Malware Help Please!

peter_maurin · 01-11-2008, 01:31 PM

Running XP with 4 users at home. Only on one user's desktop does the problem occur. Constant pop-ups regarding worm.win32.netsky virus, red X in system tray and redirects from IE to virus clean-up web sites and the "Error Cleaner", "Privacy Protector" & "Spyware & Malware Protection" icons also appear on this user's desktop. The link bar on all users contain "Remove Popups" "Scan Spyware" "Security Test" and "Spam Protection". "The ensfolr" link bar appears in the link bar drop down list. I ran the SmitfraudFix in addition to AVG and I think that the malware may still be present. I attempted to run the Panda ActiveScan software but it never ran; it just sat there (~ 20 minutes) without showing any status of execution.

Attached are the main.txt and extra.txt files output from DSS:

Deckard's System Scanner v20071014.68
Run by Daddy on 2008-01-11 14:56:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
5: 2008-01-11 19:56:49 UTC - RP40 - Deckard's System Scanner Restore Point
4: 2008-01-11 17:53:28 UTC - RP39 - Restore Operation
3: 2008-01-11 08:13:56 UTC - RP38 - System Checkpoint
2: 2008-01-10 08:00:18 UTC - RP37 - Software Distribution Service 3.0
1: 2008-01-08 03:03:29 UTC - RP36 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-11 14:58:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - C:\WINDOWS\dxpvqlmqng.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: The ensfolr - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\Owner\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6867 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-07 22:32:48 622 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Daddy.job

-- Files created between 2007-12-11 and 2008-01-11 -----------------------------

2008-01-11 14:09:08 0 d-------- C:\WINDOWS\LastGood
2008-01-11 13:10:47 2814 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-11 11:16:07 0 d-------- C:\Documents and Settings\Daddy\Application Data\Grisoft
2008-01-11 10:54:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 03:13:53 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-01-11 03:13:53 1572864 --a------ C:\Documents and Settings\Daddy\ntuser.dat
2008-01-06 23:26:41 81920 --a------ C:\WINDOWS\foxflpd.exe
2008-01-06 23:26:41 176128 --a------ C:\WINDOWS\ensfolr.dll <Not Verified; ; ensfolr Module>
2008-01-06 23:26:41 253952 --a------ C:\WINDOWS\dxpvqlmqng.dll <Not Verified; ; dxpvqlmqng>
2008-01-02 12:25:49 0 d-------- C:\Documents and Settings\Daddy\Application Data\acccore
2007-12-30 10:00:32 0 d-------- C:\Downloads
2007-12-27 00:12:28 0 d-------- C:\Documents and Settings\Mommy\Application Data\acccore
2007-12-24 11:29:58 0 d-------- C:\Documents and Settings\Mommy\Application Data\Macromedia
2007-12-24 11:29:40 0 d-------- C:\Documents and Settings\Mommy\Application Data\Adobe
2007-12-23 19:59:43 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Viewpoint
2007-12-20 10:24:15 0 d-------- C:\Documents and Settings\Lindsay\Application Data\acccore
2007-12-20 03:00:26 0 d-------- C:\Program Files\MSXML 4.0
2007-12-18 22:01:01 0 d-------- C:\Documents and Settings\Alyssa\Application Data\acccore
2007-12-18 21:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-18 21:55:50 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-18 21:55:50 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 21:55:33 0 d-------- C:\Program Files\Common Files\AOL
2007-12-18 21:55:30 0 d-------- C:\Program Files\AIM6
2007-12-18 21:54:59 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Macromedia
2007-12-18 21:54:46 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Adobe
2007-12-18 19:46:53 0 d-------- C:\Documents and Settings\Daddy\Application Data\SierraHome
2007-12-18 19:38:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SierraHome
2007-12-18 19:32:25 0 d-------- C:\Program Files\Common Files\Nova Development
2007-12-18 19:32:06 0 d-------- C:\Program Files\SierraHome
2007-12-18 16:56:33 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Macromedia
2007-12-17 20:36:51 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Adobe
2007-12-17 20:36:28 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Symantec
2007-12-17 20:35:50 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Symantec
2007-12-17 20:34:34 0 d-------- C:\Documents and Settings\Mommy\Application Data\Symantec
2007-12-17 20:13:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-12-17 20:13:30 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-17 20

