Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

AVG finds Trojan horse Generic9.AAVJ [RESOLVED]

Started by slreagan , Dec 20 2007 09:33 PM

  • This topic is locked This topic is locked

#1
slreagan
Posted 20 December 2007 - 09:33 PM

slreagan

    Member

  • Member
  • PipPip
  • 45 posts
AVG keeps telling me that it has found a threat called Trojan horse Generic9.AAVJ in C:\windows\system32\cscdl.dll. I have tried having AVG heal the file and move the file to the vault, but it keeps coming back. I have checked the status of the virus vault and find several instances of cscdl.dll in there. However, it also continues to show up in the C:\windows\system32 directory. I have completed the initial steps defined in the site and am posting the logs below, except for the AVG Anti-Spyware log. For some reason, that program would not let me save a report. Not sure what I did wrong on that one.

Thank you in advance for your help!


SUPERAntiSpyware Log
Generated 12/19/2007 at 07:59 PM

Application Version : 3.6.1000

Core Rules Database Version : 3363
Trace Rules Database Version: 1362

Scan type : Complete Scan
Total Scan Time : 03:02:21

Memory items scanned : 553
Memory threats detected : 0
Registry items scanned : 5930
Registry threats detected : 0
File items scanned : 70035
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@ads.pointroll[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@ads.associatedcontent[2].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@serving-sys[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@anat.tacoda[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@bs.serving-sys[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@www.burstbeacon[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@questionmarket[2].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@anad.tacoda[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@ads.l-word[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@tacoda[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@richmedia.yahoo[1].txt
C:\Documents and Settings\Shawn Reagan\Cookies\shawn reagan@2o7[2].txt

Panda Software ActiveScan Log
Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
Adware:adware/isearch Not disinfected c:\windows\downloaded program files\initial.inf
Possible Virus. Not disinfected C:\I386\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\AolCoach.cab[.\Data\Player\AolNySEV.exe]
Adware:Adware/AVSystemCare Not disinfected C:\WINDOWS\SYSTEM32\cscdl.dll

Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:31 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10142 bytes

Uninstall List
3D Groove Playback Engine
ABBYY FineReader 4.0 Sprint
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe PhotoDeluxe Home Edition 4.0
Adobe Reader 6.0.1
ATI Display Driver
AVG 7.5
AVG Anti-Spyware 7.5
BUM
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.0
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities WFT-E1/E2 Utility
Canon Utilities ZoomBrowser EX
CCHelp
CCScore
ChainCast Proxy (remove only)
ClueFinders 4th Grade Adventures
ClueFinders 5th Grade Adventures
ClueFinders® 3rd Grade Adventures
Conexant HSF V92 56K Data Fax PCI Modem
CR2
Dell ResourceCD
Dell Solution Center
DellTouch
Disney's Toontown Online
Disney's Winnie the Pooh Kindergarten
DivX Codec
DivX Player 2.1
DrawPlus 3.0
Easy CD Creator 5 Basic
eMedia Rock Guitar Starter Lessons
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSvpaht
ESSvpot
Family Tree Maker 7.0
Fisher Price ABC 32
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPSFO
Internet Explorer Q903235
iTunes
JumpStart 1st Grade 2000
JumpStart Kindergarten 98 v2.5
JumpStart Parent Resource Center
JumpStart Pre-K v2.0
Kensington MouseWorks
Kid Pix Deluxe 3
Kodak EasyShare software
KSU
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
MathQuest
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Microsoft Picture It! Photo 2002
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Microsoft Zoo Tycoon
Microtek ScanWizard 5
Modem Helper
Money Matters Deluxe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Palm Desktop
Panda ActiveScan
PCDLNCH
PhoneTools
PhotoParade Player
PrintMaster
PRO200WL
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit 2nd Grade
RealArcade
RealOne Player
Rhapsody Player Engine
RitzPix E-Z Print & Share
SafeCast Shared Components
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SFR
SFR2
Shockwave
Shockwave Player
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
The Game Of Life
TP Preview Exclusive Broadside Blast
TurboTax ItsDeductible 2006
Ulead Photo Explorer 7.0 SE
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VCAMCEN
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
VPRINTOL
Wal-Mart Music Downloads Store
WeatherBug
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Yahoo! Toolbar
ZoneAlarm
  • 0

Advertisements

#2
don77
Posted 28 December 2007 - 06:13 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello and welcome slreagan
sorry for the delay

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
slreagan
Posted 28 December 2007 - 10:12 PM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi don77. Thanks for the reply. Here are the logs from the DSS scan:

Main.txt
Deckard's System Scanner v20071014.68
Run by Shawn Reagan on 2007-12-28 21:54:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2007-12-29 03:55:02 UTC - RP11 - Deckard's System Scanner Restore Point
9: 2007-12-28 02:54:12 UTC - RP10 - System Checkpoint
8: 2007-12-24 18:15:55 UTC - RP9 - System Checkpoint
7: 2007-12-23 17:23:21 UTC - RP8 - Software Distribution Service 3.0
6: 2007-12-23 14:29:41 UTC - RP7 - System Checkpoint


-- First Restore Point --
1: 2007-12-19 02:20:07 UTC - RP2 - Prior to cscdl removal via Geeks to Go


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Shawn Reagan.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:47 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Shawn Reagan\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ssmypics.scr
C:\PROGRA~1\TRENDM~1\HIJACK~1\Shawn Reagan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10241 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 cxfcshut - c:\windows\system32\drivers\usaycupu.dat
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 IPFilter (Microsoft IntelliPoint Features driver) - c:\windows\system32\drivers\ipfilter.sys <Not Verified; Microsoft Corporation; Microsoft IntelliPoint>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>

S2 IomegaAccess - c:\program files\iomega\tools_nt\iomegaaccess.exe /s (file missing)
S2 ZipToA - c:\windows\system32\ziptoa.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Kensington PS/2 Mouse Driver
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Kensington Technology Group
Name: Kensington PS/2 Mouse Driver
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt


