Old 07-04-2008, 04:06 PM   #1 (permalink)
Chevy57Sue
Registered User
 
Join Date: Jul 2008
Posts: 13
OS: Vista


Winspyware Hijacks my desktop and screen saver

Before I begin I should tell you that someone just gave me your site after I had done a lot of things on my own. I had Spyware Doctor w/Antivirus running when this occurred. After lengthy questioning of my grandson (who was using the computer immediately before all this started happening) he finally admitted that something did happen when he was on my computer. He said a window popped up and prompted him to download the latest Java update. When he got off the computer is when I noticed the big sign on my desktop. Attaching a jpg of that file to this post.

There were also a couple of programs in the systray. One was an antivirus, the other a spyware cleaner. They kept popping up and running, saying I had spyware on my computer and then prompting me to buy their product. I clicked on Start and All Programs looking for these two programs on the list. The WinSpyware was on the list but the other one wasn't. It had an uninstall link so I used that several times and it said it uninstalled, but the programs were still in my systray. So being the impatient person I am I went to Add/Remove Programs but they weren't listed there, so I went to the Program Files folder and started putting anything that I didn't know what it was in the recycle bin lol. I'm gonna attach just the top portion of the box that was popping up from one of the programs so you can see the name. I went to my restore wizard to try to restore the puter to a time before my grandson got on it and there were no restore points there. I know there were lots because a couple of weeks ago I restored the computer, but I can't think of why I did it that time. Since my desktop was changed I went to the display settings under Control Panel and tried to put my background and font settings back to the way they were. When I got there I noticed there was no longer any way to change the screen savers, which btw I normally have turned off cause it bugs me. It let me change my background color but not the fonts for some reason. But the sign was still on my desktop.

Occasionally a blue screen would pop up and tell me that Windows was being shut down to protect my computer. But I noticed that when it supposedly restarted Windows, Spyware Doctor was still doing a scan on my puter and it didn't take me to my sign-in screen like it normally does.

In the meantime I was frantically contacting Spyware Doctor tech support and was trying to run a scan with Spyware Doctor. I guess the best way to tell you from here what I did is to copy all the msgs I posted at Spyware Doctor's tech support site. I'm gonna make them a diff color font in case you want to skip them and go right to the reports.
10:14:51 PM
Wed, Jul 2nd 2008
Quote [Spyware Doctor] Technical Support
--------------------------------------------------------------------------------
I've got a huge sign on my desktop saying I'm infected. There were a couple of programs showing in the system tray scanning for spyware supposedly and finding thousands of threats, prompting me to buy the software. It was actually on my programs list but wouldn't uninstall even though it had an uninstall option. I put one of the folders in my recycle bin and the popping up stopped for now. There are no longer any restore points on my computer. I know I had restore points at least 2 weeks ago because I restored it then. This all started happening after one of my grandchildren was on the computer. I have no idea where it came from and of course the children are denying any problems while they were on the computer. grrrrrr I ran the malware thing but it wants me to provide a support number to finish. Could you please help me. All my desktop display settings have been changed as well.
------
I provided a description when I got the ticket number. I finally got Spyware Doctor to run and it detected a malware and said it removed it; however the sign is still on my desktop. I was so frustrated that I had already deleted a file that I knew was not on my computer the day before. It was listed under Program Files and it was the program that I mentioned before, an xpantivirus program that had an uninstall link but didn't work the numerous times I tried to uninstall it. Appreciate any suggestions or help you can give me. I have the antivirus activated in Spyware Doctor. I didn't realize it had an antivirus on my copy. I must have purchased the antivirus portion when I renewed last year?
SD Version: 5.5.1.322
DB Version: 5.10160e
log.zip ( 69 KB)


6:04:44 PM
Thu, Jul 3rd 2008
Quote More info
--------------------------------------------------------------------------------
I went to safe mode and ran Spyware Doctor. It didn't want to but I did it anyway. It found something, a threat that it had found before, but when the puter booted up that big sign was still on my desktop. So I ran Spyware Doctor again. It found FakeThreat and I had it fix it and the big sign is now gone off my desktop. I wonder though why it didn't find this threat to begin with? I'm still getting the blue screens saying Windows has been shut down due to a problem. It restarts Windows though and eventually loads it up.
Carla Hensley
Customer

1:50:08 PM
Thu, Jul 3rd 2008
Quote More information
--------------------------------------------------------------------------------
I was just told by someone I sent an email to yesterday that when they opened my email they had pop-ups going off, and from that point on every email they opened did the same thing. They are currently running Norton Antivirus and they have the one with all the bells and whistles and evidently it hasn't caught this beast either.

