Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-Backdoor.gen, EICAR-AV-TEST, Troj/Virtum-Gen [RESOLVED]

Started by Gunner19 , May 06 2008 05:36 PM

  • This topic is locked This topic is locked

#1
Gunner19
Posted 06 May 2008 - 05:36 PM

Gunner19

    New Member

  • Member
  • Pip
  • 4 posts
I get a windows security alert telling me someone is trying to hack my computer. i also get a notification of spyware and viruses infecting my computer. Here's a Log from Hijack This.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24, on 2008-05-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\temporary_download\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DVA Gate - {7A6FD945-14B0-41F8-84FB-74DEF17528BB} - C:\WINDOWS\qnmargolxgn.dll (file missing)
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Policies\Explorer\Run: [uxnCvkAohL] C:\Documents and Settings\All Users\Application Data\kjkpqdyr\etupenez.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.runescape.com
O20 - Winlogon Notify: rqRHwXRj - rqRHwXRj.dll (file missing)
O21 - SSODL: vadokmxt - {C2781D49-2DBF-4001-909F-E9A459BA025C} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {28D5F124-32C1-4401-85E4-1A68FF84D3C8} - C:\WINDOWS\wdpoefan.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5342 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 07 May 2008 - 10:12 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
Gunner19
Posted 08 May 2008 - 12:01 AM

Gunner19

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here are the 3 logs produced from the 2 programs


SDFix: Version 1.180
Run by Administrator on Mon 05/05/2008 at 10:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\dpevflbg.dll - Deleted
C:\WINDOWS\olgdqarf.exe - Deleted
C:\WINDOWS\system32\akttzn.exe - Deleted
C:\WINDOWS\system32\anticipator.dll - Deleted
C:\WINDOWS\system32\awtoolb.dll - Deleted
C:\WINDOWS\system32\bdn.com - Deleted
C:\WINDOWS\system32\dpcproxy.exe - Deleted
C:\WINDOWS\system32\h@tkeysh@@k.dll - Deleted
C:\WINDOWS\system32\hoproxy.dll - Deleted
C:\WINDOWS\system32\hxiwlgpm.dat - Deleted
C:\WINDOWS\system32\hxiwlgpm.exe - Deleted
C:\WINDOWS\system32\medup012.dll - Deleted
C:\WINDOWS\system32\medup020.dll - Deleted
C:\WINDOWS\system32\msgp.exe - Deleted
C:\WINDOWS\system32\msnbho.dll - Deleted
C:\WINDOWS\system32\mssecu.exe - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted
C:\WINDOWS\system32\mtr2.exe - Deleted
C:\WINDOWS\system32\mwin32.exe - Deleted
C:\WINDOWS\system32\netode.exe - Deleted
C:\WINDOWS\system32\newsd32.exe - Deleted
C:\WINDOWS\system32\ps1.exe - Deleted
C:\WINDOWS\system32\psof1.exe - Deleted
C:\WINDOWS\system32\psoft1.exe - Deleted
C:\WINDOWS\system32\regc64.dll - Deleted
C:\WINDOWS\system32\regm64.dll - Deleted
C:\WINDOWS\system32\Rundl1.exe - Deleted
C:\WINDOWS\system32\sncntr.exe - Deleted
C:\WINDOWS\system32\ssvchost.com - Deleted
C:\WINDOWS\system32\ssvchost.exe - Deleted
C:\WINDOWS\system32\sysreq.exe - Deleted
C:\WINDOWS\system32\taack.dat - Deleted
C:\WINDOWS\system32\taack.exe - Deleted
C:\WINDOWS\system32\temp#01.exe - Deleted
C:\WINDOWS\system32\thun.dll - Deleted
C:\WINDOWS\system32\thun32.dll - Deleted
C:\WINDOWS\system32\VBIEWER.OCX - Deleted
C:\WINDOWS\system32\vbsys2.dll - Deleted
C:\WINDOWS\system32\vcatchpi.dll - Deleted
C:\WINDOWS\system32\winlogonpc.exe - Deleted
C:\WINDOWS\system32\winsystem.exe - Deleted
C:\WINDOWS\system32\WINWGPX.EXE - Deleted
C:\WINDOWS\vadokmxt.dll - Deleted
C:\WINDOWS\wdpoefan.dll - Deleted
C:\WINDOWS\wxvgsdbq.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 22:32:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 9 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 1 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 5 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT33.tmp"

Finished!