-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-20 21:08:08 0 d-------- C:\Program Files\Trend Micro
2007-12-19 16:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:53:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 16:53:22 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 20:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 20:49:45 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Grisoft
2007-12-17 19:50:50 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-17 01:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-17 01:06:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\PrevxCSI
2007-12-16 15:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-16 01:27:16 0 dr-h----- C:\$VAULT$.AVG
2007-12-15 23:58:42 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\AVG7
2007-12-15 23:57:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-15 23:27:15 708608 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll <Not Verified; Gracenote; CDDBUIControl Module>
2007-12-15 23:27:15 569344 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2007-12-15 17:24:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-12-15 12:06:26 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Uniblue
2007-12-15 09:13:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2007-12-13 18:22:30 19456 --a------ C:\WINDOWS\system32\drivers\usaycupu.dat
2007-12-13 18:21:28 84992 --a------ C:\WINDOWS\system32\cscdl.dll
2007-11-29 22:53:54 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Canon


-- Find3M Report ---------------------------------------------------------------

2007-12-28 01:52:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\ZoomBrowser EX
2007-12-19 22:57:49 0 d-------- C:\Program Files\RitzPix E-Z Print & Share
2007-12-19 22:55:45 0 d-------- C:\Program Files\QuickTime
2007-12-19 22:55:26 0 d-------- C:\Program Files\Palm
2007-12-19 22:54:55 0 d-------- C:\Program Files\Netropa
2007-12-19 22:28:49 0 d-------- C:\Program Files\iTunes
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files
2007-12-15 23:27:24 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-12-15 23:27:18 0 d-------- C:\Program Files\Adaptec
2007-12-15 23:27:15 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2007-12-15 23:27:13 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2007-12-15 22:11:27 0 d-------- C:\Program Files\Norton SystemWorks
2007-12-15 22:11:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 21:55:06 0 d-------- C:\Program Files\Symantec
2007-11-27 21:58:50 0 d-------- C:\Program Files\Canon
2007-11-27 21:34:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 21:13:52 0 d-------- C:\Program Files\Common Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71919CC1-D895-4BC1-B570-ACC6F4596BDB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2006 12:42 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/12/2004 11:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/16/2002 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/08/2004 04:21 PM]
"Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [07/26/2002 01:00 PM]
"MSWheel"="" []
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [01/19/2006 10:06 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [01/19/2006 10:06 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 10:41 PM]
"kmw_run.exe"="kmw_run.exe" [12/01/2003 04:39 PM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 12:20 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 04:34 PM]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [11/30/1998 06:04 PM]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [09/23/2001 07:14 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 08:40 AM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/15/2007 11:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [12/19/2001 04:23 PM]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [06/19/2006 04:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\Shawn Reagan\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [7/26/2002 2:19:00 PM]
PowerReg Scheduler.exe [4/9/2002 9:38:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [3/30/2002 5:02:46 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microtek Scanner Finder.lnk - C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe [4/22/2004 8:59:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bc6462-b25e-11dc-9f84-00095b1b0ae1}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2007-12-28 22:05:49 ------------



extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 255.3 MiB / 71.43 MiB
Pagefile Memory (total/avail): 785.64 MiB / 289.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.8 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 11.34 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: ZoneAlarm Firewall v6.5.731.000 (Zone Labs, Inc.)
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shawn Reagan\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DELL1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shawn Reagan
LOGONSERVER=\\DELL1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHAWNR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHAWNR~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=DELL1
USERNAME=Shawn Reagan
USERPROFILE=C:\Documents and Settings\Shawn Reagan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shawn Reagan (admin)
Lisa (admin)
Kristen
Bethany
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
ABBYY FineReader 4.0 Sprint --> C:\WINDOWS\bitdeins.exe C:\PROGRA~1\ABBYYF~1.0SP\bitdeins.ini
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe PhotoDeluxe Home Edition 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PhotoDeluxe Home Edition 4.0\Uninst.isu"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BUM --> MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon EOS-1Ds Mark II WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{652C4ADF-0A29-4B02-9211-EE61675847DE}
Canon EOS 5D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon EOS Kiss_N REBEL_XT 350D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4} /l1033
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 3.0 --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities Original Data Security Tools --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities WFT-E1/E2 Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ChainCast Proxy (remove only) --> rundll32 C:\WINDOWS\System32\ccmp392.dll,UninstallProxy
ClueFinders 4th Grade Adventures --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\ClueFinders 4th Grade Adventures\Uninstall.xml"
ClueFinders 5th Grade Adventures --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\ClueFinders 5th Grade Adventures\Uninstall.xml"
ClueFinders® 3rd Grade Adventures --> C:\Program Files\The Learning Company\ClueFinders® 3rd Grade Adventures\uninstall.exe
Conexant HSF V92 56K Data Fax PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2013&SUBSYS_021213E0
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Disney's Winnie the Pooh Kindergarten --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\WINNIE~1\DeIsL1.isu -c"C:\Program Files\Disney Interactive\Winnie the Pooh Kindergarten\Code\Saved Games\Uninst.dll
DivX Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Bundle.log
DivX Player 2.1 --> C:\Program Files\DivX\DivX Player 2.1\uninstall.bat
DrawPlus 3.0 --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\DrawPlus\DeIsL1.isu"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMedia Rock Guitar Starter Lessons --> "C:\Program Files\eMedia Rock Guitar Starter Lessons\Uninstall.exe" "C:\Program Files\eMedia Rock Guitar Starter Lessons\install.log"
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Family Tree Maker 7.0 --> C:\WINDOWS\IsUninst.exe -fC:\FTW\Uninst.isu
Fisher Price ABC 32 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\FPABC32\DeIsL1.isu"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPCCTR --> MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
JumpStart 1st Grade 2000 --> C:\WINDOWS\IsUninst.exe -fC:\KA\JS1G2000\DeIsL1.isu
JumpStart Kindergarten 98 v2.5 --> C:\WINDOWS\IsUninst.exe -fC:\KA\KG98\DeIsL1.isu
JumpStart Parent Resource Center --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRC\DeIsL1.isu
JumpStart Pre-K v2.0 --> C:\WINDOWS\uninst.exe -fC:\KA\PRE_K\DeIsL1.isu
Kensington MouseWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57764780-E33B-11D1-96ED-00A024A83A15}\SETUP.EXE" -u
Kid Pix Deluxe 3 --> C:\Program Files\Broderbund\Kid Pix Deluxe 3\uninstal.exe
KODAK EASYSHARE Gallery Easy Upload, v2.1 --> C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\KodakGallery\EasyShareSetup\$SETUP_140007_126e8836\Setup.exe /APR-REMOVE
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_10009_1c8ade3a\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
MathQuest --> C:\WINDOWS\uninst.exe -fC:\Disney\MathQuest\DeIsL1.isu
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard for Students and Teachers --> MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft Zoo Tycoon --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove
Microtek ScanWizard 5 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Twain_32\ScanWiz5\Uninst.isu
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
Money Matters Deluxe --> MsiExec.exe /I{E3B30C03-9245-481C-8FEE-53EE7E81C5D6}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Palm Desktop --> MsiExec.exe /X{9B52B30C-F65C-4244-ABCE-215E46E27AF0}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
PhotoParade Player --> "C:\Program Files\PhotoParade\Uninstall PhotoParade Player.exe" "PhotoParade.exe"
PocketMirror 3.1.2 (Standard Edition) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Palm\Chapura\PocketMirror\DeIsL1.isu" -cC:\PROGRA~1\Palm\Chapura\POCKET~1\UninstEx.dll
PrintMaster --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PRINTM~1\DeIsL1.isu" -c"C:\PROGRA~1\BRODER~1\PRINTM~1\psfinst.dll"
PRO200WL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Reader Rabbit 1st Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 1st Grade\Uninstall.xml"
Reader Rabbit 2nd Grade --> C:\Program Files\The Learning Company\Reader Rabbit 2nd Grade\uninstal.exe
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RitzPix E-Z Print & Share --> MsiExec.exe /X{CD55BC4A-C299-4632-91A9-88705157EAC2}
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Shockwave Player --> MsiExec.exe /X{95D885F5-B696-11D5-9D1D-0050DAB14E03}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
TP Preview Exclusive Broadside Blast --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2156D3D1-7EBF-11D6-B2FB-0002A5E32BEF}\setup.exe" TP Preview Exclusive Broadside Blast
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Ulead Photo Explorer 7.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E38E1721-7FE7-11D4-A898-0000E83DCDA6}\setup.exe"
VCAMCEN --> MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Wal-Mart Music Downloads Store --> MsiExec.exe /I{1DB2FBA5-D57A-42A7-8E87-5B3EEBED8283}
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type25238 / Error
Event Submitted/Written: 12/28/2007 10:02:43 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type25206 / Error
Event Submitted/Written: 12/27/2007 08:18:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type25205 / Error
Event Submitted/Written: 12/27/2007 08:01:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type25066 / Error
Event Submitted/Written: 12/20/2007 05:28:38 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type25062 / Error
Event Submitted/Written: 12/20/2007 03:57:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9b.ocx, version 9.0.28.0, fault address 0x0018a68d.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29017 / Error
Event Submitted/Written: 12/28/2007 09:53:50 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.100 for the Network Card with network address 00095B1B0AE1 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type29008 / Error
Event Submitted/Written: 12/28/2007 01:39:33 AM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Canon\ZoomBrowser EX\Program\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type29007 / Error
Event Submitted/Written: 12/28/2007 01:39:33 AM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type29006 / Error
Event Submitted/Written: 12/28/2007 01:39:33 AM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type29005 / Error
Event Submitted/Written: 12/28/2007 01:39:28 AM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Canon\ZoomBrowser EX\Program\MFC80U.DLL.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2007-12-28 22:05:49 ------------
  • 0

#4
don77
Posted 30 December 2007 - 08:35 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
sorry for the delay


Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”


O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k

close out HJT and reboot your computer



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Post back a fresh HJT log as well please
  • 0

#5
slreagan
Posted 30 December 2007 - 03:38 PM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I restarted HJT and checked the boxes next to the 2 items you mentioned. After rebooting, the file c:\windows\system32\cscdl.dll is still on the computer. I am also still getting a warning from AVG every time I start IE6 about finding Trojan horse Generic9.AAVJ in c:\windows\system32\cscdl.dll.

Here are the log files from the Kaspersky scan and a new HJT log:

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 3:30:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 76279
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:49:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-30_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Temp\JETE82E.tmp Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Temp\ZLT01241.TMP Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Temp\ZLT012b0.TMP Object is locked skipped
C:\Documents and Settings\Shawn Reagan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shawn Reagan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shawn Reagan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP12\change.log Object is locked skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000023.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DELL1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\cscdl.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:40 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10210 bytes
  • 0

#6
don77
Posted 30 December 2007 - 09:03 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\cscdl.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.


Next

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll

close out HJT and reboot the computer.


Please rescan with DSS and post back the new log ( it will only produce the main txt this time )
  • 0

#7
slreagan
Posted 30 December 2007 - 10:44 PM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I downloaded and ran OTMoveIt and it did ask me to reboot the machine. Upon reboot, one of the windows to come up was a blank IE6 window. Should that have happened? After that, I re-ran HJT with the box checked that you indicated and rebooted again. I then ran DSS again. I still get the warning from AVG whenever an IE6 or Windows Explorer window opens. Also, the file c:\windows\system32\cscdl.dll is still there.

Here are the logs from OTMoveIt and DSS.

OTMoveIt log:
LoadLibrary failed for C:\WINDOWS\system32\cscdl.dll
C:\WINDOWS\system32\cscdl.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\cscdl.dll scheduled to be moved on reboot.