I downloaded Avasti? antivirus for free to run a check and it started and then said I had an active infection and should run it at startup/boot up. So I did that and so far here are the files that are affected.
First the system files, all located in directory c:\windows\system32:
kernel32.dll
winsock.dll
wsock32.dll
I put all the files it would let me into the "chest" quarantine in avasti

infected files
.dll c:\program files
.tt3.tmp.vbs
_addon.exe
Ao238854.dll
a0238855.dll
ao238856.exe
ao238861.exe
ao238862.exe
a0238863.exe
ao238864.exe
ao238865.exe
ao238866.exe
a0238867.exe
ao238868.exe
ao238869.exe
ao238870.exe
ao238871.exe
ao238871.dll
ao238872.exe
atmadm2.exe
carnivores2-dm{1}.exe
deerdrive-dm{1}.exe
kgqfweltlkb.dll
lphcph1j0ev0a.exe
lprn32.exe
nflheadcoachprimaofficial ???
okmdepgb.dll
pphcph1j0ev0a.exe
startersordersetup-dm[1].exe
steeltide-dm[1].exe
trz26.tmp
ultimateduckhunting-dm[1].exe
dh2004setup-dm[1].exe

The following is a list of the assorted virus names
Win32:Adware-gen[Adw] most are infected with this one
Win32:Trojan-gen [other]
Win32:Agent-ZND [Trj]
VBS:Malware-gen
Win32:Vapsup-EB [Adw]
Win32:Agent-LTS [Trj]
Win32:Fraudo [Trj]

Hope the additional information helps. Let me know if you need anything else. I hope the puter will stay on for the time being. I wonder if it's safe to email myself the family photos etc that are stored on the hard drive? I'm also getting a blue screen occasionally that says Windows has shut down because of a problem and to reboot and go to safe mode to find the problem, but it always disappears after a minute or two and loads up Windows, so I don't know if that's a fake screen or the real thing.


11:11:06 PM
Thu, Jul 3rd 2008
Quote oops Still Getting the Blue Screen
--------------------------------------------------------------------------------
This afternoon while I was running the Spyware Doctor scan again the blue screen popped up and said Windows needed to be closed. There is lots of writing on this blue screen; it tells you to check newly installed programs etc and says it is going to reboot the computer. However, when it does reboot the computer it goes straight back to the desktop instead of the log-in screen you would normally get if you rebooted the computer yourself. So I have a feeling this blue screen is fake as well, but Spyware Doctor is not finding any more infections.

At the top of the blue screen it shows something different usually each time as the reason it is closing Windows. Here are 3 that I thought to write down.
SYSINTERALS_GREAT_SITE
BAD_POOL_HEADER
NO_MORE_IRP_STACK_LOCATION

None of those seem like legitimate reasons to close Windows, but then I don't know a whole lot either. Can you give me some input here as to whether those blue screens actually mean anything or if they are part of a trojan or virus that remains on my computer?

Ok now, when I followed your directions and went to Panda, for some reason it wouldn't clean the things it found on my system, and it did find some things. It said oops, a technical problem, we are working on it. So naturally I thought I had done something wrong, after another while of deleting more programs and junk I had on my puter, so I went and ran the Panda thing again. Same thing happened... I got the reports but it wouldn't remove what it found. I'm going to attach both of those because this is getting long lol. I'm also uploading the extra.txt thing and now I'm posting the main.txt document.