Log 2 Main from DSS

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-05 22:56:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-05-06 05:56:25 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-05-06 00:34:57 UTC - RP3 - System Checkpoint
2: 2008-05-04 18:34:18 UTC - RP2 - April 06, 2008 Getting Rid of Trojans
1: 2008-05-04 06:25:03 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:58, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.runescape.com
O20 - Winlogon Notify: rqRHwXRj - rqRHwXRj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4400 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)

S3 SQTECH905C (Dual Camera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\idsdefs\20080429.001\symidsco.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-05 22:58:00 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 22:57:42 0 d-------- C:\Program Files\Trend Micro
2008-05-05 22:21:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-30 22:02:41 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\CyberLink
2008-04-30 21:07:27 68096 --a------ C:\WINDOWS\zip.exe
2008-04-30 21:07:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-30 21:07:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-30 21:07:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-30 21:07:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-30 21:07:27 98816 --a------ C:\WINDOWS\sed.exe
2008-04-30 21:07:27 80412 --a------ C:\WINDOWS\grep.exe
2008-04-30 21:07:27 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 06:55:10 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Webroot
2008-04-29 06:52:12 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Identities
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\WINDOWS
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Templates
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Start Menu
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\SendTo
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Recent
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\PrintHood
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\NetHood
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\My Documents
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Local Settings
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Favorites
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Desktop
2008-04-29 06:52:11 0 d---s---- C:\Documents and Settings\Administrator.YOUR-34734D0667\Cookies
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\SampleView
2008-04-29 06:52:11 0 d---s---- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Microsoft
2008-04-29 06:52:10 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-34734D0667\NTUSER.DAT
2008-04-29 06:51:48 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-25 23:08:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-25 23:02:44 0 d-------- C:\Program Files\Webroot
2008-04-25 23:02:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-25 23:02:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-24 19:56:00 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-24 18:40:54 0 d-------- C:\Documents and Settings\All Users\Application Data\kjkpqdyr
2008-04-22 22:48:45 0 d-------- C:\Program Files\SymNetDrv
2008-04-16 20:24:35 0 d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-05 22:28:51 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2008-05-03 16:28:28 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-03 16:23:01 0 d-------- C:\Program Files\Symantec
2008-05-03 16:21:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-03 16:20:46 0 d-------- C:\Program Files\Common Files
2008-05-03 16:19:34 0 d-------- C:\Program Files\PhoTags Express
2008-05-03 15:34:22 0 d-------- C:\Program Files\LimeWire
2008-04-23 00:34:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-11 23:51:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-11 23:48:04 2758 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-07 00:27:51 0 d-------- C:\Program Files\Pure Networks
2008-04-07 00:27:50 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-05 22:29:16 0 d-------- C:\Program Files\iTunes
2008-04-05 22:25:01 0 d-------- C:\Program Files\QuickTime
2008-03-30 01:54:52 0 d-------- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-03-30 01:53:39 0 d-------- C:\Program Files\Outspark
2008-03-30 01:53:23 0 d-------- C:\Program Files\Ahead
2008-03-30 01:00:02 0 d-------- C:\Program Files\MixMeister Fusion
2008-03-29 19:48:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-29 11:10:49 0 d-------- C:\Documents and Settings\Owner\Application Data\FileMaker
2008-03-29 11:09:24 0 d-------- C:\Program Files\PhotoByte® v5.2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 16:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 16:47]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [2004-04-26 03:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHwXRj]
rqRHwXRj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{528be243-955c-11dc-990a-00038a000015}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc1c68f1-0060-11dd-9945-00e0b892710b}]
AutoRun\command- G:\ONSPCLCK.exe




-- End of Deckard's System Scanner: finished at 2008-05-05 22:59:00 ------------



Log 3 Extra from DSS

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.40GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 502.42 MiB / 211.55 MiB
Pagefile Memory (total/avail): 1226.13 MiB / 972.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.85 MiB