51 0 d-------- C:\Documents and Settings\Daddy\Application Data\AdobeUM
2007-12-17 20:02:33 0 d-------- C:\Documents and Settings\Daddy\Application Data\Symantec
2007-12-17 20:01:12 0 d-------- C:\Program Files\Windows Sidebar
2007-12-17 20:00:30 0 d-------- C:\Program Files\Norton Internet Security
2007-12-17 19:59:48 0 d-------- C:\Program Files\Symantec
2007-12-17 19:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-17 19:24:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-17 19:24:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-17 19:03:32 0 d-------- C:\Documents and Settings\Daddy\Application Data\Macromedia
2007-12-17 18:38:54 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-12-17 18:38:16 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-17 18:34:43 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-17 18:34:43 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows>
2007-12-17 18:34:43 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl>
2007-12-17 18:34:43 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML>
2007-12-17 18:34:43 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows>
2007-12-17 18:34:43 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl>
2007-12-17 18:34:42 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-12-17 18:33:13 3979 -----n--- C:\WINDOWS\hphmdl08.dat
2007-12-17 18:33:13 80793 --a------ C:\WINDOWS\HPHins08.dat
2007-12-17 18:32:09 0 d-------- C:\Documents and Settings\Daddy\Application Data\HP
2007-12-17 18:28:18 0 d-------- C:\Documents and Settings\Daddy\Application Data\Adobe
2007-12-17 18:18:49 0 d-------- C:\Program Files\HP
2007-12-17 18:18:47 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-17 11:21:42 0 d-------- C:\Documents and Settings\Mommy\Application Data\CyberLink
2007-12-17 10:50:48 0 d-------- C:\Documents and Settings\Mommy\Application Data\Grisoft
2007-12-17 10:50:40 0 d-------- C:\Documents and Settings\Mommy\Application Data\Identities
2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\Templates
2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\Start Menu
2007-12-17 10:50:32 0 dr-h----- C:\Documents and Settings\Mommy\SendTo
2007-12-17 10:50:32 0 dr-h----- C:\Documents and Settings\Mommy\Recent
2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\PrintHood
2007-12-17 10:50:32 1572864 --a------ C:\Documents and Settings\Mommy\ntuser.dat
2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\NetHood
2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\My Documents
2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\Local Settings
2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\Favorites
2007-12-17 10:50:32 0 d-------- C:\Documents and Settings\Mommy\Desktop
2007-12-17 10:50:32 0 d--hs---- C:\Documents and Settings\Mommy\Cookies
2007-12-17 10:50:32 0 dr-h----- C:\Documents and Settings\Mommy\Application Data
2007-12-17 10:50:32 0 d---s---- C:\Documents and Settings\Mommy\Application Data\Microsoft
2007-12-17 10:40:29 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Grisoft
2007-12-17 10:40:11 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Identities
2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\Templates
2007-12-17 10:39:59 0 dr------- C:\Documents and Settings\Lindsay\Start Menu
2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\SendTo
2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\Recent
2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\PrintHood
2007-12-17 10:39:59 1048576 --a------ C:\Documents and Settings\Lindsay\ntuser.dat
2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\NetHood
2007-12-17 10:39:59 0 dr------- C:\Documents and Settings\Lindsay\My Documents
2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\Local Settings
2007-12-17 10:39:59 0 dr------- C:\Documents and Settings\Lindsay\Favorites
2007-12-17 10:39:59 0 d-------- C:\Documents and Settings\Lindsay\Desktop
2007-12-17 10:39:59 0 d--hs---- C:\Documents and Settings\Lindsay\Cookies
2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\Application Data
2007-12-17 10:39:59 0 d---s---- C:\Documents and Settings\Lindsay\Application Data\Microsoft
2007-12-17 10:37:03 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Grisoft
2007-12-17 10:36:57 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Identities
2007-12-17 10:36:48 0 dr------- C:\Documents and Settings\Alyssa\Favorites
2007-12-17 10:36:48 0 d-------- C:\Documents and Settings\Alyssa\Desktop
2007-12-17 10:36:48 0 d--hs---- C:\Documents and Settings\Alyssa\Cookies
2007-12-17 10:36:48 0 dr-h----- C:\Documents and Settings\Alyssa\Application Data
2007-12-17 10:36:48 0 d---s---- C:\Documents and Settings\Alyssa\Application Data\Microsoft
2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\Templates
2007-12-17 10:36:47 0 dr------- C:\Documents and Settings\Alyssa\Start Menu
2007-12-17 10:36:47 0 dr-h----- C:\Documents and Settings\Alyssa\SendTo
2007-12-17 10:36:47 0 dr-h----- C:\Documents and Settings\Alyssa\Recent
2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\PrintHood
2007-12-17 10:36:47 1572864 --a------ C:\Documents and Settings\Alyssa\ntuser.dat
2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\NetHood
2007-12-17 10:36:47 0 dr------- C:\Documents and Settings\Alyssa\My Documents
2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\Local Settings
2007-12-17 10:30:59 0 d-------- C:\Documents and Settings\Daddy\Application Data\Identities
2007-12-17 10:30:47 0 dr-h----- C:\Documents and Settings\Daddy\Application Data
2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\Templates
2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\Start Menu
2007-12-17 10:30:46 0 dr-h----- C:\Documents and Settings\Daddy\SendTo
2007-12-17 10:30:46 0 dr-h----- C:\Documents and Settings\Daddy\Recent
2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\PrintHood
2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\NetHood
2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\My Documents
2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\Local Settings
2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\Favorites
2007-12-17 10:30:46 0 d-------- C:\Documents and Settings\Daddy\Desktop
2007-12-17 10:30:46 0 d--hs---- C:\Documents and Settings\Daddy\Cookies
2007-12-17 10:27:06 0 d-------- C:\Program Files\TurboTax
2007-12-17 10:26:31 0 d-------- C:\Program Files\iTunes
2007-12-17 10:26:17 0 d-------- C:\Program Files\ItsDeductible2006
2007-12-15 14:38:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 14:31:26 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-12-15 14:30:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-12-15 14:30:17 364544 -----n--- C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2007-12-15 14:30:17 471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-15 14:30:17 262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-15 14:30:17 1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-15 14:30:16 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-12-15 14:30:16 38912 -----n--- C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2007-12-15 14:30:14 0 d-------- C:\Program Files\Common Files\Ahead
2007-12-15 14:30:10 0 d-------- C:\Program Files\Ahead
2007-12-15 14:28:56 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-15 14:28:51 0 d-------- C:\Program Files\CyberLink
2007-12-15 14:18:30 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-15 14:18:19 0 d-------- C:\WINDOWS\SHELLNEW
2007-12-15 14:15:06 0 dr-h----- C:\MSOCache
2007-12-15 14