Created on 12/30/2007 21:44:55


DSS log:
Deckard's System Scanner v20071014.68
Run by Shawn Reagan on 2007-12-30 22:34:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Shawn Reagan.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:08 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Documents and Settings\Shawn Reagan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SHAWNR~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10222 bytes

-- Files created between 2007-11-30 and 2007-12-30 -----------------------------

2007-12-30 12:14:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:14:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:08:08 0 d-------- C:\Program Files\Trend Micro
2007-12-19 16:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:53:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 16:53:22 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 20:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 20:49:45 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Grisoft
2007-12-17 19:50:50 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-17 01:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-17 01:06:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\PrevxCSI
2007-12-16 15:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-16 01:27:16 0 dr-h----- C:\$VAULT$.AVG
2007-12-15 23:58:42 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\AVG7
2007-12-15 23:57:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-15 23:27:15 708608 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll <Not Verified; Gracenote; CDDBUIControl Module>
2007-12-15 23:27:15 569344 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2007-12-15 17:24:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-12-15 12:06:26 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Uniblue
2007-12-15 09:13:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2007-12-13 18:22:30 19456 --a------ C:\WINDOWS\system32\drivers\usaycupu.dat
2007-12-13 18:21:28 84992 --a------ C:\WINDOWS\system32\cscdl.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-28 01:52:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\ZoomBrowser EX
2007-12-19 22:57:49 0 d-------- C:\Program Files\RitzPix E-Z Print & Share
2007-12-19 22:55:45 0 d-------- C:\Program Files\QuickTime
2007-12-19 22:55:26 0 d-------- C:\Program Files\Palm
2007-12-19 22:54:55 0 d-------- C:\Program Files\Netropa
2007-12-19 22:28:49 0 d-------- C:\Program Files\iTunes
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files
2007-12-15 23:27:24 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-12-15 23:27:18 0 d-------- C:\Program Files\Adaptec
2007-12-15 23:27:15 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2007-12-15 23:27:13 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2007-12-15 22:11:27 0 d-------- C:\Program Files\Norton SystemWorks
2007-12-15 22:11:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 21:55:06 0 d-------- C:\Program Files\Symantec
2007-11-29 22:53:54 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Canon
2007-11-27 21:58:50 0 d-------- C:\Program Files\Canon
2007-11-27 21:34:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 21:13:52 0 d-------- C:\Program Files\Common Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71919CC1-D895-4BC1-B570-ACC6F4596BDB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2006 12:42 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/12/2004 11:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/16/2002 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/08/2004 04:21 PM]
"Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [07/26/2002 01:00 PM]
"MSWheel"="" []
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [01/19/2006 10:06 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [01/19/2006 10:06 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 10:41 PM]
"kmw_run.exe"="kmw_run.exe" [12/01/2003 04:39 PM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 12:20 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 04:34 PM]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [11/30/1998 06:04 PM]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [09/23/2001 07:14 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 08:40 AM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/15/2007 11:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [12/19/2001 04:23 PM]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [06/19/2006 04:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\Shawn Reagan\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [7/26/2002 2:19:00 PM]
PowerReg Scheduler.exe [4/9/2002 9:38:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [3/30/2002 5:02:46 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microtek Scanner Finder.lnk - C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe [4/22/2004 8:59:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bc6462-b25e-11dc-9f84-00095b1b0ae1}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2007-12-30 22:37:34 ------------
  • 0

#8
don77
Posted 31 December 2007 - 07:08 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new DSS log.

  • 0

#9
slreagan
Posted 31 December 2007 - 09:40 AM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
I downloaded and ran Vundofix.exe and it did not find Vundo on the machine. I clicked on Remove Vundo anyway and it said there was no infection found and closed out of the program. I'm posting the log from the Vundo scan and a new DSS log.

Vundo scan log:

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 8:20:21 AM 12/31/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



DSS log:
Deckard's System Scanner v20071014.68
Run by Shawn Reagan on 2007-12-31 09:34:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Shawn Reagan.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:10 AM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Shawn Reagan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SHAWNR~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10348 bytes

-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 08:20:21 0 d-------- C:\VundoFix Backups
2007-12-30 12:14:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:14:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:08:08 0 d-------- C:\Program Files\Trend Micro
2007-12-19 16:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:53:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 16:53:22 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 20:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 20:49:45 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Grisoft
2007-12-17 19:50:50 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-17 01:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-17 01:06:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\PrevxCSI
2007-12-16 15:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-16 01:27:16 0 dr-h----- C:\$VAULT$.AVG
2007-12-15 23:58:42 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\AVG7
2007-12-15 23:57:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-15 23:27:15 708608 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll <Not Verified; Gracenote; CDDBUIControl Module>
2007-12-15 23:27:15 569344 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2007-12-15 17:24:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-12-15 12:06:26 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Uniblue
2007-12-15 09:13:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2007-12-13 18:22:30 19456 --a------ C:\WINDOWS\system32\drivers\usaycupu.dat
2007-12-13 18:21:28 84992 --a------ C:\WINDOWS\system32\cscdl.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-28 01:52:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\ZoomBrowser EX
2007-12-19 22:57:49 0 d-------- C:\Program Files\RitzPix E-Z Print & Share
2007-12-19 22:55:45 0 d-------- C:\Program Files\QuickTime
2007-12-19 22:55:26 0 d-------- C:\Program Files\Palm
2007-12-19 22:54:55 0 d-------- C:\Program Files\Netropa
2007-12-19 22:28:49 0 d-------- C:\Program Files\iTunes
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files
2007-12-15 23:27:24 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-12-15 23:27:18 0 d-------- C:\Program Files\Adaptec
2007-12-15 23:27:15 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2007-12-15 23:27:13 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2007-12-15 22:11:27 0 d-------- C:\Program Files\Norton SystemWorks
2007-12-15 22:11:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 21:55:06 0 d-------- C:\Program Files\Symantec
2007-11-29 22:53:54 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Canon
2007-11-27 21:58:50 0 d-------- C:\Program Files\Canon
2007-11-27 21:34:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 21:13:52 0 d-------- C:\Program Files\Common Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71919CC1-D895-4BC1-B570-ACC6F4596BDB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2006 12:42 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/12/2004 11:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/16/2002 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/08/2004 04:21 PM]
"Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [07/26/2002 01:00 PM]
"MSWheel"="" []
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [01/19/2006 10:06 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [01/19/2006 10:06 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 10:41 PM]
"kmw_run.exe"="kmw_run.exe" [12/01/2003 04:39 PM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 12:20 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 04:34 PM]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [11/30/1998 06:04 PM]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [09/23/2001 07:14 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 08:40 AM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/15/2007 11:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [12/19/2001 04:23 PM]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [06/19/2006 04:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\Shawn Reagan\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [7/26/2002 2:19:00 PM]
PowerReg Scheduler.exe [4/9/2002 9:38:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [3/30/2002 5:02:46 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microtek Scanner Finder.lnk - C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe [4/22/2004 8:59:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bc6462-b25e-11dc-9f84-00095b1b0ae1}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2007-12-31 09:36:41 ------------
  • 0