C: is Fixed (NTFS) - 49.04 GiB total, 23.13 GiB free.
D: is Fixed (FAT32) - 6.83 GiB total, 4 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 49.04 GiB - C:
\PARTITION1 - Unknown - 6.84 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Spy Sweeper with AntiVirus v5.5.7.103 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-34734D0667
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-34734D0667
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-34734D0667
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.YOUR-34734D0667 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A70000000000}
Adobe Reader Multimedia Package --> MsiExec.exe /I{AC76BA86-7AD7-EF45-47A7-7E8A45000002}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Alien Skin Exposure 2 Demo --> C:\PROGRA~1\Adobe\ADOBEP~1\Plug-Ins\ALIENS~1\EXPOSU~1\Unwise32.exe C:\PROGRA~1\Adobe\ADOBEP~1\Plug-Ins\ALIENS~1\EXPOSU~1\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Conexant AC-Link 2 Channel Audio --> CIAunwdm.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\temporary_download\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MyDSC2 --> C:\Program Files\InstallShield Installation Information\{83d96ed0-98aa-4515-8ddc-816f3efdd104}\setup.exe
MyDSC2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B9622D9-5A0C-4610-B346-32FA6E14BBFA}\Setup.exe" -l0x9
Opera 9.23 --> MsiExec.exe /X{E9EEE4CB-CB2B-4273-9AF5-7E12022B444B}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_0360107B\HXFSETUP.EXE -U -IVEN_8086&DEV_24C6&SUBSYS_0360107B
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8E50332B-772C-4AEA-BF56-94DE6A1D5F10} /l1033
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3496 / Error
Event Submitted/Written: 05/05/2008 09:23:47 AM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (660) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type3495 / Error
Event Submitted/Written: 05/05/2008 09:23:35 AM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (660) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type3494 / Error
Event Submitted/Written: 05/05/2008 09:18:12 AM
Event ID/Source: 485 / ESENT
Event Description:
wuauclt (3256) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type3493 / Error
Event Submitted/Written: 05/05/2008 09:18:00 AM
Event ID/Source: 490 / ESENT
Event Description:
wuauclt (3256) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type3492 / Error
Event Submitted/Written: 05/05/2008 09:17:45 AM
Event ID/Source: 454 / ESENT
Event Description:
wuauclt (3256) Database recovery/restore failed with unexpected error -510.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11697 / Error
Event Submitted/Written: 05/05/2008 10:30:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type11693 / Error
Event Submitted/Written: 05/05/2008 10:21:12 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SYMTDI
Tcpip

Event Record #/Type11692 / Error
Event Submitted/Written: 05/05/2008 10:21:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type11691 / Error
Event Submitted/Written: 05/05/2008 10:21:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Event Record #/Type11690 / Error
Event Submitted/Written: 05/05/2008 10:21:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-05 22:59:00 ------------
  • 0

#4
Rorschach112
Posted 08 May 2008 - 05:08 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - Winlogon Notify: rqRHwXRj - rqRHwXRj.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\Documents and Settings\All Users\Application Data\kjkpqdyr
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{528be243-955c-11dc-990a-00038a000015}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc1c68f1-0060-11dd-9945-00e0b892710b}
G:\ONSPCLCK.exe
purity 
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Reboot and post a new DSS log and tell me how your PC is running
  • 0

#5
Gunner19
Posted 08 May 2008 - 08:57 PM

Gunner19

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
OTMoveIt2 Log

Explorer killed successfully
C:\Documents and Settings\All Users\Application Data\kjkpqdyr moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{528be243-955c-11dc-990a-00038a000015} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{528be243-955c-11dc-990a-00038a000015}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc1c68f1-0060-11dd-9945-00e0b892710b} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc1c68f1-0060-11dd-9945-00e0b892710b}\\ deleted successfully.
File/Folder G:\ONSPCLCK.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_193954



Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.12
Database version: 734

Scan type: Quick Scan
Objects scanned: 33385
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0263d762-b6e5-4dcf-91a5-e1283d25e850} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{dc33216e-1322-437e-9d55-2dd312f190c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4005c168-1692-4cfd-b21b-03f29dc530d4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aeb838dd-2819-4a77-8bf8-e75405b85f6f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Tencent (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Plugin (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\ProtHand (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Tencent\QQ Games\configSave.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\InstallHelper.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\QQGamesD.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\vistaQG.bat (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\config (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\defaultlogin.swf (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\PositionInfo.data (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\Account.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Dynamic\LocalVersion.cfg (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\config\Original\BossKey.ini (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Tencent\QQ Games\ProtHand\GmpbProt.map (Adware.Agent) -> Quarantined and deleted successfully.
  • 0