38 0 d-------- C:\WINDOWS\network diagnostic
2007-12-15 13:46:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-15 13:41:58 0 d-------- C:\WINDOWS\system32\PreInstall
2007-12-15 13:39:39 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-12-15 13:30:16 0 d-------- C:\Program Files\Broadcom
2007-12-15 13:26:42 0 d-------- C:\WINDOWS\Drivers
2007-12-15 13:24:40 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-12-15 13:24:40 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-12-15 13:24:40 0 d-------- C:\Program Files\Analog Devices
2007-12-15 13:23:02 0 d-------- C:\Program Files\Intel
2007-12-15 13:22:32 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-12-15 13:22:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-15 13:22:22 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-15 13:22:02 0 d-------- C:\dell
2007-12-15 13:01:37 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-12-15 13:01:36 0 d-------- C:\WINDOWS\Prefetch
2007-12-15 13:01:35 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-12-15 13:01:34 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-12-15 13:01:34 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-12-15 13:01:34 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-12-15 13:01:34 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-12-15 13:01:04 225280 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-12-15 13:01:04 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-12-15 13:01:04 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-12-15 13:01:04 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-12-15 13:01:04 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-12-15 12:58:44 0 d-------- C:\WINDOWS\system32\xircom
2007-12-15 12:58:44 0 d-------- C:\Program Files\microsoft frontpage
2007-12-15 12:58:42 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-12-15 12:58:40 0 d--h----- C:\WINDOWS\$hf_mig$
2007-12-15 12:58:25 0 -rahs---- C:\MSDOS.SYS
2007-12-15 12:58:25 0 -rahs---- C:\IO.SYS
2007-12-15 12:58:25 0 --a------ C:\CONFIG.SYS
2007-12-15 12:58:25 0 --a------ C:\AUTOEXEC.BAT
2007-12-15 12:57:36 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-15 12:57:27 0 dr------- C:\WINDOWS\Offline Web Pages
2007-12-15 12:57:27 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-12-15 12:57:18 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-15 12:56:59 0 d-------- C:\WINDOWS\system32\DirectX
2007-12-15 12:56:27 0 d---s---- C:\WINDOWS\Tasks
2007-12-15 12:56:26 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-15 12:56:22 0 d-------- C:\WINDOWS\srchasst
2007-12-15 12:56:21 0 d-------- C:\WINDOWS\system32\Macromed
2007-12-15 12:56:12 0 d-------- C:\Program Files\Movie Maker
2007-12-15 12:56:04 0 d-------- C:\WINDOWS\system32\Restore
2007-12-15 12:55:43 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-15 12:55:30 0 d-------- C:\WINDOWS\Registration
2007-12-15 12:55:07 0 d-------- C:\Program Files\Online Services
2007-12-15 12:55:03 0 d-------- C:\Program Files\Messenger
2007-12-15 12:54:59 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-15 12:54:22 0 d-------- C:\Program Files\Windows NT
2007-12-15 12:54:19 0 d-------- C:\WINDOWS\system32\MsDtc
2007-12-15 12:54:17 0 d-------- C:\WINDOWS\system32\Com
2007-12-15 07:49:11 0 d--hs---- C:\WINDOWS\Installer
2007-12-15 07:49:10 0 d-------- C:\Program Files\Common Files\ODBC
2007-12-15 07:49:07 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-15 07:49:06 0 dr------- C:\Program Files
2007-12-15 07:49:06 0 d-------- C:\Program Files\Common Files
2007-12-15 07:48:43 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-12-15 07:48:43 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-12-15 07:48:43 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-12-15 07:48:43 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-12-15 07:48:43 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-12-15 07:48:43 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-12-15 07:48:43 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-12-15 07:48:43 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-12-15 07:48:43 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-12-15 07:48:43 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-12-15 07:48:43 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-12-15 07:48:43 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-12-15 07:48:43 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-12-15 07:48:43 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-12-15 07:48:43 0 dr------- C:\Documents and Settings\All Users\Documents
2007-12-15 07:48:43 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-12-15 07:48:31 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-12-15 07:48:31 0 d-------- C:\WINDOWS\system32\CatRoot
2007-12-15 07:48:26 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-12-15 07:48:26 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-12-15 07:48:25 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-12-15 07:48:25 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-12-15 07:48:02 0 d--hs---- C:\System Volume Information
2007-12-15 07:48:02 0 d-------- C:\Documents and Settings
2007-12-15 07:41:31 0 d-------- C:\WINDOWS
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\WinSxS
2007-12-15 07:41:31 0 dr------- C:\WINDOWS\Web
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\twain_32