#10
don77
Posted 31 December 2007 - 03:00 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
lets try a different route

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

Advertisements

#11
slreagan
Posted 31 December 2007 - 05:41 PM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Thanks for the help so far! I think we've made progress! I downloaded and ran ComboFix and ran another log of HJT. When I started IE6, I did not get the warning from AVG. So, I went to check and the file cscdl.dll is no longer in c:\windows\system32. Here are the logs from ComboFix and HJT. Let me know what else needs to be done.

ComboFix log:
ComboFix 07-12-31.4 - Shawn Reagan 2007-12-31 16:36:12.1 - NTFSx86
Running from: C:\Documents and Settings\Shawn Reagan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cscdl.dll
C:\WINDOWS\system32\drivers\usaycupu.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CXFCSHUT
-------\cxfcshut


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 16:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 08:20 . 2007-12-31 08:20 <DIR> d-------- C:\VundoFix Backups
2007-12-30 12:14 . 2007-12-30 12:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-12-30 12:14 . 2007-12-30 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 21:53 . 2007-12-28 21:53 <DIR> d-------- C:\Deckard
2007-12-20 21:08 . 2007-12-20 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 16:54 . 2007-12-19 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:53 . 2007-12-19 22:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 16:53 . 2007-12-19 16:53 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com
2007-12-19 16:52 . 2007-12-19 16:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 20:59 . 2007-12-18 20:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 20:49 . 2007-12-18 20:49 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Grisoft
2007-12-18 20:48 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-12-17 19:50 . 2007-12-19 23:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-17 19:50 . 2007-12-19 21:27 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-17 19:50 . 2007-12-19 21:27 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-17 19:50 . 2007-12-19 21:27 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-17 01:07 . 2007-12-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-17 01:06 . 2007-12-17 01:09 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\PrevxCSI
2007-12-16 15:13 . 2007-12-18 02:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-15 23:58 . 2007-12-28 09:49 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\AVG7
2007-12-15 23:57 . 2007-12-15 23:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-15 23:56 . 2007-12-18 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 23:56 . 2007-12-31 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-15 23:27 . 2007-12-15 23:27 708,608 --a------ C:\WINDOWS\SYSTEM32\CDDBUIRoxio.dll
2007-12-15 23:27 . 2007-12-15 23:27 569,344 --a------ C:\WINDOWS\SYSTEM32\CDDBControlRoxio.dll
2007-12-15 12:06 . 2007-12-15 12:06 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Uniblue
2007-12-15 09:13 . 2007-12-15 09:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
2007-11-29 22:53 . 2007-11-29 22:53 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Canon
2007-11-27 22:26 . 2007-12-28 01:52 <DIR> d-------- C:\Documents and Settings\Shawn Reagan\Application Data\ZoomBrowser EX
2007-11-27 21:31 . 2007-12-28 01:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-11-27 21:29 . 2007-11-27 21:58 <DIR> d-------- C:\Program Files\Canon
2007-11-27 21:13 . 2007-11-27 21:13 <DIR> d-------- C:\Program Files\Common Files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 04:57 --------- d-----w C:\Program Files\RitzPix E-Z Print & Share
2007-12-20 04:55 --------- d-----w C:\Program Files\QuickTime
2007-12-20 04:55 --------- d-----w C:\Program Files\Palm
2007-12-20 04:54 --------- d-----w C:\Program Files\Netropa
2007-12-20 04:28 --------- d-----w C:\Program Files\iTunes
2007-12-16 05:41 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-16 05:27 57,344 ----a-w C:\WINDOWS\uneng.exe
2007-12-16 05:27 30,662 ----a-w C:\WINDOWS\system32\drivers\Mmc_2k.sys
2007-12-16 05:27 25,930 ----a-w C:\WINDOWS\system32\drivers\Dvd_2k.sys
2007-12-16 05:27 241,280 ----a-w C:\WINDOWS\system32\drivers\cdudf_xp.sys
2007-12-16 05:27 23,436 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-16 05:27 206,464 ----a-w C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2007-12-16 05:27 144,250 ----a-w C:\WINDOWS\system32\drivers\pwd_2K.sys
2007-12-16 05:27 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2007-12-16 05:27 --------- d-----w C:\Program Files\Adaptec
2007-12-16 04:11 --------- d-----w C:\Program Files\Norton SystemWorks
2007-12-16 04:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-16 03:55 --------- d-----w C:\Program Files\Symantec
2007-11-28 03:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-05-29 18:12 88,848 ----a-w C:\Documents and Settings\Shawn Reagan\Application Data\GDIPFONTCACHEV1.DAT
2002-05-23 06:46 7,432 ----a-w C:\Program Files\Avc1.exe
2002-05-23 05:06 7,432 ----a-w C:\Program Files\Wo1.exe
2002-05-23 03:42 7,432 ----a-w C:\Program Files\Riv1.exe
2002-05-23 03:40 7,432 ----a-w C:\Program Files\Zzg1.exe
2002-05-23 03:39 7,432 ----a-w C:\Program Files\Dtq1.exe
2002-05-22 23:14 7,432 ----a-w C:\Program Files\Wge1.exe
2002-05-22 23:13 7,432 ----a-w C:\Program Files\Mrl1.exe
2002-05-22 23:11 7,432 ----a-w C:\Program Files\Vn1.exe
2002-05-22 03:32 7,432 ----a-w C:\Program Files\Bx1.exe
2002-05-22 03:23 7,432 ----a-w C:\Program Files\Mf1.exe
2002-05-20 03:17 7,432 ----a-w C:\Program Files\Gb1.exe
2002-05-13 03:17 7,432 ----a-w C:\Program Files\Mho1.exe
2002-05-04 01:23 7,432 ----a-w C:\Program Files\Hli1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2001-12-19 16:23 778240]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [2006-06-19 16:30 4796416]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-07-09 12:42 968696]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-12 11:24 106557]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2002-10-16 16:32 151597]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-08 16:21 98304]
"Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [2002-07-26 13:00 28672]
"MSWheel"="" []
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2006-01-19 10:06 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 10:06 11776]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"kmw_run.exe"="kmw_run.exe" [2003-12-01 16:39 106496 C:\WINDOWS\SYSTEM32\kmw_run.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20 278528]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 18:04 497376]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [2001-09-23 07:14 163840]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:40 579072]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-12-15 23:27 684032]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-15 23:57 219136]

C:\Documents and Settings\Shawn Reagan\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-07-26 14:19:00]
PowerReg Scheduler.exe [2002-04-09 21:38:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2002-03-30 17:02:46]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Microtek Scanner Finder.lnk - C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe [2004-04-22 20:59:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 12:53]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-08-31 00:40]
R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\FA31XND5.SYS [2002-05-14 20:27]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2003-12-01 16:53]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2003-12-01 16:54]
R3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2003-12-01 16:53]
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2000-10-03 15:18]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 12:48]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 11:12]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 13:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bc6462-b25e-11dc-9f84-00095b1b0ae1}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 17:00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2007-12-31 17:21:03 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 23:20:54
.
2007-12-23 17:25:15 --- E O F ---



HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:12 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10021 bytes
  • 0

#12
don77
Posted 01 January 2008 - 09:55 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That seems to have rid us of that pest !!!!!


Need to have a look at one more thing please

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



Next

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt
  • 0

#13
slreagan
Posted 01 January 2008 - 10:40 AM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Thanks, don77! I downloaded and ran Flash_Disinfector and then ran DSS again with the command line you sent. Let me know if there is anything else that needs to be done. Here are the 2 logs from DSS:

main.txt:
Deckard's System Scanner v20071014.68
Run by Shawn Reagan on 2008-01-01 10:29:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-01-01 16:30:09 UTC - RP15 - Deckard's System Scanner Restore Point
10: 2007-12-31 22:34:21 UTC - RP14 - ComboFix created restore point
9: 2007-12-31 05:06:33 UTC - RP13 - System Checkpoint
8: 2007-12-30 04:57:43 UTC - RP12 - System Checkpoint
7: 2007-12-29 03:55:02 UTC - RP11 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2007-12-21 13:09:16 UTC - RP5 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Shawn Reagan.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:03 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shawn Reagan\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SHAWNR~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.wea...uginstaller.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 10080 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071230-114410-288 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20071230-114410-807 O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll
backup-20071230-220910-848 O2 - BHO: (no name) - {71919CC1-D895-4BC1-B570-ACC6F4596BDB} - C:\WINDOWS\system32\cscdl.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 catchme - c:\docume~1\shawnr~1\locals~1\temp\catchme.sys (file missing)
S3 IPFilter (Microsoft IntelliPoint Features driver) - c:\windows\system32\drivers\ipfilter.sys <Not Verified; Microsoft Corporation; Microsoft IntelliPoint>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>

S2 IomegaAccess - c:\program files\iomega\tools_nt\iomegaaccess.exe /s (file missing)
S2 ZipToA - c:\windows\system32\ziptoa.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Kensington PS/2 Mouse Driver
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Kensington Technology Group
Name: Kensington PS/2 Mouse Driver
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\SYSTEM32\winlogon.exe (pid 652)
2007-02-27 11:39:26 282624 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2000-10-09 06:50:00 28672 --a------ C:\WINDOWS\SYSTEM32\NavLogon.dll

C:\WINDOWS\SYSTEM32\svchost.exe (pid 1828)
2001-06-20 14:30:56 10909 --a------ C:\WINDOWS\SYSTEM32\msmusd7.dll <Not Verified; Microtek International Inc.; STI Scanner Driver>
2001-08-22 09:31:16 60784 --a------ C:\WINDOWS\TWAIN_32\ScanWiz5\SMCE32.dll <Not Verified; Microtek International Inc.; ScanMaker Series>

C:\WINDOWS\explorer.exe (pid 2080)
2003-12-01 16:38:50 110592 --a------ C:\WINDOWS\SYSTEM32\kmw_dll.dll <Not Verified; Kensington Technology Group; KMW>


-- Files created between 2007-12-01 and 2008-01-01 -----------------------------

2008-01-01 10:03:31 0 drahs---- C:\autorun.inf
2007-12-31 08:20:21 0 d-------- C:\VundoFix Backups
2007-12-30 12:14:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 12:14:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-20 21:08:08 0 d-------- C:\Program Files\Trend Micro
2007-12-19 16:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:53:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 16:53:22 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\SUPERAntiSpyware.com
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-18 20:59:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 20:49:45 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Grisoft
2007-12-17 19:50:50 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-17 01:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-17 01:06:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\PrevxCSI
2007-12-16 15:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-16 01:27:16 0 dr-h----- C:\$VAULT$.AVG
2007-12-15 23:58:42 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\AVG7
2007-12-15 23:57:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 23:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-15 23:27:15 708608 --a------ C:\WINDOWS\system32\CDDBUIRoxio.dll <Not Verified; Gracenote; CDDBUIControl Module>
2007-12-15 23:27:15 569344 --a------ C:\WINDOWS\system32\CDDBControlRoxio.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2007-12-15 17:24:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2007-12-15 12:06:26 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Uniblue
2007-12-15 09:13:49 0 d-------- C:\Documents and Settings\LocalService\Application Data\Symantec