Deckard's System Scanner v20071014.68
Run by Sue Hensley on 2008-07-04 14:05:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
19: 2008-07-04 17:56:25 UTC - RP959 - Deckard's System Scanner Restore Point
18: 2008-07-04 17:44:47 UTC - RP958 - Software Distribution Service 3.0
17: 2008-07-04 02:54:45 UTC - RP957 - Software Distribution Service 3.0
16: 2008-07-04 02:32:56 UTC - RP956 - Software Distribution Service 3.0
15: 2008-07-03 09:33:18 UTC - RP955 - Removed Java(TM) 6 Update 5


-- First Restore Point --
1: 2008-07-03 01:40:21 UTC - RP941 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sue Hensley.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:39 PM, on 7/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Sue Hensley\Desktop\dss.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sue Hensley.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: nqgpedlr - {EC4A1CF6-AE63-45C3-B7C7-E427DA6CBFD9} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140831913671
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140854436781
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WON...herControl.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...er/install.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://plato.fcps.net/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: awtuuTmK - awtuuTmK.dll (file missing)
O21 - SSODL: axrfgvek - {972459E8-CE12-4289-88DF-F4228E52271F} - C:\WINDOWS\axrfgvek.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: Desktop Uninstall - (no file)

--
End of file - 13047 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 HWFProt (Hywave File Protector HWFProt) - c:\windows\system32\drivers\hwfprot.sys <Not Verified; HyWave Corporation; HyWave (TM) 2003 for Windows NT/2K>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S2 SoftFax - c:\windows\system32\drivers\hsf_faxx.sys
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 GoogleDesktopManager - "c:\program files\google\google desktop search\googledesktopmanager.exe" (file missing)
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-04 03:49:30 434 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8AFCF9BF-A0FB-423C-831D-FF810EDC87C1}.job


-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 14:07:25 0 d-------- C:\Program Files\Trend Micro
2008-07-04 13:26:20 0 d-------- C:\Program Files\MWSnap
2008-07-03 23:21:14 0 d-------- C:\WINDOWS\Prefetch
2008-07-03 23:11:40 0 d-------- C:\WINDOWS\system32\scripting
2008-07-03 23:11:38 0 d-------- C:\WINDOWS\l2schemas
2008-07-03 23:11:37 0 d-------- C:\WINDOWS\system32\en
2008-07-03 20:57:29 0 d-------- C:\Program Files\Panda Security
2008-07-03 05:17:40 259584 --a------ C:\WINDOWS\system32\xtbaksm.dll
2008-07-03 05:17:39 510 --a------ C:\WINDOWS\system32\xtupdate.dat
2008-07-03 05:17:39 259584 --a------ C:\WINDOWS\system32\xtbaksm.dat
2008-07-03 04:04:41 0 dr-h----- C:\Documents and Settings\Sue Hensley\Recent
2008-07-03 00:30:11 0 d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-02 22:17:16 0 d-------- C:\Program Files\Alwil Software
2008-07-02 15:36:34 863 --ahs---- C:\WINDOWS\system32\VDcbLRqr.ini2
2008-07-02 15:35:45 62910 --a------ C:\Program Files\Uninstall.exe <Not Verified; $PROGRAMNAME; $PROGRAMNAME>
2008-07-02 15:35:45 0 --a------ C:\Program Files\uninstall.dat
2008-07-02 14:24:14 28288 --a------ C:\WINDOWS\system32\jkkHAtuS.dll
2008-07-02 14:20:35 0 d-------- C:\Documents and Settings\Sue Hensley\Application Data\rhcth1j0ev0a
2008-07-02 14:19:55 155648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-02 14:19:55 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-02 14:19:55 94208 --a------ C:\WINDOWS\epnv.exe
2008-07-02 14:19:55 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-02 14:19:41 60928 --a------ C:\WINDOWS\system32\blphcph1j0ev0a.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-06-27 16:00:22 0 d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-06-21 17:12:22 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-21 17:11:21 0 d-------- C:\Program Files\Common Files\PC Tools
2008-06-21 17:09:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-06-21 17:09:21 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-06-19 10:40:55 88296 --a------ C:\Documents and Settings\Sue Hensley\Application Data\GDIPFONTCACHEV1.DAT