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\wins
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\wbem
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\usmt
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\spool
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\ShellExt
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\Setup
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\ras
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\oobe
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\npp
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\mui
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\inetsrv
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\IME
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\icsxml
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\ias
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\export
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\drivers
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-12-15 07:41:31 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\dhcp
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\config
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\3076
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\2052
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1054
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1042
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1041
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1037
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1033
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1031
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1028
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system32\1025
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\system
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\security
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Resources
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\repair
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Provisioning
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\PeerNet
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\pchealth
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\mui
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\msapps
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\msagent
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Media
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\java
2007-12-15 07:41:31 0 d--h----- C:\WINDOWS\inf
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\ime
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Help
2007-12-15 07:41:31 0 dr--s---- C:\WINDOWS\Fonts
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Driver Cache
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Debug
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Cursors
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Connection Wizard
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\Config
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\AppPatch
2007-12-15 07:41:31 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2007-12-15 07:48:43 62 --ahs---- C:\Documents and Settings\Daddy\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5085333B-FD15-4754-A571-852F7077C5F2}]
01/05/2008 09:06 AM 253952 --a------ C:\WINDOWS\dxpvqlmqng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 10:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
12/17/2007 08:01 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 10:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/10/2004 11:55 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/10/2004 11:51 AM]
"UIUCU"="C:\DOCUME~1\Owner\LOCALS~1\Temp\UIUCU.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [07/11/2006 03:27 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [08/18/2005 10:00 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 12:07 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 11:53 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 07:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [8/18/2005 10:20:30 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-01-11 14:59:27 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1021.98 MiB / 662.74 MiB
Pagefile Memory (total/avail): 2464.88 MiB / 2059.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.06 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 218.8 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-63MHB5 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart 8200 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Daddy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-F19CFDDA2B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Daddy
LOGONSERVER=\\USER-F19CFDDA2B
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Daddy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Daddy\LOCALS~1\Temp
USERDOMAIN=USER-F19CFDDA2B
USERNAME=Daddy
USERPROFILE=C:\Documents and Settings\Daddy
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Alyssa (admin)
Daddy (admin)
Lindsay (admin)
Mommy (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Print Artist Gold 21 --> MsiExec.exe /I{D8262480-2A04-407C-B2F7-1439B789C349}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Technical Support Web Controls --> MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}