-- Find3M Report ---------------------------------------------------------------

2007-12-28 01:52:55 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\ZoomBrowser EX
2007-12-19 22:57:49 0 d-------- C:\Program Files\RitzPix E-Z Print & Share
2007-12-19 22:55:45 0 d-------- C:\Program Files\QuickTime
2007-12-19 22:55:26 0 d-------- C:\Program Files\Palm
2007-12-19 22:54:55 0 d-------- C:\Program Files\Netropa
2007-12-19 22:28:49 0 d-------- C:\Program Files\iTunes
2007-12-19 16:52:27 0 d-------- C:\Program Files\Common Files
2007-12-15 23:27:24 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2007-12-15 23:27:18 0 d-------- C:\Program Files\Adaptec
2007-12-15 23:27:15 1044480 --a------ C:\WINDOWS\system32\Roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9>
2007-12-15 23:27:13 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2007-12-15 22:11:27 0 d-------- C:\Program Files\Norton SystemWorks
2007-12-15 22:11:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 21:55:06 0 d-------- C:\Program Files\Symantec
2007-11-29 22:53:54 0 d-------- C:\Documents and Settings\Shawn Reagan\Application Data\Canon
2007-11-27 21:58:50 0 d-------- C:\Program Files\Canon
2007-11-27 21:34:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 21:13:52 0 d-------- C:\Program Files\Common Files\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07/09/2006 12:42 PM]
"ViewMgr"="C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [11/12/2004 11:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/16/2002 04:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/08/2004 04:21 PM]
"Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [07/26/2002 01:00 PM]
"MSWheel"="" []
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [01/19/2006 10:06 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [01/19/2006 10:06 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 10:41 PM]
"kmw_run.exe"="kmw_run.exe" [12/01/2003 04:39 PM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/18/2004 12:20 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [03/20/2006 04:34 PM]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [11/30/1998 06:04 PM]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [09/23/2001 07:14 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 08:40 AM]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/15/2007 11:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [12/19/2001 04:23 PM]
"OurPictures"="C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" [06/19/2006 04:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\Shawn Reagan\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [7/26/2002 2:19:00 PM]
PowerReg Scheduler.exe [4/9/2002 9:38:30 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [11/15/2001 7:31:16 AM]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [3/30/2002 5:02:46 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [8/11/2004 2:22:40 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Microtek Scanner Finder.lnk - C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe [4/22/2004 8:59:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bc6462-b25e-11dc-9f84-00095b1b0ae1}]
AutoRun\command- E:\Autorun.exe /run
Shell00\Command- E:\Autorun.exe /run
Shell01\Command- E:\Autorun.exe /action
Shell02\Command- E:\Autorun.exe /uninstall




-- End of Deckard's System Scanner: finished at 2008-01-01 10:34:26 ------------



extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 255.3 MiB / 65.73 MiB
Pagefile Memory (total/avail): 617.36 MiB / 169.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 11.35 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 37.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

