Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
02-17-2007, 06:53 PM   #1
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


persistent rootkit and messenger service pop-ups

Hi,

I'm back! I posted here a few months ago and am still having problems. Originally, I sought help with the removal of x-cleaner and then to regain control of my computer.

I did two clean installs and ran into the same problems both times. First, when connected to the internet, I would get messenger service popups saying I had 55 critical system errors or that my registry was damaged or corrupted. The popups would instruct me to log onto certain websites such as registryalert.com, helpfix.com, or registrycleanerxp.com to rid me of these popups. Of course, I did not.

I have dial up and it was taking considerable time to download my virus protection and explorer updates. I kept getting kicked off the computer. Once I got trend pc-cillin downloaded, it never worked.

I tried to download ad-aware and run it and my computer went kafluwey! I couldn't connect to the internet anymore and something in my computer was trying to connect by itself.

I had to take it to the shop. After two weeks, all they were able to do was remove the viruses and spyware programs. They said I had some devils, but gave me no particulars.

When I got it home and tried to log on, I was unable to download websites. I would have blank screens. I decided to reinstall again. And I'm still getting messenger service pop-ups and got kicked off the internet when I tried to do the panda scan. Here's what I've been able to do so far:

I downloaded pc-cillin from disk and ran it. It found no viruses, but removed some spyware. Logs below.

I downloaded ad-aware with the vx2 tool and ran them. Ad-Aware found 2 alexa items and some MRU list items, which I removed with the program. I also downloaded spyware blaster and spyguard and have them running.

Have tried doing two panda active scans and got kicked off both times. Last time things got dicey: I got an "lsass.exe application error" which said "0x77f5234e" memory could not be written. Then my spyguard program kicked in and said I had a BHO called toolbar trying to download. Then I got kicked off. There must have been some changes made to my computer, because I had trouble logging on to the internet again and had to dial up from Earthlink's disk.

I have windows xp with sp1 and I did manage to download sp1a. It took 6 hours, but I didn't get kicked off....

I downloaded ComboScan and HijackThis and ran them. Logs below.

When I was trying to do my panda scan, my pc-cillin was trying to update. The update stopped when I got kicked off, but when I looked at my Trend's logs I saw it found two viruses right around the time I thought it was updating.... (log below).

I will continue, cautiously, to download my updates for pc-cillin and do a panda scan, but I wanted to get this thread in in case I have trouble getting back on.

Here are my logs so far:

Trend: (one spyware log taken out to shorten, per request)

"Virus Scan Logs","2007/02/17","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"19:19","File Monitor","File","BKDR_SDBOT.GAA","C:\WINDOWS\system32\.exe","Quarantine Success",""
"19:57","File Monitor","File","WORM_SDBOT.DYX","C:\WINDOWS\system32\TFTP3172","Quarantine Success",""


"Spyware Scan Logs","2007/02/16","GALAXY"
"Time","Area","Item Name","Detected Resource","Target","Action"
"21:14","Bad Internet Browser Cookies","Cookie_2o7","Internet Explorer Cache","2o7.net","Detected"
"21:14","Bad Internet Browser Cookies","Cookie_Tacoda","Internet Explorer Cache","tacoda.net","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\S-1-5-21-602162358-2052111302-725345543-1004\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:22","Bad Internet Browser Cookies","Cookie_2o7","Internet Explorer Cache","2o7.net","Quarantined"
"21:22","Bad Internet Browser Cookies","Cookie_Tacoda","Internet Explorer Cache","tacoda.net","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\S-1-5-21-602162358-2052111302-725345543-1004\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"22:48","Your computer's memory","aawsepersonal.exe","C:\Documents and Settings\deborah stone\Desktop","aawsepersonal.exe","Detected"
"22:53","Your computer's memory","vx2cleaner_inst.exe","C:\Documents and Settings\deborah stone\Desktop","vx2cleaner_inst.exe","Detected"
"23:05","Your computer's memory","spywareblastersetup351.exe","C:\Documents and Settings\deborah stone\Desktop","spywareblastersetup351.exe","Detected"
"23:05","Your computer's memory","is-N71PS.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\is-0NV6C.tmp","is-N71PS.tmp","Detected"
"23:05","Your computer's memory","spywareblaster.exe","C:\Program Files\SpywareBlaster","spywareblaster.exe","Detected"
"23:12","Your computer's memory","spywareguardsetup.exe","C:\Documents and Settings\deborah stone\Desktop","spywareguardsetup.exe","Detected"
"23:12","Your computer's memory","INS6B.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp","INS6B.tmp","Detected"
"23:13","Internet Explorer plug-ins","C:\Program Files\SpywareGuard\dlprotect.dll","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects","{4A368E80-174F-4872-96B5-0B27DDD11DB2}","Detected"
"23:13","Your computer's startup software","C:\Program Files\SpywareGuard\sgmain.exe","C:\Documents and Settings\deborah stone\Start Menu\Programs\StartUp\SpywareGuard.lnk","C:\Program Files\SpywareGuard\sgmain.exe","Detected"
"23:44","Your computer's memory","spybotsd14.exe","C:\Documents and Settings\deborah stone\Desktop","spybotsd14.exe","Detected"
"23:44","Your computer's memory","is-QA8RD.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\is-29QJ5.tmp","is-QA8RD.tmp","Detected"
"23:44","Internet Explorer plug-ins","C:\Program Files\Spybot - Search & Destroy\SDHelper.dll","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects","{53707962-6F74-2D53-2644-206D7942484F}","Detected"
"23:45","Your computer's memory","SpybotSD.exe","C:\Program Files\Spybot - Search & Destroy","SpybotSD.exe","Detected"
"23:58","Your computer's memory","update.exe","C:\Program Files\Spybot - Search & Destroy","update.exe","Detected"


comboscan:

ComboScan v20070212.14 run by deborah stone on 2007-02-17 at 19:42:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as deborah stone.com) ------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:42:43 PM, on 2/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\lssas.exe
C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}\Update.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Documents and Settings\deborah stone\Desktop\comboscan.exe
C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\~hrjcqec.tmp\deborah stone.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38739~1\Bar888.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 aeaudio - system32\drivers\aeaudio.sys
3 ati2mtaa - System32\DRIVERS\ati2mtaa.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys
3 E100B (Intel(R) PRO Adapter Driver) - System32\DRIVERS\e100b325.sys
2 Fallback - System32\DRIVERS\HSF_FALL.sys
2 Fsks - System32\DRIVERS\HSF_FSKS.sys
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys
2 K56 - System32\DRIVERS\HSF_K56K.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0 PCIIde - System32\DRIVERS\pciide.sys
3 Rksample - System32\DRIVERS\HSF_SAMP.sys
3 smwdm - system32\drivers\smwdm.sys
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys
2 SpeakerPhone - System32\DRIVERS\HSF_SPKP.sys
3 tmcfw (Trend Micro Common Firewall Service) - System32\DRIVERS\TM_CFW.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
2 tmmbd (Trend Micro MBD Driver) - System32\DRIVERS\tm_mbd_c.sys
2 Tmpreflt - System32\drivers\Tmpreflt.sys
1 tmtdi (Trend Micro TDI Driver) - System32\DRIVERS\tmtdi.sys
2 tmxpflt - System32\drivers\TmXPFlt.sys
2 Tones - System32\DRIVERS\HSF_TONE.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
2 V124 - System32\DRIVERS\HSF_V124.sys
2 Vsapint - System32\drivers\VsapiNT.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 Client IP-IPX - "C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144
2 PcCtlCom (Trend Micro Central Control Component) - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
3 PcScnSrv (Trend Micro Protection Against Spyware ) - "C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe"
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 Tmntsrv (Trend Micro Real-time Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
2 TmPfw (Trend Micro Personal Firewall) - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
2 tmproxy (Trend Micro Proxy Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Files created between 2007-01-17 and 2007-02-17 ------------------------------

2007-02-17 19:42:39 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-17 19:30:06 0 d-------- C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}<{18739~1>
2007-02-17 19:28:40 0 d-------- C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}<{38739~1>
2007-02-17 19:28:38 2560 --a------ C:\WINDOWS\System32\unsvchosts.exe<UNSVCH~1.EXE><Unsigned: n/a>
2007-02-17 19:28:38 36864 --a------ C:\WINDOWS\System32\svchosts.exe<Unsigned: n/a>
2007-02-17 19:25:52 90437 --a------ C:\WINDOWS\System32\mc-110-12-0000144.exe<MC-110~1.EXE><Unsigned: n/a>
2007-02-17 19:03:32 13728 --a------ C:\WINDOWS\System32\setup_57320.exe<SETUP_~1.EXE><Unsigned: n/a>
2007-02-17 18:17:10 0 d-------- C:\WINDOWS\Prefetch
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ehome
2007-02-17 18:13:23 450176 -----n--- C:\WINDOWS\System32\drivers\ati2mtag.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 34735 -----n--- C:\WINDOWS\System32\drivers\atinxsxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 29455 -----n--- C:\WINDOWS\System32\drivers\atinxbxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 36463 -----n--- C:\WINDOWS\System32\drivers\atintuxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 21343 -----n--- C:\WINDOWS\System32\drivers\atinttxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 26367 -----n--- C:\WINDOWS\System32\drivers\atinsnxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 63663 -----n--- C:\WINDOWS\System32\drivers\atinrvxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 30671 -----n--- C:\WINDOWS\System32\drivers\atinraxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 12047 -----n--- C:\WINDOWS\System32\drivers\atinpdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 11615 -----n--- C:\WINDOWS\System32\drivers\atinmdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 56591 -----n--- C:\WINDOWS\System32\drivers\atinbtxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:21 921475 -----n--- C:\WINDOWS\System32\ati3d2ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 844675 -----n--- C:\WINDOWS\System32\ati3d1ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 202496 -----n--- C:\WINDOWS\System32\ati2dvag.dll<Signed: ATI Technologies Inc.>
2007-02-17 10:30:48 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-17 10:21:56 1168 --a------ C:\WINDOWS\mozver.dat
2007-02-17 10:07:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-17 1054 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-17 09:11:43 0 d-------- C:\WINDOWS\System32\NtmsData
2007-02-17 08:50:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-02-17 08:49:55 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-16 23:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-16 23:13:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-16 23:05:12 118784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-16 23:05:12 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-16 22:49:13 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Lavasoft
2007-02-16 22:49:08 0 d-------- C:\Program Files\Lavasoft
2007-02-16 22:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-16 22:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-16 21:54:44 0 d-------- C:\WINDOWS\System32\PreInstall<PREINS~1>
2007-02-16 21:54:40 0 d--h----- C:\WINDOWS\$hf_mig$
2007-02-16 21:53:53 0 d-------- C:\WINDOWS\System32\bits
2007-02-16 21:25:46 0 d-------- C:\WINDOWS\SoftwareDistribution<SOFTWA~1>
2007-02-16 21:10:21 101376 --a------ C:\WINDOWS\System32\drivers\tm_mbd_c.sys<Unsigned: Trend Micro Inc.>
2007-02-16 21:10:20 281600 --a------ C:\WINDOWS\System32\drivers\TM_CFW.sys<Signed: Trend Micro Inc.>
2007-02-16 21:09:53 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-02-16 21:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro<TRENDM~1>
2007-02-16 2158 0 d-------- C:\Program Files\Sophos
2007-02-16 21:03:24 0 d---s---- C:\Documents and Settings\deborah stone\UserData
2007-02-16 20:57:30 0 d-------- C:\Documents and Settings\deborah stone\Application Data\EarthLink Toolbar<EARTHL~2>
2007-02-16 20:54:42 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Earthlink<EARTHL~1>
2007-02-16 20:52:24 0 d-------- C:\Program Files\EarthLink TotalAccess<EARTHL~1>
2007-02-16 20:50:28 0 d-------- C:\Program Files\UIU
2007-02-16 20:38:29 0 d-------- C:\Program Files\Common Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:37:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:30:35 53248 --a------ C:\WINDOWS\System32\Prounstl.exe<Signed: Intel Corporation>
2007-02-16 20:30:35 23040 --a------ C:\WINDOWS\System32\IntelNic.dll<Signed: Intel Corporation>
2007-02-16 20:30:35 139776 --a------ C:\WINDOWS\System32\drivers\e100b325.sys<Signed: Intel Corporation>
2007-02-16 20:29:38 3744 --a------ C:\WINDOWS\System32\drivers\smsens.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:38 4816 --a------ C:\WINDOWS\System32\drivers\aeaudio.sys<Signed: Andrea Electronics Corporation>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\DSndUp.exe<Unsigned: Analog Devices Inc.>
2007-02-16 20:29:37 545208 --a------ C:\WINDOWS\System32\drivers\smwdm.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\CleanUp.exe<Unsigned: adi>
2007-02-16 20:29:37 720896 --a------ C:\WINDOWS\System32\a3d.dll<Signed: Sensaura Ltd>
2007-02-16 20:29:37 0 d-------- C:\Program Files\Analog Devices<ANALOG~1>
2007-02-16 20:28:58 4557 -----n--- C:\WINDOWS\System32\atiicdxx.sys<Unsigned: ATI Technologies Inc.>
2007-02-16 20:28:45 295168 --a------ C:\WINDOWS\System32\drivers\ati2mtaa.sys<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 1175642 --a------ C:\WINDOWS\System32\atioglaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 98304 --a------ C:\WINDOWS\System32\atiiprxx.exe<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 229376 --a------ C:\WINDOWS\System32\atiiiexx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 102400 --a------ C:\WINDOWS\System32\Atiidtxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 45056 --a------ C:\WINDOWS\System32\atiicpxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 327774 --a------ C:\WINDOWS\System32\atiicdxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 40960 --a------ C:\WINDOWS\System32\Ati2mdxx.exe<Signed: ATI Technologies, Inc.>
2007-02-16 20:28:45 318080 --a------ C:\WINDOWS\System32\ati2dvaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:27:48 0 d--hs---- C:\RECYCLER
2007-02-16 20:25:17 0 d-------- C:\Program Files\Intel
2007-02-16 20:24:57 0 d-------- C:\WINDOWS\System32\ReinstallBackups<REINST~1>
2007-02-16 20:23:43 176128 --a------ C:\WINDOWS\System32\RcdScan.dll<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:43 446464 -ra------ C:\WINDOWS\System32\hhactivex.dll<HHACTI~1.DLL><Unsigned: Blue Sky Software Corporation.>
2007-02-16 20:23:41 89360 --a------ C:\WINDOWS\System32\VB5DB.DLL<Unsigned: Microsoft Corporation>
2007-02-16 20:23:40 13632 -----n--- C:\WINDOWS\System32\drivers\omci.sys<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:40 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-16 20:23:34 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-02-16 20:22:13 0 d--hs---- C:\WINDOWS\Installer<INSTAL~1>
2007-02-16 20:21:57 1310720 --ah----- C:\Documents and Settings\deborah stone\NTUSER.DAT
2007-02-16 20:20:57 0 d--hs---- C:\System Volume Information<SYSTEM~1>
2007-02-16 20:20:56 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-02-16 20:20:55 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-02-16 20:18:12 0 d-------- C:\WINDOWS\System32\xircom
2007-02-16 20:18:12 0 d-------- C:\Program Files\microsoft frontpage<MICROS~1>
2007-02-16 20:18:09 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-02-16 20:18:09 0 d-------- C:\DELL
2007-02-16 20:18:00 0 -rahs---- C:\MSDOS.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 -rahs---- C:\IO.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\CONFIG.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\AUTOEXEC.BAT
2007-02-16 20:17:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-02-16 20:16:58 0 dr------- C:\WINDOWS\Offline Web Pages<OFFLIN~1>
2007-02-16 20:16:58 0 d---s---- C:\WINDOWS\Downloaded Program Files<DOWNLO~1>
2007-02-16 20:16:30 0 d-------- C:\WINDOWS\System32\DirectX
2007-02-16 20:15:55 28672 --a------ C:\WINDOWS\System32\isrdbg32.dll<Signed: Intel Corporation>
2007-02-16 20:15:49 0 d---s---- C:\WINDOWS\Tasks
2007-02-16 20:15:46 0 d-------- C:\Program Files\Common Files\MSSoap
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\System32\Macromed
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\srchasst
2007-02-16 20:15:40 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-02-16 20:15:37 0 d-------- C:\WINDOWS\PCHealth
2007-02-16 20:15:36 0 d-------- C:\WINDOWS\System32\Restore
2007-02-16 20:15:22 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat<EMPTYR~1.DAT>
2007-02-16 20:15:06 0 d-------- C:\WINDOWS\Registration<REGIST~1>
2007-02-16 20:14:37 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-02-16 20:14:37 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-02-16 20:14:31 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-16 20:14:27 0 d-------- C:\Program Files\MSN Gaming Zone<MSNGAM~1>
2007-02-16 20:14:20 489984 --a------ C:\WINDOWS\System32\hypertrm.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:20 44544 --a------ C:\WINDOWS\System32\hticons.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:10 1161 --a------ C:\WINDOWS\System32\usrlogon.cmd
2007-02-16 20:13:57 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\MsDtc
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\Com
2007-02-16 15:09:27 9759 --a------ C:\WINDOWS\System32\HSF_INST.dll<Signed: Conexant>
2007-02-16 15:09:27 488383 --a------ C:\WINDOWS\System32\drivers\HSF_V124.sys<Signed: Conexant>
2007-02-16 15:09:27 50751 --a------ C:\WINDOWS\System32\drivers\HSF_TONE.sys<Signed: Conexant>
2007-02-16 15:09:27 73279 --a------ C:\WINDOWS\System32\drivers\HSF_SPKP.sys<Signed: Conexant>
2007-02-16 15:09:27 44863 --a------ C:\WINDOWS\System32\drivers\HSF_SOAR.sys<Signed: Conexant>
2007-02-16 15:09:27 57471 --a------ C:\WINDOWS\System32\drivers\HSF_SAMP.sys<Signed: Conexant>
2007-02-16 15:09:27 542879 --a------ C:\WINDOWS\System32\drivers\HSF_MSFT.sys<Signed: Conexant>
2007-02-16 15:09:27 391199 --a------ C:\WINDOWS\System32\drivers\HSF_K56K.sys<Signed: Conexant>
2007-02-16 15:09:27 115807 --a------ C:\WINDOWS\System32\drivers\HSF_FSKS.sys<Signed: Conexant>
2007-02-16 15:09:27 199711 --a------ C:\WINDOWS\System32\drivers\HSF_FAXX.sys<Signed: Conexant>
2007-02-16 15:09:27 289887 --a------ C:\WINDOWS\System32\drivers\HSF_FALL.sys<Signed: Conexant>
2007-02-16 15:09:27 67167 --a------ C:\WINDOWS\System32\drivers\HSF_BSC2.sys<Signed: Conexant>
2007-02-16 15:09:27 150239 --a------ C:\WINDOWS\System32\drivers\HSF_AMOS.sys<Signed: Conexant>
2007-02-16 15:08:13 0 d-------- C:\Program Files\Common Files\ODBC
2007-02-16 15:08:10 0 dr------- C:\Program Files<PROGRA~1>
2007-02-16 15:08:10 0 d-------- C:\Program Files\Common Files\SpeechEngines<SPEECH~1>
2007-02-16 15:07:59 24661 --a------ C:\WINDOWS\System32\spxcoins.dll<Signed: Perle Systems Ltd.>
2007-02-16 15:07:59 103424 --a------ C:\WINDOWS\System32\EqnClass.Dll<Signed: Equinox Systems Inc.>
2007-02-16 15:07:59 85020 --a------ C:\WINDOWS\System32\dgsetup.dll<Signed: Digi International>
2007-02-16 15:07:59 176157 --a------ C:\WINDOWS\System32\dgrpsetu.dll<Signed: Digi International, Inc.>
2007-02-16 15:07:49 0 dr------- C:\Documents and Settings\All Users\Documents<DOCUME~1>
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot2
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot
2007-02-16 15:07:15 0 d-------- C:\Documents and Settings<DOCUME~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\WinSxS
2007-02-16 15:03:03 0 dr------- C:\WINDOWS\Web
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\twain_32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wins
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wbem
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\usmt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\spool
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ShellExt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\Setup
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ras
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\oobe
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\npp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\inetsrv
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\IME
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\icsxml
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ias
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\export
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\etc
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\disdn
2007-02-16 15:03:03 0 dr-hs--c- C:\WINDOWS\System32\dllcache
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\dhcp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3com_dmi
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3076
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\2052
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1054
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1042
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1041
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1037
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1033
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1031
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1028
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1025
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\security
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Resources<RESOUR~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\repair
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msapps
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msagent
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Media
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\java
2007-02-16 15:03:03 0 d--h----- C:\WINDOWS\inf
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\ime
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Help
2007-02-16 15:03:03 0 dr--s---- C:\WINDOWS\Fonts
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Driver Cache<DRIVER~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Debug
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Cursors
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Connection Wizard<CONNEC~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\AppPatch
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\addins


-- Find3M Report ----------------------------------------------------------------

2007-02-17 10:22:59 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Macromedia<MACROM~1>
2007-02-17 10:07:05 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Mozilla
2007-02-16 22:19:07 0 d---s---- C:\Documents and Settings\deborah stone\Application Data\Microsoft<MICROS~1>
2007-02-16 20:22:10 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Identities<IDENTI~1>
2007-02-16 15:07:49 62 --ahs---- C:\Documents and Settings\deborah stone\Application Data\desktop.ini


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Local Security Authority Service"="C:\\WINDOWS\\System32\\lssas.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CLIENT_IP-IPX


-- End of ComboScan: finished at 2007-02-17 at 19:45:14 -------------------------
ComboScan v20070212.14 run by deborah stone on 2007-02-17 at 19:42:31
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 511 MiB / 250.25 MiB
Pagefile Memory (total/avail): 1250.19 MiB / 1037.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2006.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.84 GiB total, 52.01 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is not configured.
Windows Internal Firewall is unknown.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\deborah stone\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GALAXY
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\deborah stone
LOGONSERVER=\\GALAXY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
USERDOMAIN=GALAXY
USERNAME=deborah stone
USERPROFILE=C:\Documents and Settings\deborah stone
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

deborah stone (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bar888 --> C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}\UnInstall.exe
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EarthLink Software --> "C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Trend Micro PC-cillin Internet Security 2007 --> msiexec.exe /i {BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}


-- End of ComboScan: finished at 2007-02-17 at 19:45:14

-------------------------
Hope you can help me fix this bug. thanks. db
Old 02-18-2007, 08:10 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,571
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hello dbstone & welcome back.


I am sorry to be the bearer of bad news but I must make you aware of the seriousness of one of the infections on your computer.

You have an SDBot infection that drops a RootKit. This combination pretty much gives the infection and the people behind it full control of your computer to do whatever they want with it. As such... and you've probably figured this out... your computer has been totally compromised.

You have two choices...

1. Format your Hard Drive and reinstall Windows. This is probably your wisest choice as it would totally eliminate the infection and any additional damage done by it.

2. We can clean the infections. But even with doing so I, unfortunately, cannot guarantee the security of your computer afterwards as I have no way of knowing what other damage has been done by the RootKit/RAT.

Please read these for more information and let me know which route you wish to go with:

Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

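The verdict above rests on the registry dump in the first post: an autostart value named "Local Security Authority Service" pointing at lssas.exe, a near-miss of the real lsass.exe, which Windows starts itself and never from a Run key. The following added Python example (not part of this thread or of any tool named in it) parses that ComboScan dump format and flags such lookalikes; the list of core process names and the edit-distance threshold are my assumptions.

```python
import re

# Processes that Windows starts itself (via smss/winlogon/services); a Run-key
# entry launching one of these names, or a near-miss of one, is a red flag.
# Assumption (my choice, not from the thread): this list and the edit threshold.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe",
}
LOOKALIKE_MAX_EDITS = 2  # 1-2 character edits away from a core name

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    # Undo .reg quoting: a doubled backslash becomes one, \" becomes a quote.
    return re.sub(r'\\(["\\])', r"\1", data)


def executable_path(command: str) -> str:
    """Program path from a command line: quoted path, or bare path up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_command(value_name: str, command: str) -> list:
    """Findings for one autostart command line; an empty list means nothing odd."""
    path = executable_path(command)
    base = path.rsplit("\\", 1)[-1].lower()
    if base in CORE_PROCESSES:
        return [f"{value_name!r}: core process name {base} started from an autostart entry"]
    findings = []
    for core in sorted(CORE_PROCESSES):
        d = edit_distance(base, core)
        if 0 < d <= LOOKALIKE_MAX_EDITS:
            findings.append(f"{value_name!r}: {base} looks like {core} ({d} edit(s)) at {path}")
    return findings


def parse_run_entries(dump_text: str):
    """Yield (key, value name, unescaped command) for values under ...\\Run keys."""
    key = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key and key.lower().endswith("\\run"):
            yield key, vm.group("name"), unescape_reg(vm.group("data"))


def scan_registry_dump(dump_text: str) -> list:
    """All findings for a ComboScan-style registry dump, prefixed with the key."""
    return [f"{key}: {finding}"
            for key, name, command in parse_run_entries(dump_text)
            for finding in assess_command(name, command)]


# Constructed sample: the Run-key lines from the registry dump posted above.
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Local Security Authority Service"="C:\\WINDOWS\\System32\\lssas.exe"
'''

if __name__ == "__main__":
    for finding in scan_registry_dump(SAMPLE_DUMP):
        print(finding)
```

The same assess_command check applies to service paths such as the svchosts.exe entry SDFix later removed, since svchosts.exe is one edit away from svchost.exe.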
Old 02-18-2007, 08:47 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi

OK, I'm puzzled though; I've reinstalled three times and still have this virus. I've also paid good money to a computer shop and still have this virus.

The reinstalls themselves, I believe, are problematic as I have dial-up. Every time I reinstall, I wipe out all the protection and updates I've built into my system. Then, in an effort to download them again, I get reinfected.

Is there any way around this?

db

PS: here is what I've done, or found out, since I last wrote:

I got rid of the messenger service popups with a program called "shoot the messenger"...

and PC-cillin has found a PE_Generic virus in my lassas.exe file that it can't remove or quarantine.
Old 02-18-2007, 09:52 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,571
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi again,

Quote:
OK, I'm puzzled though, I've reinstalled three times and still have this virus... then in an effort to download them again, I get reinfected... Is there any way around this?
It's recommended that you download the antivirus and the firewall applications onto a flash drive or CD before you reformat and reinstall; unplug the computer from the internet; reformat and reinstall the operating system with all its patches. If you have problems downloading SP2, as it is rather large and you are on dial-up, you can order the SP2 CD for 'free' from Microsoft, which will save you all the hassle of trying to update online, here:

http://www.microsoft.com/windowsxp/d...s/default.mspx

Once you have the Windows installed with all its patches, install the antivirus and the firewall using the flash drive/CD where you've downloaded them earlier, before you connect to the internet. Then, you can connect to the internet and update your system.

If you don't have any sensitive information on the computer and do not use it for banking, we can attempt to clean it. You might like to print these so that you can have access to them at all times:

1. Download AVG Anti-Spyware from HERE
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

======================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

======================================

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (C:\BFU).

Do not do anything with these yet!

======================================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

======================================

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
=======================================

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

======================================
Next, still in Safe Mode:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
====================================

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.

======================================

Please post me a new hijackthis log and the logs from c:\BFU\log.txt , the Report.txt and the AVG Anti Spyware log.
Old 02-18-2007, 11:10 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi amateur,

I think I understand from the materials you gave me to read that even if I copy my updates to CD or jump drive, I might be saving the virus or alterations with them. I think I'm going to try getting rid of the virus first, then, if need be, reinstall. I'll order a CD of SP2 from Microsoft just in case. If need be, how can I save the updates I've downloaded for Windows and PC-cillin already? I'm rather new at this.

The only time I use my computer for sensitive stuff is to view my banking account, which I think I've refrained from doing since I've reinstalled. I'll change my passwords, etc., later. Is there a danger of someone remotely accessing my e-mail? I have passwords, etc., saved there.

db
Old 02-18-2007, 11:48 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,571
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Quote:
If need be, how can I save the updates I've downloaded for windows and pc-cillin already?
I am not sure if that's possible. You may have to do the updating online.

Quote:
Is there a danger of someone remotely accessing my e-mail? I have passwords, etc, saved there.
With SDBots, anything is possible.
Old 02-18-2007, 01:07 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hello,

OK, here are the logs I have. Unfortunately, I can't find a log for BFU. I've searched files and folders for c:\bfu\log.txt and found nothing. I also don't have a log for AVG; it said there were no reports, although it did find something that had "backdoor" in the name, and it deleted what it found rather than quarantining it, even though my chosen action was to quarantine per your instructions. Here are the logs I do have; I hope they're helpful.


SDFix: Version 1.66

Run by deborah stone - Sun 02/18/2007 @ 14:04:15.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144

Client IP-IPX Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_57320.exe - Deleted
C:\WINDOWS\system32\TFTP2036 - Deleted
C:\WINDOWS\system32\TFTP3052 - Deleted
C:\WINDOWS\system32\TFTP3568 - Deleted
C:\WINDOWS\system32\TFTP3792 - Deleted
C:\WINDOWS\system32\TFTP396 - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\qirewt.exe
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2D.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT1D.tmp

Add/Remove Programs List:

ATI Display Driver
AVG Anti-Spyware 7.5
EarthLink Software
hp instant support
HP Photo and Imaging 2.0 - hp officejet 6100 series
Lavasoft VX2 Cleaner
Mozilla Firefox (2.0.0.1)
Panda ActiveScan
Intel(R) PRO Ethernet Adapter and Software
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Trend Micro PC-cillin Internet Security 2007
hp officejet 6100 series
EarthLink Spyware Blocker
ELNBonus
EarthLink Setup
EarthLink Redistributed
EarthLink FastLane
EarthLink Common
EarthLink Toolbar
HP Photo and Imaging 2.0 - All-in-One Drivers
Ad-Aware SE Personal
EarthLink Update Manager
EarthLink MailBox
HP Photo and Imaging 2.0 - All-in-One
EarthLink TaskPanel
HP Memories Disc
Microsoft XML Parser
Trend Micro PC-cillin Internet Security 2007
Dell ResourceCD
EarthLink IM
EarthLink Webspace
Deal Info
SoundMAX
EarthLink Accelerator

Finished


Logfile of HijackThis v1.99.1
Scan saved at 2:29:33 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

thanks. I'll be staying offline as much as possible until I hear from you that I am cleared.

db
Old 02-18-2007, 01:54 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,571
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,
Thanks for the logs. SDFix seems to have worked.
Quote:
Unfortunately, i can't find a log for bfu.
Let's not worry about that now, but I would like to have the AVG Anti Spyware log. A copy of each report is saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\. If you still cannot find it, we'll give it another go.

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

You have the following O6 line indicating some restriction on the IE/Control Panel access rights. Unless that is intentional by an administrator or a program like Spybot or StartPage Guard, you can check that line too if you wish.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Make sure that all windows/applications, etc are closed before you click on "fix checked". Exit HijackThis.

=============================

Update AVG Anti Spyware before you boot into Safe Mode.

=============================

Boot into Safe Mode following my earlier instructions.

=============================

Using Windows Explorer (right click on start, click on Explore) navigate to the following file and delete it if found. (Make sure that your hidden files are still visible).

C:\WINDOWS\system32\qirewt.exe

==============================

Still in Safe Mode, scan with AVG Anti Spyware (if you were unable to find the previous report).

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • Wh