-- Application Event Log -------------------------------------------------------

Event Record #/Type2295 / Error
Event Submitted/Written: 01/11/2008 01

30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2076 / Error
Event Submitted/Written: 01/09/2008 03:42:32 PM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
Information Level: error

Initialization of the COM subsystem failed. Error code: 0x8007041D.

Event Record #/Type1951 / Error
Event Submitted/Written: 01/07/2008 09:17:26 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1883 / Error
Event Submitted/Written: 01/06/2008 11:23:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1723 / Error
Event Submitted/Written: 01/04/2008 08

37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type3075 / Error
Event Submitted/Written: 01/11/2008 01:16:20 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type3074 / Error
Event Submitted/Written: 01/11/2008 01:14:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type3073 / Error
Event Submitted/Written: 01/11/2008 01:10:45 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
eeCtrl
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SPBBCDrv
SRTSPX
SYMTDI
Tcpip

Event Record #/Type3072 / Error
Event Submitted/Written: 01/11/2008 01:10:45 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type3071 / Error
Event Submitted/Written: 01/11/2008 01:10:45 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

-- End of Deckard's System Scanner: finished at 2008-01-11 14:59:27 ------------

Output of AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:14:29 PM 1/11/2008

+ Scan result:

C:\Documents and Settings\Alyssa\Cookies\alyssa@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@scrippshgtv.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Alyssa\Cookies\alyssa@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Daddy\Cookies\daddy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mommy\Cookies\mommy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lindsay\Cookies\lindsay@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

Output of SmitFraudFix:

SmitFraudFix v2.274

Scan done at 13:10:41.21, Fri 01/11/2008
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Your help is greatly appreciated.

Pete

peter_maurin · 01-11-2008, 01:41 PM

I failed to mention that after running SmitFraudFix and AVG when I access the affected user's desktop, error notifications regarding a file that cannot be located in directory "c:/windows/..../privacy_protection" occurs as well as the "Error Cleaner", "Privacy Protector" and "Spyware & Malware Protection" icons are still there but the icons are of the generic type as opposed to the ones that were there previously.

peter_maurin · 01-16-2008, 08:12 AM

No response from Friday, 1/11 bump.

tetonbob · 01-16-2008, 06:21 PM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat

Save this as peek.bat Choose to "Save type as - All Files"
It should look like this:

Double click on peek.bat & allow it to run. A notepad file will open. Post the contents of that file in your next reply, and close the file.

peter_maurin · 01-17-2008, 04:53 PM

Sorry for the long delay.

Since I am located on the East Coast of the United States and this is for my home computer I can only work on the problem in the evenings.

Contents of look.txt:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Since last Friday, I have run a slew of AntiVirus programs and it appears that I have eliminated the "ensfolr" toolbar but now the following error message appears regularly in only the offending desktop:

Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm'

Any assistance would be greatly appreciated.

Thanx,
Pete

tetonbob · 01-17-2008, 05:47 PM

Ok, I understand you're wanting to take care of things as quickly as possible. For now, please hold off on doing any more self-help, as it will just make my task more difficult.

Please run DSS once again from the Daddy account, and post it's log, so I can see the current state of the machine.

peter_maurin · 01-17-2008, 06:44 PM

I only received the main.txt file - no extra.txt file was generated. Here's the contents of main.txt:

Deckard's System Scanner v20071014.68
Run by Daddy on 2008-01-17 20:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Daddy.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:37:32 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Daddy.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: (no name) - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Servic

01-11-2008, 01:41 PM	#2 (permalink)
peter_maurin Registered User Join Date: Jan 2008 Posts: 15 OS: Windows XP (SP2)	Re: Malware Help Please! I failed to mention that after running SmitFraudFix and AVG when I access the affected user's desktop, error notifications regarding a file that cannot be located in directory "c:/windows/..../privacy_protection" occurs as well as the "Error Cleaner", "Privacy Protector" and "Spyware & Malware Protection" icons are still there but the icons are of the generic type as opposed to the ones that were there previously.

01-16-2008, 08:12 AM	#3 (permalink)
peter_maurin Registered User Join Date: Jan 2008 Posts: 15 OS: Windows XP (SP2)	Re: Malware Help Please! No response from Friday, 1/11 bump.

01-17-2008, 04:53 PM	#5 (permalink)
peter_maurin Registered User Join Date: Jan 2008 Posts: 15 OS: Windows XP (SP2)	Re: Malware Help Please! Sorry for the long delay. Since I am located on the East Coast of the United States and this is for my home computer I can only work on the problem in the evenings. Contents of look.txt: [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect Since last Friday, I have run a slew of AntiVirus programs and it appears that I have eliminated the "ensfolr" toolbar but now the following error message appears regularly in only the offending desktop: Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm' Any assistance would be greatly appreciated. Thanx, Pete

01-17-2008, 05:47 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,758 OS: 2000 Pro; XP Pro; XP Home	Re: Malware Help Please! Ok, I understand you're wanting to take care of things as quickly as possible. For now, please hold off on doing any more self-help, as it will just make my task more difficult. Please run DSS once again from the Daddy account, and post it's log, so I can see the current state of the machine. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.