#6
Rorschach112
Posted 09 May 2008 - 06:20 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Post a new DSS log
  • 0

#7
Gunner19
Posted 09 May 2008 - 10:37 PM

Gunner19

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-07 21:36:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36, on 2008-05-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner\Application Data\Opera\Opera\profile\cache4\temporary_download\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.runescape.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4674 bytes

-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-06 19:44:47 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-06 19:44:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 19:44:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 18:34:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Snapfish
2008-05-05 22:57:42 0 d-------- C:\Program Files\Trend Micro
2008-05-05 22:21:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-30 22:02:41 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\CyberLink
2008-04-30 21:07:27 68096 --a------ C:\WINDOWS\zip.exe
2008-04-30 21:07:27 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-30 21:07:27 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-30 21:07:27 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-30 21:07:27 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-30 21:07:27 98816 --a------ C:\WINDOWS\sed.exe
2008-04-30 21:07:27 80412 --a------ C:\WINDOWS\grep.exe
2008-04-30 21:07:27 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 06:55:10 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Webroot
2008-04-29 06:52:12 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Identities
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\WINDOWS
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Templates
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Start Menu
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\SendTo
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Recent
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\PrintHood
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\NetHood
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\My Documents
2008-04-29 06:52:11 0 d--h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Local Settings
2008-04-29 06:52:11 0 dr------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Favorites
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Desktop
2008-04-29 06:52:11 0 d---s---- C:\Documents and Settings\Administrator.YOUR-34734D0667\Cookies
2008-04-29 06:52:11 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data
2008-04-29 06:52:11 0 d-------- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\SampleView
2008-04-29 06:52:11 0 d---s---- C:\Documents and Settings\Administrator.YOUR-34734D0667\Application Data\Microsoft
2008-04-29 06:52:10 786432 --ah----- C:\Documents and Settings\Administrator.YOUR-34734D0667\NTUSER.DAT
2008-04-29 06:51:48 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-25 23:08:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-25 23:02:44 0 d-------- C:\Program Files\Webroot
2008-04-25 23:02:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-25 23:02:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-24 19:56:00 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-22 22:48:45 0 d-------- C:\Program Files\SymNetDrv
2008-04-16 20:24:35 0 d-------- C:\Documents and Settings\All Users\Application Data\ALM


-- Find3M Report ---------------------------------------------------------------

2008-05-06 21:12:47 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-03 16:23:01 0 d-------- C:\Program Files\Symantec
2008-05-03 16:21:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-03 16:20:46 0 d-------- C:\Program Files\Common Files
2008-05-03 16:19:34 0 d-------- C:\Program Files\PhoTags Express
2008-05-03 15:34:22 0 d-------- C:\Program Files\LimeWire
2008-04-23 00:34:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-11 23:51:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-11 23:48:04 2758 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-07 00:27:51 0 d-------- C:\Program Files\Pure Networks
2008-04-07 00:27:50 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-05 22:29:16 0 d-------- C:\Program Files\iTunes
2008-04-05 22:28:51 0 d-------- C:\Program Files\iPod
2008-04-05 22:25:01 0 d-------- C:\Program Files\QuickTime
2008-03-30 01:54:52 0 d-------- C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-03-30 01:53:39 0 d-------- C:\Program Files\Outspark
2008-03-30 01:53:23 0 d-------- C:\Program Files\Ahead
2008-03-30 01:00:02 0 d-------- C:\Program Files\MixMeister Fusion
2008-03-29 19:48:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-29 11:10:49 0 d-------- C:\Documents and Settings\Owner\Application Data\FileMaker
2008-03-29 11:09:24 0 d-------- C:\Program Files\PhotoByte® v5.2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 16:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 16:47]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [2004-04-26 03:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dada4e82-6fde-11dc-98fd-806d6172696f}]
AutoRun\command- E:\dvd_rom.exe




-- End of Deckard's System Scanner: finished at 2008-05-07 21:36:29 ------------
  • 0

#8
Rorschach112
Posted 10 May 2008 - 05:26 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html




Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#9
Rorschach112
Posted 14 May 2008 - 05:28 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP