • If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
  • If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, see the below link:
    How to turn off or turn on Windows XP System Restore
  • Locate the file that you just downloaded.
  • Double-click the FixBlast.exe file to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run.

    NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe mode (Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.) and run the tool again.
  • Restart the computer.
  • Run the removal tool again to ensure that the system is clean.
  • If you are running Windows Me/XP, then reenable System Restore.
  • If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

===============================================

ComboFix

Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

#4 sad.lil.chicken (Topic Starter, 8 posts)
Hey!

I've cancelled the shutdown and followed the steps to run FixBlast twice; both times it said it couldn't find anything (I did reboot between the two tries).
Have also installed the XP Recovery Console, followed the steps for ComboFix... Here's the log for it:

ComboFix 08-08-30.03 - Christine Baird 2008-08-31 13:27:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.70 [GMT 10:00]
Running from: C:\Documents and Settings\Christine Baird\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-31 11:28 . 2008-08-31 11:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-30 18:03 . 2008-08-30 18:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-30 18:03 . 2008-08-30 18:03 <DIR> d---s---- C:\Documents and Settings\Default User
2008-08-30 15:26 . 2008-08-30 15:26 61,224 --a------ C:\Documents and Settings\Christine Baird\GoToAssistDownloadHelper.exe
2008-08-26 19:14 . 2008-08-26 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 18:05 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-26 18:05 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-26 18:05 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-26 18:05 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-26 18:05 . 2008-08-14 21:52 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-26 18:05 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-26 18:05 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-26 18:05 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-26 18:05 . 2008-08-26 18:05 2,378 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-24 21:25 . 2008-08-24 21:25 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEPC\Application Data\Lavasoft
2008-08-24 21:22 . 2008-08-24 21:22 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEPC
2008-08-17 22:24 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-17 22:24 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-17 22:19 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003053_.tmp
2008-08-02 18:47 . 2008-08-02 18:47 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-19 20:52 . 2008-07-19 20:52 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-19 20:50 . 2008-06-02 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-07-19 20:45 . 2008-07-19 20:48 <DIR> d-------- C:\Program Files\ATI Technologies
2008-07-17 19:11 . 2008-07-17 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom
2008-07-10 18:24 . 2008-07-10 18:24 <DIR> d-------- C:\Documents and Settings\Christine Baird\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2008-07-10 18:23 . 2008-07-10 18:23 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 09:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-30 08:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-30 08:09 --------- d-----w C:\Program Files\McAfee
2008-08-30 05:19 --------- d-----w C:\Documents and Settings\Christine Baird\Application Data\McAfee
2008-08-30 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-18 08:11 --------- d-----w C:\Program Files\MSN Messenger
2008-08-17 12:01 --------- d-----w C:\Documents and Settings\Christine Baird\Application Data\U3
2008-07-19 10:38 --------- d-----w C:\Program Files\LimeWire
2008-07-19 10:37 --------- d-----w C:\Program Files\DivX
2008-07-19 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 10:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 09:14 6,656 --sha-w C:\Program Files\Thumbs.db
2007-12-27 12:56 4,346,084 -c--a-w C:\Documents and Settings\Christine Baird\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-05-30 07:04 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2005-03-28 00:51 177,870 -c--a-w C:\Program Files\203-10039-01_r3.pdf
2004-12-16 23:53 635,176 -c--a-w C:\Program Files\wgr614v4_V5.0_07.img
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-31 01:42 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 15:01 139264]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ZboardTray"="C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" [2005-05-02 15:41 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
2003-09-03 07:14 49152 C:\WINDOWS\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--ah----- 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S0 UsbSync;UsbSync;C:\WINDOWS\system32\drivers\UsbSync.sys []
S3 UsbButton;UsbButton;C:\WINDOWS\system32\drivers\UsbButton.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-NeroFilterCheck - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Christine Baird\Application Data\Mozilla\Firefox\Profiles\r63d623f.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 13:31:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-31 13:37:16
ComboFix-quarantined-files.txt 2008-08-31 03:37:08

Pre-Run: 25,261,195,264 bytes free
Post-Run: 25,241,608,192 bytes free

142



And here's the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41:25, on 31/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)

--
End of file - 5661 bytes

#5 BHowett (OT Moderator, 4,649 posts)
It will take me a few minutes to look through your logs, but are you still getting the NT AUTHORITY\SYSTEM error?

#6 BHowett (OT Moderator, 4,649 posts)
Hi sad.lil.chicken,

Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

===============================================



Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Usecndwbfms - Unknown owner - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================

Combofix Script.txt
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\003053_.tmp
Folder::
C:\Documents and Settings\Christine Baird\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto the ComboFix.exe icon]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================

Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
===============================================

P2P Warning!

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur. Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current problem/infection. I would strongly suggest you remove Limewire. Removing can be done through Add/Remove Programs.

===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

===============================================


Needed in your next reply:

ComboFix log
Kaspersky WebScanner results
Fresh HijackThis log

Also let me know how things are running :)
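As an added illustration that is not part of BHowett's post and not anything Kaspersky ships: a small Python script that reads a Kaspersky Online Scanner 7 report in the shape the steps above produce and puts the findings in a sensible order for triage. The report text inside it is constructed (paths shortened, one line invented for contrast), and the priority table is my own rough ordering of Kaspersky's behaviour classes, not something the scanner outputs.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a Kaspersky Online Scanner 7 report
# (paths shortened, third line invented for contrast). Not a real report.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Documents and Settings\\Admin\\Desktop\\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Microsoft\\Outlook\\Outlook.pst Infected: Trojan-Spy.Win32.Zbot.edp 1
C:\\Downloads\\setup.zip/setup.exe Infected: Trojan-Downloader.Win32.Small.abc 1

The selected area was scanned.
"""

# "<path> Infected: <threat name> <count>"  (or "Suspicious:")
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")

# Kaspersky names read "<Behaviour>.<Platform>.<Family>.<Variant>"; riskware and
# other legitimate-use tools carry a "not-a-virus:" prefix. The ordering below is
# my own triage order (0 = look at first), not something the scanner emits.
PRIORITY = {
    "Trojan-Spy": 0, "Trojan-PSW": 0, "Backdoor": 0,
    "Trojan-Downloader": 1, "Trojan-Dropper": 1,
    "Trojan": 2, "Worm": 2, "Virus": 2,
    "not-a-virus": 9,
}
CONTAINERS = (".pst", ".zip", ".rar", ".cab")


def classify(threat: str) -> Dict[str, object]:
    """Split a Kaspersky detection name into behaviour class and family."""
    riskware = threat.startswith("not-a-virus:")
    body = threat.split(":", 1)[1] if riskware else threat
    parts = body.split(".")
    behaviour = "not-a-virus" if riskware else parts[0]
    return {
        "behaviour": behaviour,
        "family": parts[2] if len(parts) > 2 else "",
        "riskware": riskware,
        "priority": PRIORITY.get(behaviour, 5),
    }


def parse_report(text: str) -> List[Dict[str, object]]:
    """Return the detection lines of a report, most serious class first."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, settings and summary lines
        path = m["path"]
        info = classify(m["threat"])
        # A "/" inside the path, or a mailbox/archive extension, means the
        # detection is an object *inside* a container file, not the file itself.
        info.update({
            "path": path,
            "verdict": m["verdict"],
            "count": int(m["count"]),
            "inside_container": "/" in path or path.lower().endswith(CONTAINERS),
        })
        findings.append(info)
    findings.sort(key=lambda f: f["priority"])  # stable sort keeps report order within a class
    return findings


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        tag = "riskware" if f["riskware"] else f["behaviour"]
        where = " (inside container)" if f["inside_container"] else ""
        print(f"[{f['priority']}] {tag:<18} {f['family']:<8} {f['path']}{where}")
```

The two points the script makes explicit are the ones a helper checks by eye: a "not-a-virus:" hit on a removal tool is a tool being a tool, while a Trojan-Spy hit in a .pst is a credential stealer sitting inside the mailbox (an attachment), which is why the file as a whole turns up in the report.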

#7
sad.lil.chicken

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey BHowett!!!

Okay, so....

1) Disable Teatimer
The resident wasn't in the taskbar (for the first section)
And when I went to Advanced Mode -> Tools -> Resident, both the boxes were unticked (second section)
TeaTimer_Disabled.JPG
So I'm pretty sure it's been disabled
===============================================

2) Fix with HijackThis
I put ticks next to the following 2:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Usecndwbfms - Unknown owner - (no file)
and clicked Fix Checked.... however, when I did a fresh scan O23 - Service: Usecndwbfms - Unknown owner - (no file) was back! :)
Tried re-selecting it, and fixing it again, no luck ;)
Tried it a third time... it's still there, even after a reboot and to the final scan, noticed it still won't die >_<
===============================================
3) Combofix Script.txt

Copied the code you wrote me into a notepad doc, saved as instructed and dragged onto the ComboFix desktop icon, which did the following:
auto_scan.JPG

===============================================
4) Update Java

When I went to download and update Java from the site, it came up with a weird message - I can access the internet, but when I clicked the d/load button it had the following error:
unable_to_dload.JPG

I got around this by downloading the offline install file on my clean PC, and took it across on a flash drive.
Also uninstalled all older versions of JRE...
Java_updated___no_limewire.JPG
which brings me to the next point

===============================================
5) P2P Warning - Remove Limewire

Okay, I used to have Limewire a fair while ago, haven't actually used it in months and pretty sure I uninstalled it ages ago.
When I went to Add/Remove Programs it wasn't there (as noted in the above screenshot)
So I'm guessing I'm fairly safe, not sure why it's showing up when it's been uninstalled though o.O
===============================================

6) ATF Cleaner
Have downloaded and run ATF Cleaner, both with All selected under Main and also cleaned the Firefox side of things :)
===============================================
7) Kaspersky WebScanner
OMG took its time to complete :) ...but I ran it across My Computer. Results as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 31, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 06:10:59
Records in database: 1171719

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 56766
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:55:06


File name / Threat name / Threats count
C:\Documents and Settings\Administrator.HOMEPC\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Christine Baird\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Zbot.edp 1

The selected area was scanned.
===============================================

8) Fresh ComboFix Log

ComboFix 08-08-30.03 - Christine Baird 2008-08-31 19:29:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.163 [GMT 10:00]
Running from: C:\Documents and Settings\Christine Baird\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-31 15:46 . 2008-08-31 15:47 <DIR> d-------- C:\Documents and Settings\Christine Baird\.nbi
2008-08-31 11:28 . 2008-08-31 11:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-30 18:03 . 2008-08-30 18:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-08-30 18:03 . 2008-08-30 18:03 <DIR> d---s---- C:\Documents and Settings\Default User
2008-08-30 15:26 . 2008-08-30 15:26 61,224 --a------ C:\Documents and Settings\Christine Baird\GoToAssistDownloadHelper.exe
2008-08-26 19:14 . 2008-08-26 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 21:25 . 2008-08-24 21:25 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEPC\Application Data\Lavasoft
2008-08-24 21:22 . 2008-08-24 21:22 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEPC
2008-08-17 22:24 . 2008-04-13 22:06 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-08-17 22:24 . 2008-04-14 00:10 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-02 18:47 . 2008-08-02 18:47 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-19 20:52 . 2008-07-19 20:52 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-19 20:50 . 2008-06-02 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-07-19 20:45 . 2008-07-19 20:48 <DIR> d-------- C:\Program Files\ATI Technologies
2008-07-17 19:11 . 2008-07-17 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Funcom
2008-07-10 18:23 . 2008-07-10 18:23 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 09:20 --------- d-----w C:\Program Files\Java
2008-08-31 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-30 08:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-30 08:09 --------- d-----w C:\Program Files\McAfee
2008-08-30 05:19 --------- d-----w C:\Documents and Settings\Christine Baird\Application Data\McAfee
2008-08-30 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-18 08:11 --------- d-----w C:\Program Files\MSN Messenger
2008-08-17 12:01 --------- d-----w C:\Documents and Settings\Christine Baird\Application Data\U3
2008-07-19 10:38 --------- d-----w C:\Program Files\LimeWire
2008-07-19 10:37 --------- d-----w C:\Program Files\DivX
2008-07-19 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 10:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 03:46 10,276,864 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-06-03 03:22 413,696 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-06-03 03:21 306,688 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-06-03 03:11 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-06-03 03:11 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-06-03 03:11 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-06-03 03:11 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-06-03 03:09 552,960 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-06-03 03:08 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-06-03 03:04 245,760 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-06-03 03:02 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-06-03 02:59 3,500,352 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-06-03 02:48 2,120,832 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-06-03 02:33 48,128 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-06-03 02:29 348,160 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-06-03 02:28 23,040 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-06-03 02:28 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-06-03 02:22 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-06-03 02:21 557,056 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-02-21 09:14 6,656 --sha-w C:\Program Files\Thumbs.db
2007-12-27 12:56 4,346,084 -c--a-w C:\Documents and Settings\Christine Baird\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-05-30 07:04 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2005-03-28 00:51 177,870 -c--a-w C:\Program Files\203-10039-01_r3.pdf
2004-12-16 23:53 635,176 -c--a-w C:\Program Files\wgr614v4_V5.0_07.img
.

((((((((((((((((((((((((((((( snapshot@2008-08-31_13.36.26.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-30 05:25:43 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-31 05:56:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-30 05:25:43 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-31 05:56:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-07-11 15:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-09 15:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 15:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-09 15:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 16:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-09 16:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-31 01:42 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33 582992]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 15:01 139264]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"ZboardTray"="C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" [2005-05-02 15:41 380928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
2003-09-03 07:14 49152 C:\WINDOWS\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 05:42 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--ah----- 2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S0 UsbSync;UsbSync;C:\WINDOWS\system32\drivers\UsbSync.sys []
S3 UsbButton;UsbButton;C:\WINDOWS\system32\drivers\UsbButton.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Christine Baird\Application Data\Mozilla\Firefox\Profiles\r63d623f.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 19:32:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-31 19:36:02
ComboFix-quarantined-files.txt 2008-08-31 09:35:43
ComboFix2.txt 2008-08-31 09:14:36
ComboFix3.txt 2008-08-31 03:37:18

Pre-Run: 25,089,470,464 bytes free
Post-Run: 25,071,616,000 bytes free

161
===============================================

9) Fresh HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:26:54, on 31/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)

--
End of file - 5665 bytes
===============================================

10) How things are going

a) Okay, since I did the first Start->Run->CMD-> shutdown -a it hasn't shut down once. :)
I've also got the services set to do nothing when the RPC terminates (was set to shutdown) - a dot nerd friend of mine told me to do this, but I'm not 100%, did you want me to put RPC to ShutDown if it's unexpectedly stopped??

b) As noted above in the JavaUpdate, I'm unable to download files on that PC

c) O23 - Service: Usecndwbfms - Unknown owner - (no file) won't die *shakes fist at it*

d) Also, sorry, I know I shouldn't have but was about to be murdered, needed to download mail on Outlook (person needing it was getting angry at me for how long they've been waiting to get their mail - I've now set them up with WebMail which they can use on another machine, should be okay)
But..... Outlook came up with the following error when it tried to send/receive:
unable_to_access_email.JPG
which I've never seen before >_< Running legit office with legit XP so I do have both the disks if a repair or something is needed.

e) Also, McAfee came up with the following message:
About this Virus
Detected: EICAR test file (Virus)
Quarantined From: C:\Documents and Settings\Christine Baird\Local Settings\Temp\Av-test.txt
A virus is a self-replicating program that can harm your computer, compromise its security, and damage valuable files.
.... Not sure what that's about, but thought I should tell you just because it miiight be useful.

To sum it all up, I can now keep the machine up and running - just can't access e-mails or legit downloads online (ie: Java from their site)

#8
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello again,

I have never seen that Outlook error, but your Kaspersky results are showing an infected Outlook file. Let's nuke that file and see if that fixes your Outlook problem.


OTMoveIt2 by OldTimer

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Documents and Settings\Christine Baird\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
    C:\Documents and Settings\Administrator.HOMEPC\Desktop\SmitfraudFix.exe
    C:\Documents and Settings\Christine Baird\Local Settings\Temp\Av-test.txt
    purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

===============================================

We need to Delete NT Service with Hijackthis
Open HiJackThis
Click on the tab "Open the Misc Tools Session"
Click on the Box that says "Delete an NT Service"
In the field type
Usecndwbfms
Click OK

===============================================

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
===============================================

Needed in your next reply:

OTMoveIt2 Log
Malwarebytes' Anti-Malware Log
Fresh HijackThis log
Also let me know how things are running :)
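As an added example, not part of BHowett's instructions and not code from HijackThis itself: a Python script that pulls the "O23 - Service:" lines out of a HijackThis log and flags the entries worth a second look, i.e. services whose binary is gone ("(no file)") or that carry no publisher ("Unknown owner"), which is exactly what makes the Usecndwbfms line stand out. The log text is a constructed sample, and the registry helper only spells out where Windows keeps the service definition (HKLM\SYSTEM\CurrentControlSet\Services\<name>, whose Start value of 4 means disabled, the state HijackThis asks for before it will delete a service).

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of HijackThis 2.0.2 "O23 - Service:" lines.
# The last service is the one discussed in this thread; the others are
# typical benign entries included for contrast. Not a real log.
SAMPLE_HJT = """\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# "O23 - Service: <display name>[ (<short name>)] - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_RE = re.compile(r"^(?P<display>.+?) \((?P<short>[^()]+)\)$")


def parse_o23(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per O23 line; every other HijackThis section is ignored."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, short = m["display"], None
        s = SHORT_RE.match(display)
        if s:  # "McAfee Services (mcmscsvc)" -> display + short service name
            display, short = s["display"], s["short"]
        services.append({"display": display, "short": short,
                         "owner": m["owner"], "path": m["path"]})
    return services


def triage(services: List[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Flag the entries a helper would look at first, with a reason for each."""
    findings = []
    for svc in services:
        reasons = []
        if svc["path"] == "(no file)":
            reasons.append("service key exists but its binary is missing (orphaned entry)")
        if svc["owner"] == "Unknown owner":
            reasons.append("no company name could be read from the binary")
        if reasons:
            findings.append({"name": svc["short"] or svc["display"],
                             "path": svc["path"], "reasons": reasons})
    return findings


def registry_key_for(service_name: str) -> str:
    """Where Windows stores the service definition an O23 line reflects.
    Its Start value (4 = disabled) is what HijackThis checks before it
    agrees to delete the service."""
    return r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + service_name


if __name__ == "__main__":
    for f in triage(parse_o23(SAMPLE_HJT)):
        print(f["name"], "->", "; ".join(f["reasons"]))
        print("   ", registry_key_for(f["name"]))
```

On the sample this lists "ATI Smart" (unknown owner only, a known driver helper) and "Usecndwbfms" (unknown owner and no file): a service entry with no binary behind it cannot be "running" in any real sense, so the refusal HijackThis gives is about the key's start type, which is why the instruction above is to disable it first.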

#9
sad.lil.chicken

    New Member

  • Topic Starter
  • Member
  • 8 posts
Howdy,
Sorry about the delay in response - [bleep] work *shakes fist* :)

Okay, followed your steps again:

1) OTMoveIt2 by OldTimer
Log as follows:
Explorer killed successfully
C:\Documents and Settings\Christine Baird\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst moved successfully.
C:\Documents and Settings\Administrator.HOMEPC\Desktop\SmitfraudFix.exe moved successfully.
File/Folder C:\Documents and Settings\Christine Baird\Local Settings\Temp\Av-test.txt not found.
< purity >
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\fb_1412.lck scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_qIkIwag4sBau1Zu scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_22G9KhO7LY9wYVj scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_Mhhlnzk2dr5DiaU scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_XtcT1hOBViVjmEK scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09012008_174346

Files moved on Reboot...
File C:\WINDOWS\temp\fb_1412.lck not found!
File C:\WINDOWS\temp\mcmsc_qIkIwag4sBau1Zu not found!
C:\WINDOWS\temp\sqlite_22G9KhO7LY9wYVj moved successfully.
C:\WINDOWS\temp\sqlite_Mhhlnzk2dr5DiaU moved successfully.
File C:\WINDOWS\temp\sqlite_XtcT1hOBViVjmEK not found!

===============================================
2) Delete NT Service with Hijackthis

Yeah, I followed the steps you said and will explain what happened:

Open HiJackThis - done okay
Click on the tab "Open the Misc Tools Session" - done okay
Click on the Box that says "Delete an NT Service" - done okay
In the field type "Usecndwbfms" - done okay
Click OK - done... error message from HJT:
"The service 'Usecndwbfms' is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window"

Tried disabling it from the scan, still won't die when I check it on HJT and press "fix selected"
As soon as the next scan ran it's back...
Service_cant_be_killed.JPG

Also tried going through start->run->services.msc and it looks as though it's not running or enabled, the only option it gives me is to start/enable the service:
services.jpg

===============================================
3) Malwarebytes' Anti-Malware
Updated and ran scan, log as follows:

Malwarebytes' Anti-Malware 1.25
Database version: 1102
Windows 5.1.2600 Service Pack 3

6:16:27 PM 1/09/2008
mbam-log-09-01-2008 (18-16-27).txt

Scan type: Quick Scan
Objects scanned: 44716
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Help\bnts.dll (Adware.Agent) -> Quarantined and deleted successfully.

===============================================
4) Fresh HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:37, on 1/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)

--
End of file - 5733 bytes

===============================================
5) How things are going

Overall it's going okay, still haven't seen the RPC ShutDown Message, so that's looking good....
but, as noted, the Usecndwbfms won't die still.
I still can't access online downloads... Annndd Outlook now has the following error:
outlook_error.JPG
It asked me to select from one of 2 files in the folder path it was pointing to, one was Archive the other was Backup - chose Backup but it was set to 2007
I'm pretty sure I made another backup of Outlook files a few months ago, so it shouldn't matter too much, but after it opened those files it still came up with the error message as noted in section 10 of the post I made yesterday (Posted Yesterday, 08:03 PM)
I might just have to un-install and re-install Office which is cool, just hoping this Usecndwbfms won't re-infect the Outlook files if that was what caused the problems?!?! >_<

#10 BHowett (OT Moderator, 4,649 posts)
Hi sad.lil.chicken.

Overall it's going okay, still haven't seen the RPC ShutDown Message, so that's looking good....
but, as noted, the Usecndwbfms won't die still.
I still can't access online downloads... Annndd Outlook now has the following error


Don’t worry, we still have a few tricks up our sleeve to get rid of the service :)

Delete bad services

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop Usecndwbfms
sc delete Usecndwbfms
exit



Double click FixServices.bat. A window will open and close. This is normal.

===============================================


Also it looks like you're going to have to reinstall Outlook, but check it first after you delete that service. Please post a fresh HijackThis log and give me a little more information about “I still can't access online downloads”, like where and what are you trying to download, are you using Internet Explorer, Firefox, any other add-ons, is this a work computer, etc…
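The O23 line that FixServices.bat targets is the kind a log reader should catch on its own: a registered service whose binary is gone and whose file carries no publisher. As an added example (Python written for this page, not code from the thread, HijackThis or McAfee), here is a small parser for HijackThis O23 lines that flags such entries and diffs two logs; the two logs are constructed, abbreviated copies of the thread's own O23 sections before and after the batch file was run.

```python
"""Triage the O23 (service) lines of a HijackThis log and diff two logs.

Added example for this thread; not code from HijackThis or from the forum.
BEFORE_LOG / AFTER_LOG are constructed, abbreviated copies of the O23
sections posted before and after the FixServices.bat step.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis O23 line layout:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <path | (no file)>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

BEFORE_LOG = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Usecndwbfms - Unknown owner - (no file)
"""

AFTER_LOG = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


@dataclass(frozen=True)
class Service:
    display: str
    name: str      # service short name; HijackThis omits it for some entries
    owner: str
    path: str

    def findings(self) -> list[str]:
        """Reasons a human should look at this entry; empty means nothing stands out."""
        out = []
        if self.path == "(no file)":
            # A registered service whose binary is gone: an orphan left behind by
            # removed malware or by a broken uninstall. The log line alone cannot
            # say which, so this is a lead to check, not a verdict.
            out.append("binary missing on disk")
        if self.owner == "Unknown owner":
            # No company name in the file's version resource. Legitimate vendors
            # ship such binaries too (Adobe LM Service above), so on its own this
            # only raises priority.
            out.append("no publisher in version info")
        return out


def parse_services(log_text: str) -> dict[str, Service]:
    """Return the O23 entries keyed by short name (display name when absent)."""
    services: dict[str, Service] = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (R1, O2, O4 ...) are ignored here
        name = m.group("name") or m.group("display")
        services[name] = Service(m.group("display"), name, m.group("owner"), m.group("path"))
    return services


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each service name to its findings, dropping entries with none."""
    return {n: s.findings() for n, s in parse_services(log_text).items() if s.findings()}


def removed_services(before_text: str, after_text: str) -> set[str]:
    """Service names present in the earlier log but absent from the later one."""
    return set(parse_services(before_text)) - set(parse_services(after_text))


if __name__ == "__main__":
    for svc, why in triage(BEFORE_LOG).items():
        print(f"{svc}: {', '.join(why)}")
    print("removed by the fix:", removed_services(BEFORE_LOG, AFTER_LOG))
```

Run against the two logs it reports Usecndwbfms with both findings and shows it as the only service that disappeared between them, which is the check the follow-up HijackThis log in this thread confirms by eye.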



#11 sad.lil.chicken (Topic Starter, New Member, 8 posts)
Sorry again, work and all :) Guess that's life /shrugs


Okay, so the bat file seemed to work really well! :)

Not sure if it was the service that was killed with the bat, but I can now access online downloads okay :woot:. Firefox wouldn't open (when I double clicked, or right clicked and chose Open); it would come up with the hourglass for a second then do nothing. But I just uninstalled and re-installed Firefox and now that's running okay too. :)
Tested a few sites (from the good old simple Google to msn.com which has pics/flash player ads/etc) and all seems okay online, also managed to do a download (of Firefox) and also installed the latest Flash Player (via its online download)
So yay, internet seems otay again :)

Also managed to get the outlook.pst file back (which means I haven't lost a year's worth of e-mails) and I'll have to do the uninstall/reinstall of Outlook tomorrow after work to check that the "The application or DLL C:\WINDOWS\system32\MSOERT2.dll is not a valid Windows image. Please check this against your installation diskette" message goes away. That's the only thing that's wrong atm, but fingers crossed a re-install will fix it.

I'll let you know how it goes as soon as I've done that (tomorrow after work) :)


Anywho, here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:24, on 2/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\program files\mcafee\msk\msksrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft....k/?LinkId=82580
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - c:\program files\mcafee\msk\msksrver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5592 bytes

And super quickly before I shoot, I just wanted to say thanks for all the help so far! I appreciate it so so so so so so so so much!!! ;)

#12 BHowett (OT Moderator, 4,649 posts)
Hi sad.lil.chicken,

I’m glad to hear things are running better :) and your log is now clean! We will do a little clean up next, and I will wait to give you my all clean speech until I hear back about how Outlook is working :)

ComboFix Removal

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
===============================================

OTCleanIt



Download OTCleanit
Save it to your Desktop.

  • Double-click on OTCleanIt.exe to run
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You may be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

===============================================

And super quickly before I shoot, I just wanted to say thanks for all the help so far! I appreciate it so so so so so so so so much!!!

No problem, that’s what we're here for, just let me know how Outlook turns out :)

#13 sad.lil.chicken (Topic Starter, New Member, 8 posts)
Howdy!

So glad my PC's clean again :) and ran both the ComboFix removal and OTCleanIt as instructed.

Outlook is looking a little bit sick still ;) ... *pats her PC* ...
Anyways, I tried:
~ Just removing Outlook, rebooting then re-adding it from the Office suite CD (because Word, Excel, etc were fine) but it didn't help
~ Then tried using the Office CD to scan its install and perform any repairs (took 10 mins adding files and stuff) but still didn't help
~ In the end I completely removed all of Microsoft Office from Add/Remove Programs, rebooted, and re-installed...
but it still has the following message:
unable_to_access_email.JPG
I've also searched the contents of the disk but can't find what they're referring to >_<

So, I have no idea why, but wanted to do a check disk, went to Start -> Run -> cmd -> chkdsk.... didn't work.... then tried Start -> My Computer -> Right Click C:\ -> Properties -> Tools -> Check Now... still didn't work /headdesk
When I say "didn't work" ( *laughs* bet you were hoping I'd give a little more info on that :) ) it comes up with the following:
trying_to_check_disk.JPG

I think whatever happened (which is now gone) might have done some damage
Was going to repair install Windows with my CD I have here, but thought I should just double check that I should, or if there's something else I could try :)

#14 BHowett (OT Moderator, 4,649 posts)
Hello again,

Just to be sure, let me take a look at one more thing before I send you to the email techs :)

OTViewIt

Download OTViewIt to your desktop.
  • Close all windows and double click OTViewIt
  • Place a tick in the Scan all Users box
  • In the File Age drop down box select 60 days
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop, post the OTViewIt.txt and Extras.txt logs in your next post.


#15 sad.lil.chicken (Topic Starter, New Member, 8 posts)
Okay, cool - have the 2 :)

OTView It Log:
OTViewIt logfile created on: 4/09/2008 6:54:58 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.8 Folder = C:\Documents and Settings\Christine Baird\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

511.49 Mb Total Physical Memory | 177.37 Mb Available Physical Memory | 34.68% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.69% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.47 Gb Free Space | 63.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOMEPC
Current User Name: Christine Baird
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

===== Processes - Non-Microsoft Only =====

[05/02/2005 03:41 PM | 00,380,928 | ---- | M] () - C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
[10/27/2005 03:01 PM | 00,139,264 | ---- | M] (Alcor Micro, Corp.) - C:\Program Files\Multimedia Card Reader\shwicon2k.exe
[05/02/2005 03:41 PM | 00,217,088 | ---- | M] (Ideazon) - C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
[01/16/2007 01:59 PM | 00,071,208 | ---- | M] (McAfee) - C:\Program Files\McAfee\MBK\MBackMonitor.exe

===== Win32 Services - Non-Microsoft Only =====

(Adobe LM Service) Adobe LM Service [On_Demand | Stopped]
[09/21/2007 08:31 PM | 00,068,096 | ---- | M] () - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

(ATI Smart) ATI Smart [Auto | Stopped]
[06/02/2008 09:05 PM | 00,593,920 | ---- | M] () - C:\WINDOWS\system32\ati2sgag.exe

(MBackMonitor) MBackMonitor [Auto | Running]
[01/16/2007 01:59 PM | 00,071,208 | ---- | M] (McAfee) - C:\Program Files\McAfee\MBK\MBackMonitor.exe

(NMIndexingService) NMIndexingService [Disabled | Stopped]
File not found - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

===== Driver Services - Non-Microsoft Only =====

(dmboot) dmboot [Disabled | Stopped]
[04/14/2008 12:14 AM | 00,799,744 | ---- | M] () - C:\WINDOWS\system32\drivers\dmboot.sys

(OmniDrv) Ideazon Keyboard Driver [On_Demand | Stopped]
[09/22/2005 04:22 PM | 00,030,976 | ---- | M] (Ideazon) - C:\WINDOWS\system32\drivers\OmniDrv.sys

(OmniUsb) Ideazon USB Zboard Driver [On_Demand | Running]
[09/22/2005 04:22 PM | 00,028,800 | ---- | M] (Ideazon) - C:\WINDOWS\system32\drivers\OmniUsb.sys

(OmniUsbl) Ideazon USBl Zboard Driver [On_Demand | Running]
[09/22/2005 04:22 PM | 00,009,696 | ---- | M] (Ideazon) - C:\WINDOWS\system32\drivers\OmniUsbl.sys

(ovt519) EyeToy [On_Demand | Stopped]
[10/15/2003 05:52 PM | 00,174,530 | ---- | M] (OmniVision Technologies, Inc.) - C:\WINDOWS\system32\drivers\ov519vid.sys

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [On_Demand | Running]
[08/03/2004 10:31 PM | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\system32\drivers\RTL8139.sys

(SunkFilt) Alcor Micro Corp Reader [On_Demand | Stopped]
[10/27/2005 03:01 PM | 00,038,468 | ---- | M] (Alcor Micro Corp.) - C:\WINDOWS\system32\drivers\Sunkfilt.sys

(U81xbus) LGE U8XXX driver (WDM) [On_Demand | Stopped]
[07/15/2005 02:52 PM | 00,052,352 | ---- | M] (MCCI) - C:\WINDOWS\system32\drivers\U81xbus.sys

(U81xmdfl) LGE U8XXX USB WMC Modem Filter [On_Demand | Stopped]
[07/15/2005 02:52 PM | 00,006,064 | ---- | M] (MCCI) - C:\WINDOWS\system32\drivers\U81xmdfl.sys

(U81xmdm) LGE U8XXX USB WMC Modem Driver [On_Demand | Stopped]
[07/15/2005 02:52 PM | 00,084,480 | ---- | M] (MCCI) - C:\WINDOWS\system32\drivers\U81xmdm.sys

(U81xmgmt) LGE U8XXX USB WMC Device Management Drivers (WDM) [On_Demand | Stopped]
[07/15/2005 02:52 PM | 00,077,472 | ---- | M] (MCCI) - C:\WINDOWS\system32\drivers\U81xmgmt.sys

(U81xobex) LGE U8XXX USB WMC OBEX Interface [On_Demand | Stopped]
[07/15/2005 02:52 PM | 00,075,456 | ---- | M] (MCCI) - C:\WINDOWS\system32\drivers\U81xobex.sys

(UsbButton) UsbButton [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\drivers\UsbButton.sys

(UsbSync) UsbSync [Boot | Stopped]
File not found - C:\WINDOWS\system32\drivers\UsbSync.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBkLogOnHook" = C:\Program Files\McAfee\MBK\LogOnHook.exe [01/08/2007 11:22 AM | 00,020,480 | ---- | M] (McAfee)
"mcagent_exe" = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey [08/04/2007 02:33 AM | 00,582,992 | ---- | M] (McAfee, Inc.)
"NeroFilterCheck" = C:\WINDOWS\system32\NeroCheck.exe [07/09/2001 11:50 AM | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"SiteAdvisor" = C:\Program Files\SiteAdvisor\6066\SiteAdv.exe [03/31/2007 01:42 AM | 00,036,904 | ---- | M] (McAfee, Inc.)
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"Sunkist2k" = C:\Program Files\Multimedia Card Reader\shwicon2k.exe [10/27/2005 03:01 PM | 00,139,264 | ---- | M] (Alcor Micro, Corp.)
"UserFaultCheck" = %systemroot%\system32\dumprep 0 -u File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-776561741-329068152-839522115-1005\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[Administrator Startup Folder - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]

[Administrator.HOMEPC Startup Folder - C:\Documents and Settings\Administrator.HOMEPC\Start Menu\Programs\Startup]

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[Christine Baird Startup Folder - C:\Documents and Settings\Christine Baird\Start Menu\Programs\Startup]

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10/22/2006 10:08 PM | 00,062,080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
HKLM CLSID: (McAfee Phishing Filter) - [11/26/2007 09:46 AM | 00,324,936 | ---- | M] () c:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [06/10/2008 04:27 AM | 00,509,328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
HKLM CLSID: (scriptproxy) - [11/09/2007 11:09 AM | 00,058,688 | ---- | M] (McAfee, Inc.) C:\Program Files\McAfee\VirusScan\scriptsn.dll

========== Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}"
HKLM CLSID: (McAfee SiteAdvisor) - [03/31/2007 01:41 AM | 01,099,304 | ---- | M] (McAfee, Inc.) C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
= Explorer.exe
>Explorer.exe - [04/14/2008 05:42 AM | 01,033,728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
= C:\WINDOWS\system32\userinit.exe,
>C:\WINDOWS\system32\userinit.exe - [04/14/2008 05:42 AM | 00,026,112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
= logonui.exe
>logonui.exe - [04/14/2008 05:42 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
= rundll32 shell32,Control_RunDLL "sysdm.cpl"
>rundll32 shell32 - [04/14/2008 05:42 AM | 08,461,312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
>Control_RunDLL "sysdm.cpl" - [04/14/2008 05:42 AM | 00,300,544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DllName" = C:\WINDOWS\system32\ati2evxx.dll [06/03/2008 01:11 PM | 00,139,264 | ---- | M] (ATI Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Zboard]
"DllName" = C:\WINDOWS\system32\Winlognotif.dll [09/03/2003 07:14 AM | 00,049,152 | ---- | M] ()

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun" = 67108863
"NoDriveTypeAutoRun" = 255
"NoDrives" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"ZboardTray" = C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe [05/02/2005 03:41 PM | 00,380,928 | ---- | M] ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"DisableRegistryTools" = 0
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoDrives" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0
"disableregistrytools" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-21-776561741-329068152-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoDrives" = 0

[HKEY_USERS\S-1-5-21-776561741-329068152-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_USERS\S-1-5-21-776561741-329068152-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0
"disableregistrytools" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"Ati HotKey Poller" = 2
"ATI Smart" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path" = C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk File not found
"backup" = C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk File not found
"location" = Common Startup
"command" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [02/19/2006 04:21 AM | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"item" = HP Digital Imaging Monitor

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = C:\WINDOWS\system32\ctfmon.exe [04/14/2008 05:42 AM | 00,015,360 | ---- | M] (Microsoft Corporation)
"hkey" = HKCU
"command" = C:\WINDOWS\system32\ctfmon.exe [04/14/2008 05:42 AM | 00,015,360 | ---- | M] (Microsoft Corporation)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = HPWuSchd2
"hkey" = HKLM
"command" = C:\Program Files\HP\HP Software Update\hpwuSchd2.exe [02/19/2006 02:41 AM | 00,049,152 | ---- | M] (Hewlett-Packard Development Company, L.P.)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMan]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = C:\WINDOWS\soundman.exe [11/17/2006 05:42 AM | 00,577,536 | -H-- | M] (Realtek Semiconductor Corp.)
"hkey" = HKLM
"command" = C:\WINDOWS\soundman.exe [11/17/2006 05:42 AM | 00,577,536 | -H-- | M] (Realtek Semiconductor Corp.)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key" = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"item" = TeaTimer
"hkey" = HKCU
"command" = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [08/18/2008 06:41 PM | 01,832,272 | RHS- | M] (Safer Networking Limited)
"inimapping" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini" = 0
"win.ini" = 0
"bootini" = 0
"services" = 2
"startup" = 2

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[05/09/2007 10:58 PM | 00,000,000 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d4db2bf-4363-11dd-a203-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1fe01961-9f31-11dc-a0e7-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c85bff7-31e7-11dc-b535-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{51d38d9a-227a-11dd-a1b7-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6582427d-0297-11dc-b4e9-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65eda990-57a8-11dc-b56a-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a2716064-8d02-11dc-9af7-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a9c2076f-5c15-11dc-b56f-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac0477a9-14ba-11dc-b507-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d711365c-4483-11dc-b551-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dcc7c08f-c57b-11dc-a112-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e04deeb0-cd4a-11dc-a119-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb65aa92-b274-11dc-a100-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb65aa93-b274-11dc-a100-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb65aa94-b274-11dc-a100-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb65aa95-b274-11dc-a100-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb65aa96-b274-11dc-a100-000d6177a8fc}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K\Shell]
"" = AutoRun

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{26D0C2BA-A2C5-464B-8147-6C4D56DE7CCB}]
Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{7E8414E9-33AC-4F66-BE5C-10384C6AE909}]
Servers: | Description:

========== Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost



========== Files/Folders - Created Within 60 days ==========

[08/31/2008 01:23 PM | RHSD | C] - C:\cmdcons
[08/31/2008 01:24 PM | 00,000,211 | RHS- | C] () - C:\BOOT.BAK
[08/31/2008 01:24 PM | 00,260,272 | RHS- | C] () - C:\cmldr
[09/03/2008 08:10 PM | RH-D | C] - C:\MSOCache
[5 C:\WINDOWS\System32\*.tmp files]
[07/17/2008 09:58 PM | 00,017,928 | ---- | C] () - C:\WINDOWS\System32\X3DAudio1_2.dll
[07/17/2008 09:58 PM | 00,443,752 | ---- | C] () - C:\WINDOWS\System32\d3dx10_34.dll
[07/19/2008 08:50 PM | 00,593,920 | ---- | C] () - C:\WINDOWS\System32\ati2sgag.exe
[08/17/2008 10:31 PM | 00,006,144 | ---- | C] () - C:\WINDOWS\System32\kbdnepr.dll
[08/17/2008 10:31 PM | 00,006,144 | ---- | C] () - C:\WINDOWS\System32\kbdpash.dll
[08/17/2008 10:31 PM | 00,650,752 | ---- | C] () - C:\WINDOWS\System32\dot3ui.dll
[08/17/2008 10:31 PM | ---D | C] - C:\WINDOWS\System32\bits
[08/17/2008 10:31 PM | ---D | C] - C:\WINDOWS\System32\en
[08/17/2008 10:31 PM | ---D | C] - C:\WINDOWS\System32\scripting
[08/31/2008 11:28 AM | ---D | C] - C:\WINDOWS\System32\NtmsData
[8 C:\WINDOWS\*.tmp files]
[07/19/2008 08:52 PM | 00,000,000 | ---- | C] () - C:\WINDOWS\ativpsrm.bin
[08/17/2008 10:15 PM | -H-D | C] - C:\WINDOWS\$NtServicePackUninstall$
[08/17/2008 10:24 PM | ---D | C] - C:\WINDOWS\network diagnostic
[08/17/2008 10:31 PM | ---D | C] - C:\WINDOWS\l2schemas
[08/17/2008 10:39 PM | ---D | C] - C:\WINDOWS\Prefetch
[08/31/2008 01:23 PM | ---D | C] - C:\WINDOWS\setup.pss
[08/31/2008 01:23 PM | ---D | C] - C:\WINDOWS\setupupd
[07/17/2008 07:11 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Funcom
[09/01/2008 05:57 PM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[09/01/2008 05:57 PM | ---D | C] - C:\Documents and Settings\Christine Baird\Application Data\Malwarebytes
[07/18/2008 08:24 PM | ---D | C] - C:\Documents and Settings\Christine Baird\Local Settings\Application Data\Funcom
[08/02/2008 06:47 PM | ---D | C] - C:\Documents and Settings\Christine Baird\Local Settings\Application Data\TouchStoneSoftware
[07/26/2008 06:50 PM | 00,132,344 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\Scan.jpg
[08/01/2008 11:50 PM | 00,031,232 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\H4ck50R NMAP.doc
[08/02/2008 02:43 PM | 00,303,823 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\Card writing.pdf
[08/04/2008 10:46 PM | 00,024,064 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\Northcote.doc
[08/06/2008 11:32 PM | 00,033,792 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\Hotel Booking 08082008 Confirmation.doc
[08/20/2008 09:46 PM | 00,203,074 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008247.jpg
[08/20/2008 09:46 PM | 00,220,280 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008249.jpg
[08/20/2008 09:46 PM | 00,301,014 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008255.jpg
[08/20/2008 09:46 PM | 00,308,640 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008250.jpg
[08/20/2008 09:46 PM | 00,316,945 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008240.jpg
[08/20/2008 09:46 PM | 00,318,344 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\02082008224.jpg
[08/20/2008 09:46 PM | 00,325,018 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\02082008220.jpg
[08/20/2008 09:46 PM | 00,326,107 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\02082008221.jpg
[08/20/2008 09:46 PM | 00,335,588 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008248.jpg
[08/20/2008 09:46 PM | 00,342,841 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\02082008223.jpg
[08/20/2008 09:46 PM | 00,347,492 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008246.jpg
[08/20/2008 09:46 PM | 00,354,417 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008235.jpg
[08/20/2008 09:46 PM | 00,361,182 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008254.jpg
[08/20/2008 09:46 PM | 00,373,075 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008239.jpg
[08/20/2008 09:46 PM | 00,385,492 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008236.jpg
[08/20/2008 09:46 PM | 00,386,017 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008234.jpg
[08/20/2008 09:46 PM | 00,392,951 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\02082008222.jpg
[08/20/2008 09:46 PM | 00,399,764 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008252.jpg
[08/20/2008 09:46 PM | 00,399,828 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008241.jpg
[08/20/2008 09:46 PM | 00,409,163 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008231.jpg
[08/20/2008 09:46 PM | 00,422,226 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008238.jpg
[08/20/2008 09:46 PM | 00,424,857 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008237.jpg
[08/20/2008 09:46 PM | 00,432,668 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008251.jpg
[08/20/2008 09:46 PM | 00,439,465 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008253.jpg
[08/20/2008 09:46 PM | 00,442,779 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008242.jpg
[08/20/2008 09:46 PM | 00,449,027 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008232.jpg
[08/20/2008 09:46 PM | 00,469,283 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008230.jpg
[08/20/2008 09:46 PM | 00,477,036 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008229.jpg
[08/20/2008 09:46 PM | 00,479,984 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008245.jpg
[08/20/2008 09:46 PM | 00,487,303 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008227.jpg
[08/20/2008 09:46 PM | 00,504,602 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008228.jpg
[08/20/2008 09:46 PM | 00,505,626 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008243.jpg
[08/20/2008 09:46 PM | 00,505,700 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008244.jpg
[08/20/2008 09:46 PM | 00,512,115 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\20082008233.jpg
[08/20/2008 09:46 PM | 00,512,610 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\05082008225.jpg
[08/20/2008 09:46 PM | -H-D | C] - C:\Documents and Settings\Christine Baird\My Documents\_PAlbTN
[09/03/2008 07:48 PM | 15,645,1840 | ---- | C] () - C:\Documents and Settings\Christine Baird\My Documents\Outlookdotdoc.pst
[09/01/2008 05:57 PM | 00,000,696 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[09/02/2008 08:40 PM | 00,001,602 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[08/26/2008 07:14 PM | 00,001,734 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\HijackThis.lnk
[08/30/2008 06:32 PM | 00,000,933 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\Spybot - Search & Destroy.lnk
[09/02/2008 08:06 PM | 00,000,062 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\FixServices.bat
[09/03/2008 08:21 PM | 00,002,507 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\Microsoft Office Excel 2003.lnk
[09/03/2008 08:21 PM | 00,002,509 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\Microsoft Office Word 2003.lnk
[09/03/2008 08:21 PM | 00,002,521 | ---- | C] () - C:\Documents and Settings\Christine Baird\Desktop\Email.lnk
[07/10/2008 06:23 PM | ---D | C] - C:\Program Files\Common Files\Adobe AIR
[09/03/2008 08:13 PM | ---D | C] - C:\Program Files\Common Files\DESIGNER
[07/19/2008 08:45 PM | ---D | C] - C:\Program Files\ATI Technologies
[08/17/2008 10:31 PM | ---D | C] - C:\Program Files\msn
[08/26/2008 06:22 PM | ---D | C] - C:\Program Files\HijackThis
[08/26/2008 07:14 PM | ---D | C] - C:\Program Files\Trend Micro
[09/01/2008 05:57 PM | ---D | C] - C:\Program Files\Malwarebytes' Anti-Malware
[09/03/2008 08:12 PM | ---D | C] - C:\Program Files\Microsoft.NET
[09/03/2008 08:13 PM | ---D | C] - C:\Program Files\Microsoft ActiveSync

========== Files - Modified Within 60 days ==========

[08/17/2008 10:23 PM | 00,250,048 | RHS- | M] () - C:\ntldr
[08/31/2008 01:24 PM | 00,000,282 | RHS- | M] () - C:\boot.ini
[5 C:\WINDOWS\System32\*.tmp files]
[09/02/2008 08:04 PM | 00,013,646 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[09/03/2008 08:21 PM | 00,075,416 | ---- | M] () - C:\WINDOWS\System32\perfc009.dat
[09/03/2008 08:21 PM | 00,458,266 | ---- | M] () - C:\WINDOWS\System32\perfh009.dat
[09/03/2008 08:21 PM | 00,540,592 | ---- | M] () - C:\WINDOWS\System32\PerfStringBackup.INI
[09/03/2008 08:41 PM | 00,155,568 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[09/03/2008 08:57 PM | 00,015,468 | ---- | M] () - C:\WINDOWS\System32\Config.MPF
[8 C:\WINDOWS\*.tmp files]
[07/19/2008 08:36 PM | 00,000,285 | ---- | M] () - C:\WINDOWS\wininit.ini
[07/19/2008 08:52 PM | 00,000,000 | ---- | M] () - C:\WINDOWS\ativpsrm.bin
[08/31/2008 07:32 PM | 00,000,274 | ---- | M] () - C:\WINDOWS\system.ini
[09/03/2008 08:14 PM | 00,000,793 | -H-- | M] () - C:\WINDOWS\win.ini
[09/03/2008 08:15 PM | 00,000,376 | -H-- | M] () - C:\WINDOWS\ODBC.INI
[09/04/2008 06:52 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/12/2008 10:00 PM | 00,000,320 | ---- | M] () - C:\WINDOWS\tasks\Ad-Aware SE Personal.job
[08/19/2008 08:00 PM | 00,000,284 | ---- | M] () - C:\WINDOWS\tasks\CCleaner.job
[08/20/2008 09:00 PM | 00,000,284 | ---- | M] () - C:\WINDOWS\tasks\Spybot - Search & Destroy.job
[09/04/2008 06:53 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[08/20/2008 10:15 PM | 04,814,224 | -H-- | M] () - C:\Documents and Settings\Christine Baird\Local Settings\Application Data\IconCache.db
[09/03/2008 08:19 PM | 00,038,264 | ---- | M] () - C:\Documents and Settings\Christine Baird\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[07/26/2008 06:51 PM | 00,132,344 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Scan.jpg
[08/01/2008 11:50 PM | 00,031,232 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\H4ck50R NMAP.doc
[08/02/2008 02:43 PM | 00,303,823 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Card writing.pdf
[08/02/2008 03:57 AM | 00,325,018 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\02082008220.jpg
[08/02/2008 03:57 AM | 00,326,107 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\02082008221.jpg
[08/02/2008 03:58 AM | 00,318,344 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\02082008224.jpg
[08/02/2008 03:58 AM | 00,342,841 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\02082008223.jpg
[08/02/2008 03:58 AM | 00,392,951 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\02082008222.jpg
[08/04/2008 10:46 PM | 00,024,064 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Northcote.doc
[08/05/2008 08:34 AM | 00,512,610 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\05082008225.jpg
[08/06/2008 11:32 PM | 00,033,792 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Hotel Booking 08082008 Confirmation.doc
[08/20/2008 08:02 PM | 00,000,605 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\My Sharing Folders.lnk
[08/20/2008 09:54 AM | 00,487,303 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008227.jpg
[08/20/2008 09:54 AM | 00,504,602 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008228.jpg
[08/20/2008 09:55 AM | 00,409,163 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008231.jpg
[08/20/2008 09:55 AM | 00,449,027 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008232.jpg
[08/20/2008 09:55 AM | 00,469,283 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008230.jpg
[08/20/2008 09:55 AM | 00,477,036 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008229.jpg
[08/20/2008 09:55 AM | 00,512,115 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008233.jpg
[08/20/2008 09:56 AM | 00,354,417 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008235.jpg
[08/20/2008 09:56 AM | 00,385,492 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008236.jpg
[08/20/2008 09:56 AM | 00,386,017 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008234.jpg
[08/20/2008 09:56 AM | 00,422,226 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008238.jpg
[08/20/2008 09:56 AM | 00,424,857 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008237.jpg
[08/20/2008 09:57 AM | 00,316,945 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008240.jpg
[08/20/2008 09:57 AM | 00,373,075 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008239.jpg
[08/20/2008 09:57 AM | 00,399,828 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008241.jpg
[08/20/2008 09:57 AM | 00,442,779 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008242.jpg
[08/20/2008 09:57 AM | 00,505,626 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008243.jpg
[08/20/2008 09:58 AM | 00,505,700 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008244.jpg
[08/20/2008 09:59 AM | 00,347,492 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008246.jpg
[08/20/2008 09:59 AM | 00,479,984 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008245.jpg
[08/20/2008 10:00 AM | 00,203,074 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008247.jpg
[08/20/2008 10:00 AM | 00,335,588 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008248.jpg
[08/20/2008 10:01 AM | 00,220,280 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008249.jpg
[08/20/2008 10:01 AM | 00,308,640 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008250.jpg
[08/20/2008 10:02 AM | 00,399,764 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008252.jpg
[08/20/2008 10:02 AM | 00,432,668 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008251.jpg
[08/20/2008 10:03 AM | 00,301,014 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008255.jpg
[08/20/2008 10:03 AM | 00,361,182 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008254.jpg
[08/20/2008 10:03 AM | 00,439,465 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\20082008253.jpg
[08/30/2008 07:20 PM | 00,864,256 | -HS- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Thumbs.db
@Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
[09/02/2008 08:36 PM | 15,645,1840 | ---- | M] () - C:\Documents and Settings\Christine Baird\My Documents\Outlookdotdoc.pst
[09/01/2008 05:57 PM | 00,000,696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[09/02/2008 08:40 PM | 00,001,602 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[08/09/2008 01:56 PM | 00,011,776 | -HS- | M] () - C:\Documents and Settings\Christine Baird\Desktop\Thumbs.db
@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
[08/26/2008 07:14 PM | 00,001,734 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\HijackThis.lnk
[08/30/2008 06:32 PM | 00,000,933 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\Spybot - Search & Destroy.lnk
[09/02/2008 08:06 PM | 00,000,062 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\FixServices.bat
[09/03/2008 08:21 PM | 00,002,507 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\Microsoft Office Excel 2003.lnk
[09/03/2008 08:21 PM | 00,002,509 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\Microsoft Office Word 2003.lnk
[09/03/2008 08:22 PM | 00,002,521 | ---- | M] () - C:\Documents and Settings\Christine Baird\Desktop\Email.lnk

< End of report >

OTExtras Log:
OTViewIt Extras logfile created on: 4/09/2008 6:54:58 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.8 Folder = C:\Documents and Settings\Christine Baird\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

511.49 Mb Total Physical Memory | 177.37 Mb Available Physical Memory | 34.68% Memory free
1.22 Gb Paging File | 0.92 Gb Available in Paging File | 75.69% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 23.47 Gb Free Space | 63.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[04/14/2008 05:42 AM | 00,141,312 | ---- | M] (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[04/14/2008 12:23 AM | 00,558,080 | ---- | M] (Microsoft Corporation)

"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[01/19/2007 12:54 PM | 05,674,352 | ---- | M] (Microsoft Corporation)

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[04/14/2008 05:42 AM | 00,141,312 | ---- | M] (Microsoft Corporation)

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test
[04/14/2008 05:42 AM | 00,083,456 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[01/25/2008 12:38 AM | 02,458,128 | ---- | M] (McAfee, Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[04/14/2008 12:23 AM | 00,558,080 | ---- | M] (Microsoft Corporation)

"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[01/19/2007 12:54 PM | 05,674,352 | ---- | M] (Microsoft Corporation)

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[01/04/2007 04:10 PM | 00,297,752 | ---- | M] (Microsoft Corporation)

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = ComFile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.html [@ = FirefoxHTML] - [07/03/2008 12:34 PM | 00,307,712 | ---- | M] (Mozilla Corporation) - C:\Program Files\Mozilla Firefox\firefox.exe
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" %*

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

siteadvisor:{3A5DC592-7723-4EAA-9EE6-AF4222BCF879} [HKLM - Reg Error: Value does not exist or could not be read.]
[03/31/2007 01:41 AM | 01,099,304 | ---- | M] (McAfee, Inc.) C:\Program Files\SiteAdvisor\6066\SiteAdv.dll

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001C43D5-77BA-4084-8F50-8EE8A173A9F7}" = LG PhoneManager
"{07B02BD4-E799-4945-B240-166CA9A9BE2D}" = Multimedia Card Reader
"{12B5658E-5E34-45C1-AAFA-8AF997684928}" = Zboard ™ Software
"{18063128-B9E1-AFAE-B7DD-2C313D2C375B}" = ccc-core-preinstall
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{20749F76-4228-43AD-8AB5-E7B20D8040C4}" = hph_readme
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{24141F03-D9B2-D029-1C94-0BBA9977D173}" = Skins
"{256AEBD0-41C6-471E-92B4-B256F5176A72}" = D7100
"{2A425503-3D15-BE66-8781-3D153AF1F8A9}" = CCC Help English
"{3004FB81-7B9E-4808-BD13-BC5A530BA60B}" = cp_PrintOnCDConfig
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{36DC3E2F-CD8C-4953-9E8F-9A1916D10AA1}" = hph_software
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{714B6179-84C4-4FBE-B934-B6CF75ED37A5}" = D6100_D7100_D7300_Help
"{77FF5817-ABA9-1294-2D3D-A29F8FDA8BAD}" = ccc-core-static
"{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}" = Ad-Aware SE Personal
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{7E0AED65-CE72-3715-5FD0-A18C149B5BFF}" = Catalyst Control Center Graphics Full Existing
"{82081779-4175-4666-A457-AB711CD37EF0}" = cp_LightScribeConfig
"{82E55892-6FFD-403F-AA97-D726846768AA}" = CP_AtenaShokunin1Config
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{866A0078-DEA7-4348-9C9A-999AF2991EAA}" = SlideShowMusic
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9DE9E293-5D7B-4312-88C2-BDFAEC5310AE}" = Microsoft .NET Framework 3.0
"{9DEE2DB4-D46C-E7CF-9465-802BD2077A0A}" = Catalyst Control Center Graphics Light
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{ACCCEE83-B49B-4964-8A4F-378B8FBC9F75}" = hph_ProductContext
"{B19F9155-9337-4807-B5EF-ED471DDB2CCE}" = hph_software_req
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B83245C1-AB8A-40C1-91C0-CEDBDB84255D}" = LG PhoneManager
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{C02EDE17-BC2E-4393-70BD-36185ABEBFF7}" = Catalyst Control Center Graphics Previews Common
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C3FAA091-B278-44A7-BF48-190811C5F9F7}" = cp_UpdateProjectsConfig
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB5363FC-04F2-E3F2-78BD-A9A6DB63DB9E}" = ccc-utility
"{D2A3C9D5-0B56-4656-8277-7EDC65D62B6E}" = HP Photosmart and Deskjet 7.0 Software
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FEC22238-FB7E-5D07-F88A-78F15460073A}" = Catalyst Control Center Graphics Full New
"{FFD06ACB-DF8B-D34D-9F9E-CDA18C15E208}" = Catalyst Control Center Core Implementation
"{FFD25152-1916-4744-BAAF-F2D2EBF38284}" = LG SyncManager
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"CodInstl" = Intel A/V Codecs V2.0
"D-Link VGA Webcam" = D-Link VGA Webcam
"DriverAgent.exe" = DriverAgent by TouchStone Software
"DVD Shrink_is1" = DVD Shrink 3.2
"Enable S3 for USB Device" = Enable S3 for USB Device
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Indeo® Software" = Indeo® Software
"InstallShield_{07B02BD4-E799-4945-B240-166CA9A9BE2D}" = Multimedia Card Reader
"KB928365.T1_1ToU569_1" = Security Update for Microsoft .NET Framework 2.0 (KB928365)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6
"NeroVision!UninstallKey" = NeroVision Express 2
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMPUninstallKey" = Nero Media Player
"NVIDIA Gart Driver" = NVIDIA Gart Driver
"NVIDIA nForce Drivers" = NVIDIA nForce Drivers
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-776561741-329068152-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 30/08/2008 2:50:03 AM - Computer Name = HOMEPC - User Name = User SID not found - Source = Application Error
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module termsrv.dll, version 5.1.2600.5512, fault address 0x00009c98.

Error - 30/08/2008 2:55:11 AM - Computer Name = HOMEPC - User Name = User SID not found - Source = EventSystem
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of f:\xpsp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 30/08/2008 2:55:11 AM - Computer Name = HOMEPC - User Name = User SID not found - Source = VSS
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 30/08/2008 5:08:09 AM - Computer Name = HOMEPC - User Name = User SID not found - Source = ESENT
Description = wuauclt (2772) The database page