-- Find3M Report ---------------------------------------------------------------

2008-07-03 23:12:04 0 d-------- C:\Program Files\Messenger
2008-07-03 23:11:37 0 d-------- C:\Program Files\Movie Maker
2008-07-03 23:08:32 0 d-------- C:\Program Files\Windows NT
2008-07-03 06:56:21 0 d-------- C:\Program Files\Spyware Doctor
2008-07-03 06:24:13 0 d-------- C:\Program Files\Common Files\AOL
2008-07-03 05:34:21 0 d-------- C:\Program Files\Java
2008-07-03 03:37:28 0 d-------- C:\Program Files\Common Files
2008-07-03 03:25:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-03 03:22:45 0 d-------- C:\Program Files\Windows Live
2008-07-02 21:41:06 0 d-------- C:\Program Files\Amazon
2008-07-02 21:41:06 0 d-------- C:\Documents and Settings\Sue Hensley\Application Data\Amazon
2008-06-21 16:37:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-20 11:38:00 0 d-------- C:\Program Files\MySpace
2008-06-20 01:56:45 0 d-------- C:\Program Files\Sony
2008-06-20 01:32:09 0 d-------- C:\Program Files\Shockwave.com
2008-05-06 19:23:41 0 d-------- C:\Program Files\Avery Wizard 3.1
2008-05-06 18:33:03 0 d-------- C:\Program Files\Common Files\Avery
2008-04-13 14:58:25 848 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-06 15:32:28 0 --a------ C:\Documents and Settings\Sue Hensley\Application Data\AVSDVDPlayer.m3u


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/06/2003 03:16 PM]
"nwiz"="nwiz.exe" [10/06/2003 03:16 PM C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/08/2007 03:35 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 07:19 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/20/2008 02:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"= {972459E8-CE12-4289-88DF-F4228E52271F} - C:\WINDOWS\axrfgvek.dll [07/02/2008 12:30 PM 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuuTmK]
awtuuTmK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^StupAssist.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\StupAssist.lnk
backup=C:\WINDOWS\pss\StupAssist.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sue Hensley^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sue Hensley\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HuntingUnl4.exe]
C:\DOWNLO~1\HUNTIN~1.EXE /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect]
"C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-04 14:13:17 ------------


I've been reading off and on today on your forum and I'm noticing that in a lot of the reports people are posting, one of the last 5 restore points on their computers is an update to Java. I had something similar to this happen to me about a year ago on my puter. It happened immediately after I accepted an update to Adobe Reader. All restore points were gone, my internet connection wouldn't work... it was a mess and I ended up having to reformat everything after spending 2 days on the phone with a tech from Dell in India, and I lost a lot of stuff I couldn't replace. That's why, when I saw that uninstall wasn't working, I went through and started deleting things in my program files trying to get the dang virus off my puter before it destroyed something that would cause me to have to reformat again.

Oh, now I remember why I had to restore a couple of weeks ago. There was a storm and our lights went out, and afterwards the CPU fan wouldn't work on this computer, and when Windows booted up it said it couldn't find it or something. So I tried restore to see if it would find it then, but that didn't work. So knowing that a hot CPU would burn up my puter, I gave up and turned it off and called Dell and bought a brand new XPS... sweet little puter, let me tell ya... then lo and behold, a miracle happened. I turned on this old puter to quickly send some emails with files I wanted on the new puter, and this time it found the CPU fan and the fan was working lol. I looked in the back and sure enough it was running. I think my computer was as attached to me as I am to it lol. So being the creature of habit that I am, I have continued to use this old computer while my new one is sitting 4 feet away from me collecting dust.

btw I have run Spyware Doctor lots of times in the past couple of days and it always finds something, but I noticed it keeps finding the same things over and over again even though they were supposedly fixed the time before.

Right now the only problem I'm having is that dang blue screen popping up, but it only pops up when the puter has been idle for a few minutes, so I'm pretty sure it's a screen saver or something like that.

Appreciate any help you can give me to get this mess completely cleaned up. I'm really concerned about that kernel32 and the winsock files that showed up in the antivirus scan as being affected by the virus/spyware. I haven't unplugged my connection to the internet since this started, I don't think. I have cable, so whether the computer is on or off it's connected. I wonder if I turned off my cable modem whether I would have a problem connecting again.

Happy 4th of July. I'll be checking back for a reply in the next couple of days. I know you must be very busy and if push comes to shove I can always dust off my new baby (XPS) and get online there.
Attached Images
File Type: jpg SignonDeckTop.jpg (24.2 KB, 1 views)
File Type: jpg WinSpyware.jpg (2.0 KB, 1 views)
Attached Files
File Type: txt ActiveScan.txt (4.8 KB, 0 views)
File Type: txt ActiveScan2.txt (5.0 KB, 0 views)
File Type: txt extratesttokeep.txt (14.3 KB, 0 views)