FW: ZoneAlarm Firewall v6.5.731.000 (Zone Labs, Inc.)
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shawn Reagan\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DELL1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shawn Reagan
LOGONSERVER=\\DELL1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHAWNR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHAWNR~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=DELL1
USERNAME=Shawn Reagan
USERPROFILE=C:\Documents and Settings\Shawn Reagan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shawn Reagan (admin)
Lisa (admin)
Kristen
Bethany
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
ABBYY FineReader 4.0 Sprint --> C:\WINDOWS\bitdeins.exe C:\PROGRA~1\ABBYYF~1.0SP\bitdeins.ini
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe PhotoDeluxe Home Edition 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PhotoDeluxe Home Edition 4.0\Uninst.isu"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BUM --> MsiExec.exe /I{55937F00-A69B-4049-8D3A-1C7729742B6F}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon EOS-1Ds Mark II WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{652C4ADF-0A29-4B02-9211-EE61675847DE}
Canon EOS 5D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon EOS Kiss_N REBEL_XT 350D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4} /l1033
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 3.0 --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities Original Data Security Tools --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Original Data Security Tools\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities WFT-E1/E2 Utility --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\WFT Utility\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
ChainCast Proxy (remove only) --> rundll32 C:\WINDOWS\System32\ccmp392.dll,UninstallProxy
ClueFinders 4th Grade Adventures --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\ClueFinders 4th Grade Adventures\Uninstall.xml"
ClueFinders 5th Grade Adventures --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\ClueFinders 5th Grade Adventures\Uninstall.xml"
ClueFinders® 3rd Grade Adventures --> C:\Program Files\The Learning Company\ClueFinders® 3rd Grade Adventures\uninstall.exe
Conexant HSF V92 56K Data Fax PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2013&SUBSYS_021213E0
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Disney's Winnie the Pooh Kindergarten --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\WINNIE~1\DeIsL1.isu -c"C:\Program Files\Disney Interactive\Winnie the Pooh Kindergarten\Code\Saved Games\Uninst.dll
DivX Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Bundle.log
DivX Player 2.1 --> C:\Program Files\DivX\DivX Player 2.1\uninstall.bat
DrawPlus 3.0 --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\DrawPlus\DeIsL1.isu"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMedia Rock Guitar Starter Lessons --> "C:\Program Files\eMedia Rock Guitar Starter Lessons\Uninstall.exe" "C:\Program Files\eMedia Rock Guitar Starter Lessons\install.log"
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Family Tree Maker 7.0 --> C:\WINDOWS\IsUninst.exe -fC:\FTW\Uninst.isu
Fisher Price ABC 32 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\FPABC32\DeIsL1.isu"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPCCTR --> MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3CB41017-F5CA-4C56-934C-ED02156251E6}
JumpStart 1st Grade 2000 --> C:\WINDOWS\IsUninst.exe -fC:\KA\JS1G2000\DeIsL1.isu
JumpStart Kindergarten 98 v2.5 --> C:\WINDOWS\IsUninst.exe -fC:\KA\KG98\DeIsL1.isu
JumpStart Parent Resource Center --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRC\DeIsL1.isu
JumpStart Pre-K v2.0 --> C:\WINDOWS\uninst.exe -fC:\KA\PRE_K\DeIsL1.isu
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kensington MouseWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57764780-E33B-11D1-96ED-00A024A83A15}\SETUP.EXE" -u
Kid Pix Deluxe 3 --> C:\Program Files\Broderbund\Kid Pix Deluxe 3\uninstal.exe
KODAK EASYSHARE Gallery Easy Upload, v2.1 --> C:\Documents and Settings\Shawn Reagan\Local Settings\Application Data\KodakGallery\EasyShareSetup\$SETUP_140007_126e8836\Setup.exe /APR-REMOVE
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_10009_1c8ade3a\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
MathQuest --> C:\WINDOWS\uninst.exe -fC:\Disney\MathQuest\DeIsL1.isu
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard for Students and Teachers --> MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Photo 2002 --> MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Microsoft Zoo Tycoon --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove
Microtek ScanWizard 5 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Twain_32\ScanWiz5\Uninst.isu
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
Money Matters Deluxe --> MsiExec.exe /I{E3B30C03-9245-481C-8FEE-53EE7E81C5D6}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Palm Desktop --> MsiExec.exe /X{9B52B30C-F65C-4244-ABCE-215E46E27AF0}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
PhotoParade Player --> "C:\Program Files\PhotoParade\Uninstall PhotoParade Player.exe" "PhotoParade.exe"
PocketMirror 3.1.2 (Standard Edition) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Palm\Chapura\PocketMirror\DeIsL1.isu" -cC:\PROGRA~1\Palm\Chapura\POCKET~1\UninstEx.dll
PrintMaster --> C:\WINDOWS\UNINST.EXE -f"C:\PROGRA~1\BRODER~1\PRINTM~1\DeIsL1.isu" -c"C:\PROGRA~1\BRODER~1\PRINTM~1\psfinst.dll"
PRO200WL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Reader Rabbit 1st Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 1st Grade\Uninstall.xml"
Reader Rabbit 2nd Grade --> C:\Program Files\The Learning Company\Reader Rabbit 2nd Grade\uninstal.exe
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RitzPix E-Z Print & Share --> MsiExec.exe /X{CD55BC4A-C299-4632-91A9-88705157EAC2}
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Shockwave Player --> MsiExec.exe /X{95D885F5-B696-11D5-9D1D-0050DAB14E03}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
TP Preview Exclusive Broadside Blast --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2156D3D1-7EBF-11D6-B2FB-0002A5E32BEF}\setup.exe" TP Preview Exclusive Broadside Blast
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Ulead Photo Explorer 7.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E38E1721-7FE7-11D4-A898-0000E83DCDA6}\setup.exe"
VCAMCEN --> MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe -u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Wal-Mart Music Downloads Store --> MsiExec.exe /I{1DB2FBA5-D57A-42A7-8E87-5B3EEBED8283}
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type25349 / Error
Event Submitted/Written: 12/31/2007 04:51:30 PM
Event ID/Source: 100 / AVG7
Event Description:
2007-12-31 22:51:30,218 DELL1 [001640:001648] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2624) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type25257 / Error
Event Submitted/Written: 12/29/2007 09:52:08 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Internet connection not detected.

Event Record #/Type25255 / Error
Event Submitted/Written: 12/29/2007 09:46:56 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Internet connection not detected.

Event Record #/Type25238 / Error
Event Submitted/Written: 12/28/2007 10:02:43 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type25206 / Error
Event Submitted/Written: 12/27/2007 08:18:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29900 / Error
Event Submitted/Written: 01/01/2008 10:18:42 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TrueVector Internet Monitor service failed to start due to the following error:
%%1053

Event Record #/Type29899 / Error
Event Submitted/Written: 01/01/2008 10:18:42 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Event Record #/Type29897 / Error
Event Submitted/Written: 01/01/2008 10:16:35 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1053" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Event Record #/Type29896 / Error
Event Submitted/Written: 01/01/2008 10:16:34 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The LiveUpdate service failed to start due to the following error:
%%1053

Event Record #/Type29895 / Error
Event Submitted/Written: 01/01/2008 10:16:34 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.



-- End of Deckard's System Scanner: finished at 2008-01-01 10:34:26 ------------
  • 0

#14
don77
Posted 01 January 2008 - 04:33 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nice job your log is clean ! :)
How is it running ?
Please use the following suggestion to help prevent reinfection

  • Download the following program, For keeping crap off your system to begin with
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
    Download
    Spyware Blaster
    Spyware Guard
    IE-Spyad


  • Online scan
    For an added check run an online virus scan, you can use one of the 2 below,
    TrendMicro's HouseCall
    ActiveScan


  • Clean out Temp Folders
    Be sure and give the Temp folders a cleaning out now and then as well, A handy tool to do this
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browserClick Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browserClick Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


  • Updating Java and Clearing Cache:
    • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    • It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    • If you are unable to update you can manually update by going Here
    • After the reboot, go back into the Control Panel and double-click the Java Icon.
    • Under Temporary Internet Files, click the Delete Files button.
    • There are three options in the window to clear the cache - Leave ALL 3 Checked
      • Downloaded Applets
        Downloaded Applications
        Other Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.


  • Windows Updates
    Remeber to Check Windows for updates


  • Flush System Restore
    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    2. Restart your computer.

    3. Turn ON System Restore.On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
System Restore will now be active again.


To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?
[/list]
  • 0

#15
slreagan
Posted 01 January 2008 - 10:21 PM

slreagan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Thanks for all the help! The machine seems to be running fine now. On my last reboot, I did get an odd message, though, as the system was coming back up. It said: "One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful." I have not had any problems since then nor any warnings from AVG. Any ideas why that might have happened?

I have updated Java, flushed the old restore points and reset a new one, and downloaded Spyware Blaster. Can I now uninstall HijackThis, DSS, OTMoveIt, ComboFix, VundoFix, and Flash_Disinfector? I plan to continue running AVG antivirus and SuperAntiSpyware Free Edition.

Thanks again for all the help!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP