Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 03-12-2007, 05:26 AM   #41
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Try this. Download the IE6 installation file, and save it to C:\.

Go to Start>Run and copy/paste the following into the run box and click OK:

C:\ie6setup.exe /Q
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-12-2007, 08:38 PM   #42
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Through several attempts of running from the Start menu and rebooting, and almost giving the PC a boot, IE v 6.0.2800.1106.xpsp2.050301-1526 is finally working and I am able to run Panda Activescan. I will be posting later with the log files. It does appear I can go fishing since the scan has found some worms, or whatever the bad stuff is.
Old 03-12-2007, 08:41 PM   #43
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Nice work--can't wait to see what Panda has found.
Old 03-12-2007, 11:55 PM   #44
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Here is the list, files at end. Sorry about the delay, I let my job get in the way of my home life. Also, the post was too long - I did some surgery.
Your direction is colored; mine is colored as well.
************
(click on) WeatherBug Browser Bar - powered by MyWebSearch
"Delete this entry"
Close HijackThis

*** REMOVED ***
-------------------

Using 'My Computer',

C:\Documents and Settings\Duane\Application Data\Ultimate Cleaner
C:\eryvk.exe
C:\loder.exe
C:\Program Files\BHO Plugin
C:\Program Files\Common Files\sagu292
C:\program files\mywebsearch *** Could not find ***
C:\WINDOWS\nnqvcc.dat
C:\WINDOWS\System32\byxwttt.dll
*** COMPLETED ***
--------------------------------------------------------------------

Upload following http://virusscan.jotti.org

C:\WINDOWS\System32\3718845C.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
C:\Program Files\Common Files\wuopry.html
Service
Service load: 0% 100% About 10-15%

File: wuopry.html
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 09cf569bb4d30b18db62dcc43090f84a
Packers detected: -

Scanner results
Scan taken on 13 Mar 2007 05:11:31 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



C:\WINDOWS\System32\svchost.exe
Service
Service load: 0% 100% About 10-15%

File: svchost.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 0f7d9c87b0ce1fa520473119752c6f79
Packers detected: -

Scanner results
Scan taken on 13 Mar 2007 05:02:36 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

--------------------------------------------------------------------
Panda Activescan results

Attached as file to preserve formatting
File too long, pasted in next post

--------------------------------------------------------------------
Comboscan

ComboScan v20070306.20 run by Duane on 2007-03-12 at 22:22:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Duane.exe) -----------------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-12 22:25:54
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\KBDAP32A.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Duane\Desktop\comboscan.exe
C:\Program Files\Hijack This\Duane.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra 'Tools' menuitem: (no name) - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker () - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon () - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo () - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack () - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers () - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess () - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage () - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice () - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish () - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire () - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker () - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (CiSvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Google Updater Service (gusvc) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Office Source Engine (ose) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Sygate Personal Firewall (SmcService) - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
O23 - Service: SymWMI Service (SymWSC) - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe"
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-12 and 2007-03-12 -----------------------------

2007-03-12 21:01:09 62739 --a------ C:\WINDOWS\System32\setup_66402.exe<SETUP_~1.EXE>
2007-03-12 18:55:59 0 --a------ C:\WINDOWS\System32\eraseme_04754.exe<ERASEM~1.EXE>
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 19:04:07 0 --a------ C:\WINDOWS\System32\setup_11784.exe<SETUP_~4.EXE>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 12:01:17 0 d-------- C:\avenger
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-09 18:42:41 639 --a------ C:\Combo.bat
2007-03-08 19:56:44 0 d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-28 19:24:14 0 d-------- C:\!KillBox
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-24 10:28:21 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 21:42:30 129 --a------ C:\fix.bat
2007-02-20 23:22:43 0 d-------- C:\Program Files\backups
2007-02-16 05:28:25 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-02-13 05:48:17 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb<DOCTOR~1>
2007-02-12 21:43:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage<OFFICE~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-12 21:31:57 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-12 20:03:41 0 d-------- C:\Program Files\Picasa2
2007-03-12 20:01:52 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-12 19:56:46 0 d-------- C:\Program Files\iTunes
2007-03-12 19:55:38 0 d-------- C:\Program Files\Google
2007-03-12 19:53:11 0 d-------- C:\Program Files\BigFix
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-24 10:28:12 0 d-------- C:\Program Files\Grisoft
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-14 10:30:55 0 d-------- C:\Program Files\Sygate
2007-01-14 10:29:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>
2006-12-19 16:51:14 142 --a------ C:\Program Files\Common Files\wuopry.html<WUOPRY~1.HTM>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-12 at 22:26:14 ------------------------

End of Report,
Attached Files
File Type: txt Activescan.txt (75.8 KB, 2 views)
Old 03-12-2007, 11:56 PM   #45 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Panda Active Scan

ComboScan v20070306.20 run by Duane on 2007-03-12 at 22:22:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Duane.exe) -----------------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-12 22:25:54
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\KBDAP32A.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Duane\Desktop\comboscan.exe
C:\Program Files\Hijack This\Duane.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra 'Tools' menuitem: (no name) - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker () - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon () - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo () - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack () - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers () - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess () - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage () - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice () - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish () - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire () - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker () - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (CiSvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Google Updater Service (gusvc) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Office Source Engine (ose) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Sygate Personal Firewall (SmcService) - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
O23 - Service: SymWMI Service (SymWSC) - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe"
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-12 and 2007-03-12 -----------------------------

2007-03-12 21:01:09 62739 --a------ C:\WINDOWS\System32\setup_66402.exe<SETUP_~1.EXE>
2007-03-12 18:55:59 0 --a------ C:\WINDOWS\System32\eraseme_04754.exe<ERASEM~1.EXE>
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 19:04:07 0 --a------ C:\WINDOWS\System32\setup_11784.exe<SETUP_~4.EXE>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 12:01:17 0 d-------- C:\avenger
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-09 18:42:41 639 --a------ C:\Combo.bat
2007-03-08 19:56:44 0 d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-28 19:24:14 0 d-------- C:\!KillBox
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-24 10:28:21 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 21:42:30 129 --a------ C:\fix.bat
2007-02-20 23:22:43 0 d-------- C:\Program Files\backups
2007-02-16 05:28:25 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-02-13 05:48:17 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb<DOCTOR~1>
2007-02-12 21:43:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage<OFFICE~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-12 21:31:57 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-12 20:03:41 0 d-------- C:\Program Files\Picasa2
2007-03-12 20:01:52 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-12 19:56:46 0 d-------- C:\Program Files\iTunes
2007-03-12 19:55:38 0 d-------- C:\Program Files\Google
2007-03-12 19:53:11 0 d-------- C:\Program Files\BigFix
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-24 10:28:12 0 d-------- C:\Program Files\Grisoft
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-14 10:30:55 0 d-------- C:\Program Files\Sygate
2007-01-14 10:29:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>
2006-12-19 16:51:14 142 --a------ C:\Program Files\Common Files\wuopry.html<WUOPRY~1.HTM>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-12 at 22:26:14 ------------------------
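As an added example (not part of this thread, and not ComboScan's or HijackThis's own code): a small Python parser for the ComboScan file-listing format shown in the log above ("date time size attributes path<8.3 alias>"), with two triage heuristics of my own choosing layered on top: zero-byte executables under System32, and core Windows binary names that show up in the recently-created list at all. The sample lines are constructed to mirror the format on this page; the heuristics are a starting point for a hash check against known-good media, not a verdict.

```python
"""Triage helpers for ComboScan-style "Files created" / "Find3M" lines.

Added example, not code from the forum thread or from ComboScan/HijackThis.
Heuristics below are the author's own defender-side triage rules:
  * a zero-byte .exe/.dll/.sys/.ocx under System32 is worth a look (a
    dropper that failed, or a payload already wiped, leaves these behind);
  * a core Windows binary name (svchost.exe, lsass.exe, ...) appearing in a
    *recently created* list at all means a fresh copy was written to
    System32, so its hash should be compared with known-good media.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One listing line: date time size attributes path[<8.3 alias>]
_FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?:<([^<>]+)>)?$"
)
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx")

# Constructed sample mirroring the page's ComboScan format (not the real log).
SAMPLE = r"""
2007-03-12 21:01:09 62739 --a------ C:\WINDOWS\System32\setup_66402.exe<SETUP_~1.EXE>
2007-03-12 18:55:59 0 --a------ C:\WINDOWS\System32\eraseme_04754.exe<ERASEM~1.EXE>
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-01-14 10:30:55 0 d-------- C:\Program Files\Sygate
"""


@dataclass
class FileRecord:
    date: str
    time: str
    size: int
    attrs: str          # 9-char attribute field, e.g. "--a------" or "d--------"
    path: str
    short_name: Optional[str]  # 8.3 alias if ComboScan printed one

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_system32(self) -> bool:
        return "\\windows\\system32\\" in self.path.lower()


def parse_file_line(line: str) -> Optional[FileRecord]:
    """Parse one listing line; return None for headers, blanks and other text."""
    m = _FILE_LINE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path, short = m.groups()
    return FileRecord(date, time, int(size), attrs, path, short)


def parse_listing(text: str) -> List[FileRecord]:
    """Parse every matching line of a ComboScan file section."""
    return [rec for rec in map(parse_file_line, text.splitlines()) if rec]


def triage(records: List[FileRecord]) -> List[str]:
    """Apply the two heuristics and return human-readable findings."""
    findings = []
    for r in records:
        if r.is_dir or not r.in_system32:
            continue
        if r.name.endswith(EXECUTABLE_SUFFIXES) and r.size == 0:
            findings.append(f"zero-byte executable in System32: {r.path}")
        if r.name in CORE_BINARIES:
            findings.append(
                f"core binary recently (re)created on {r.date}, verify hash: {r.path}"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_listing(SAMPLE)):
        print(finding)
```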
Old 03-13-2007, 08:38 AM   #46 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Hi cul8rman,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

We need to run one more tool:

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Click Start>Run and copy/paste the following text into the Run box and click OK:

regsvr32 /u occache.dll

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders

c:\windows\downloaded program files\ f3initialsetup1.0.0.15.inf
c:\windows\ NDNuninstall7_14.exe
C:\ !KillBox
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine <--Empty this folder.
C:\ avenger
C:\Program Files\Common Files\ wuopry.html


--------------------------------------------------------------------

Now, click Start>Run and copy/paste the following text into the Run box and click OK:

regsvr32 occache.dll

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_CURRENT_USER\CLSID\{da9a0b0f-9b7b-11d3-b8a4-00c04f79641c}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.

--------------------------------------------------------------------

Run another online scan at Panda and save the results.

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
C:\SDFix\Report.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-13-2007, 09:55 PM   #47 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

All was going well until Regedit.
Your step / my result:

Double click on the delete.reg file and choose Yes to merge/add it to the
registry. You may delete the file afterwards.

**** Yes to merge, came back with error:
Cannot import C:\REGEDI~1.REG: Not all data was
successfully written to the registry. Some keys are
open by the system or other processes.

Stopped doing fixes here - what to do next?


Was this to be done in Safe or regular mode? I never saw direction to return to safe mode so I did everything up to this step in safe mode.

Am I to be in Safe Mode for just the step that Safe mode is brought up?
Old 03-13-2007, 10:19 PM   #48 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Yes, you were supposed to be in Safe Mode all the way through the running of SDFix. That tool will reboot and you'd be back in Normal Mode.

Skip the registry fix for now. Go into Safe Mode and run SDFix and post the report.txt here please.
Old 03-16-2007, 10:24 PM   #49 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Sorry about the delay. My system is acting strange: really slow, IE is hit and miss, and Panda will run, but then when I go to the report it is gone. I will try Panda again; here is what I have so far.

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export
and save the registry somewhere as a backup. Close the Registry Editor now.
file saved as regedit 3.13.07
Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-hkey_classes_root\clsid\{07B18EA9-A523-4961-B6BB-170DE4475CCA}]

[-HKEY_CURRENT_USER\CLSID\{da9a0b0f-9b7b-11d3-b8a4-00c04f79641c}]

Save the file as "delete.reg". Make sure to save it with the quotes.
Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the
registry. You may delete the file afterwards.

**** Yes to merge, came back with error:
Cannot import C:\REGEDI~1.REG: Not all data was
successfully written to the registry. Some keys are
open by the system or other processes.

Was able to complete after a reboot.

--------------------------------------------------------------------
Press the CleanUp! button to start the program.
Completed
--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat

Done - Report.txt inserted below

SDFix: Version 1.69

Run by Duane - Tue 03/13/2007 @ 22:33:37.14

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Duane\Desktop\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\eraseme_04754.exe - Deleted
C:\WINDOWS\system32\firewall.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_11784.exe - Deleted
C:\WINDOWS\system32\setup_63001.exe - Deleted
C:\WINDOWS\system32\setup_66402.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Duane\Desktop\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\Common Files\csshare\shell\us\shellext.dll
C:\My Games\Action Ball\actionball.exe
C:\My Games\Adventure Ball\AdventureBall.exe
C:\My Games\Aqua Pearls\pearls.exe
C:\My Games\Cactus Bruce and the Corporate Monkeys\RealCB12.exe
C:\My Games\Clash 'N Slash\Clash N Slash.exe
C:\My Games\Flying Leo\FlyingLeo.exe
C:\My Games\Icy Spell\IcySpell.exe
C:\My Games\Impact\Impact.exe
C:\My Games\Inspheration\Inspheration.exe
C:\My Games\Jewel of Atlantis\Jewel of Atlantis.exe
C:\My Games\Mirror Magic\mirrormagic.exe
C:\My Games\Mosaic - Tomb of Mystery\Mosaic.exe
C:\My Games\Phlinx to Go\PhlinxToGo.exe
C:\My Games\Rainbow Web\RainbowWeb.exe
C:\My Games\Snowy - Space Trip\SpaceTrip.exe
C:\My Games\Turtle Odyssey\Game.exe
C:\My Games\Wheel of Fortune\Wheel of Fortune.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\CompuServe 7.0\csphx.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\CompuServe 7.0\RBM.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\system32\config\system.tmp.LOG

Add/Remove Programs List:

1Click DVD Copy 4.2.9.2
3D Snowy Cottage Screen Saver
Ad-Aware SE Personal
Adobe Acrobat 4.0
Agfa ePhoto CL18 Digital Camera Driver
America Online
AOL Instant Messenger (SM)
AOL Coach Version 1.0(Build:20020823.1)
AVG 7.5
AVG Anti-Spyware 7.5
BadCopy Pro
Belarc Advisor 7.0
BigFix
Calm Before the Storm Screen Saver
Chess Live 4.2
Cinema Tycoon(TM) Gold
CleanUp!
Conexant SoftK56 Modem(M)
CompuServe
Codec Pack - All In 1 6.0.2.7
Cox Online Support Controls
EPSON Printer Software
EZBack-it-up 2.0.1
Fiber Twig 2: Restoration of Magic Garden
Fish Tycoon
Fortune Tiles(TM) Gold
FREE Hi-Q Recorder 1.9
Gem Shop
Google Desktop Search
Gum Droppers
Hexalot
High Flying Act - Interactive Storybook
HijackThis 1.99.1
ICQ
iTunes
Karu
Microsoft Data Access Components KB870669
Lavasoft VX2 Cleaner
LEGO Chess
Macromedia Shockwave Player
CloneDVD 4.0
Micro Innovations Wireless Keyboard
Micro Innovations Wireless Optical Mouse
Mozilla Firefox (2.0.0.2)
MSN Music Assistant
Netscape 6 (6.2.1)
Panda ActiveScan
PC Pitstop Optimize 1.5
Picasa 2
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit 1st Grade(R) Capers on Cloud Nine!(TM)
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit(R) I Can Read! With Phonics
RealArcade
RealPlayer
RegistryFix v3.0
Reader Rabbit's 2nd Grade
Sandlot Games Client Services
Macromedia Flash Player 8
SimCity 3000
Splash
Spybot - Search & Destroy 1.4
IncBack +
SurferNETWORK Player
SyncBackSE
Viewpoint Media Player (Remove Only)
WeatherBug
Winamp (remove only)
Yahoo! Toolbar
Yahoo! Toolbar
Zulu Gems
Microsoft Money 2003
Microsoft Money 2003 System Pack
PC Inspector File Recovery
The Sims Deluxe Edition
Norton WMI Update
Google Toolbar for Internet Explorer
Java(TM) SE Runtime Environment 6
DataRobot Premium
Stomp Backup MyPC
MaxBlast 4
PowerDVD
Windows Backup Utility
EPSON Web-To-Page
Mirror Magic
NetZero For Riverdeep
iTunes
Intel(R) Extreme Graphics Driver
Microsoft Office Excel Viewer 2003
Microsoft Office Word Viewer 2003
Adobe Reader 7.0.7
DV 4100M
HP Software Update
Ulead Photo Express 4.0 SE
Texas Hold 'Em: High Stakes Poker
Ulead Photo Explorer 8.0 SE Basic
Disney's Phonics Quest
Greeting Card Factory Express
Sygate Personal Firewall
Microsoft Works 6.0
HP Deskjet 3740
Realtek AC'97 Audio
Multimedia Keyboard Driver

Finished

Running Panda; will see if I get results, and if so will post in about 90 min, I hope.


**** End of post ****
Old 03-16-2007, 11:22 PM   #50 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Finally, a Panda posting.


Incident Status Location

Virus:W32/Sdbot.KAE.worm Disinfected Operating system
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/antivirus-gold Not disinfected Windows Registry
Adware:adware/easysearch Not disinfected Windows Registry
Adware:adware/adtomi Not disinfected Windows Registry
Adware:adware/browseraid Not disinfected Windows Registry
Adware:Adware/SpySheriff Not disinfected C:\csfjged.exe
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.mediaplex.com/]
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox\KillBox.exe
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox.zip[KillBox.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Duane\nircmd.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2NWD09G9\agmjxkuurb[1].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2NWD09G9\rgkueobcmi[1].htm
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8HA7WPE3\zspzmwkg[1].htm
Adware:Adware/RegistryCleaner Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QI1KLMWX\kqwgtddn[1].htm
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\Molly\Application Data\Install.dat
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/hc/15514262]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.com.com/]
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\jxxvoqo.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\Hijack This\backups\backup-20070301-200021-574.dll
Adware:Adware/RegistryCleaner Not disinfected C:\qrxgijet.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\uqjqg.exe
Virus:W32/Sdbot.KAE.worm Disinfected C:\WINDOWS\dmrproc.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Virus:Trj/Disablekey.BF Disinfected C:\WINDOWS\system32\max1d1641.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_63800.exe
Virus:Trj/Disablekey.BF Disinfected C:\WINDOWS\temp\ma1x1dd1.game
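As an added example (not part of the thread, and not Panda's or any of the tools' own code), here is a small Python parser for the ActiveScan report format posted above. It sorts every line into a triage bucket so a helper can see at a glance which "Not disinfected" hits are files still sitting on disk, as opposed to tracking cookies, registry-only adware residue, browser cache or Recycle Bin copies, and the removal tools the user was asked to run. Treating SDFix, SmitfraudFix, KillBox, nircmd, VirtumundoBeGone, their Process.exe helper and HijackThis backups as the cleanup toolkit rather than as infections is this example's assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Panda ActiveScan report lines have the shape
#   <Category>:<Name> <Status> <Location>
# where Status is "Disinfected" or "Not disinfected". Both Name
# ("Cookie/Atlas DMT") and Location may contain spaces, so the status
# keyword is the only reliable anchor for splitting the line.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<location>.+)$"
)

# Assumption of this example: the removal tools the thread has the user
# running (SDFix, SmitfraudFix, KillBox, nircmd, VirtumundoBeGone, their
# Process.exe helper) and HijackThis backups get flagged as "Potentially
# unwanted tool" but are the cleanup toolkit, not infections.
TOOLKIT_MARKERS = (
    "\\sdfix", "smitfraudfix", "killbox", "nircmd.exe",
    "virtumundobegone", "process.exe", "hijack this\\backups",
)


@dataclass
class Incident:
    category: str
    name: str
    status: str
    location: str


def parse_report(text):
    """Return one Incident per report line; the header and blank lines are skipped."""
    incidents = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents


def bucket(inc):
    """Sort an incident into a triage bucket, most benign checks first."""
    loc = inc.location.lower()
    if inc.status == "Disinfected":
        return "disinfected"              # the scanner already handled it
    if inc.name.startswith("Cookie/"):
        return "tracking_cookie"          # cleared by ATF Cleaner / CleanUp!
    if loc == "windows registry" or loc.startswith("hkey_"):
        return "registry_only"            # leftover keys, no file on disk
    if any(marker in loc for marker in TOOLKIT_MARKERS):
        return "cleanup_toolkit"          # see the TOOLKIT_MARKERS assumption
    if "temporary internet files" in loc or "\\recycler\\" in loc:
        return "cache_or_recycle_bin"     # browser cache / Recycle Bin copies
    return "remaining_file"               # still on disk and not accounted for


def triage(text):
    """Parse a report and summarise it: counts per bucket plus the files
    that still need a manual deletion step."""
    incidents = parse_report(text)
    counts = Counter(bucket(i) for i in incidents)
    remaining = sorted(i.location for i in incidents if bucket(i) == "remaining_file")
    return {"total": len(incidents), "counts": dict(counts), "remaining_files": remaining}


# Short excerpt of the ActiveScan report posted above (lines copied from the
# thread, not constructed), enough to exercise every bucket.
SAMPLE_REPORT = r"""Incident Status Location

Virus:W32/Sdbot.KAE.worm Disinfected Operating system
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware:adware/savenow Not disinfected Windows Registry
Adware:Adware/SpySheriff Not disinfected C:\csfjged.exe
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.mediaplex.com/]
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox\KillBox.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Duane\nircmd.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2NWD09G9\agmjxkuurb[1].txt
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\Molly\Application Data\Install.dat
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atdmt.com/]
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\jxxvoqo.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\Hijack This\backups\backup-20070301-200021-574.dll
Adware:Adware/RegistryCleaner Not disinfected C:\qrxgijet.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\uqjqg.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, n in sorted(result["counts"].items()):
        print(f"{name:22s} {n}")
    print("still on disk:")
    for path in result["remaining_files"]:
        print("  " + path)
```

On the excerpt this leaves five files on disk, among them C:\jxxvoqo.exe, which AVG also flags later in the thread.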
Old 03-17-2007, 09:25 AM   #51 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Was this Panda scan run after you ran SDFix?

Let's use this tool for cleaning--it seems to work better at cleaning the Firefox cookies:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

-------------------------------------------------------

Delete the following:

C:\qrxgijet.exe
C:\uqjqg.exe
C:\csfjged.exe
C:\Documents and Settings\Molly\Application Data\Install.dat

----------------------------------------------------------

Try to run the regfix I gave you earlier.

----------------------------------------------------------

Run another online scan at Panda and save the results.

----------------------------------------------------------

Run ComboScan.exe and post the ComboScan.txt here along with the Panda results.

Is IE still giving you problems?
Old 03-17-2007, 12:46 PM   #52 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Everything finished except Combofix, next post.

Was this Panda scan run after you ran SDFix?
Yes, the Panda scan was run after SDFix.

ATF was run
Files were deleted
Reg fix (regedit) ran with no problems
Results of Panda scan
-----------------------
Using Explorer, I went to C: to open the Panda file and got AVG warnings:

tujsjsqk.exe came up as an AVG threat
jxxvoqo.exe came up as an AVG threat

I did not do anything with the warnings, just let the time run out.

-----------------------

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/antivirus-gold Not disinfected Windows Registry
Adware:adware/easysearch Not disinfected Windows Registry
Adware:adware/adtomi Not disinfected Windows Registry
Adware:adware/browseraid Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Cookies\duane@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Duane\Cookies\duane@doubleclick[1].txt
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox\KillBox.exe
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox.zip[KillBox.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Duane\nircmd.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/hc/15514262]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.com.com/]
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\jxxvoqo.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\Hijack This\backups\backup-20070301-200021-574.dll
Adware:Adware/SpySheriff Not disinfected C:\RECYCLER\S-1-5-21-1784762916-2740901186-3389046013-1005\Dc1.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\RECYCLER\S-1-5-21-1784762916-2740901186-3389046013-1005\Dc2.exe
Adware:Adware/RegistryCleaner Not disinfected C:\RECYCLER\S-1-5-21-1784762916-2740901186-3389046013-1005\Dc3.exe
Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\S-1-5-21-1784762916-2740901186-3389046013-1005\Dc4.dat
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Virus:W32/Sdbot.KAE.worm Disinfected C:\WINDOWS\dmrproc.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Have to close the browser; the ComboScan log is in the next posting.

Thank you
cul8rman is offline  
Old 03-17-2007, 12:56 PM   #53 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Combo Scan report

ComboScan v20070306.20 run by Duane on 2007-03-17 at 11:46:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Duane.exe) -----------------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-17 11:49:53
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\KBDAP32A.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\dmrproc.exe
C:\Documents and Settings\Duane\Desktop\comboscan.exe
C:\Program Files\Hijack This\Duane.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra 'Tools' menuitem: (no name) - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker () - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon () - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo () - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack () - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers () - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess () - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage () - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice () - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish () - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire () - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker () - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (CiSvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Google Updater Service (gusvc) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Office Source Engine (ose) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Sygate Personal Firewall (SmcService) - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
O23 - Service: SymWMI Service (SymWSC) - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe"
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - "C:\WINDOWS\dmrproc.exe"
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-17 and 2007-03-17 -----------------------------

2007-03-17 10:29:32 53 --a------ C:\WINDOWS\System32\pfdnnt_actions.sys<PFDNNT~1.SYS>
2007-03-17 10:29:32 8704 --a------ C:\WINDOWS\System32\pfdnnt.exe
2007-03-17 09:52:03 84992 -----n--- C:\WINDOWS\dmrproc.exe
2007-03-16 17:21:13 1024 --a------ C:\jxxvoqo.exe
2007-03-15 23:24:50 0 --a------ C:\WINDOWS\System32\setup_84508.exe<SETUP_~2.EXE>
2007-03-15 18:10:26 0 --a------ C:\WINDOWS\System32\setup_25062.exe<SETUP_~1.EXE>
2007-03-14 22:35:19 7200 --a------ C:\tujsjsqk.exe
2007-03-14 21:52:31 30720 --a------ C:\WINDOWS\System32\rpcc.dll
2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat
2007-03-13 19:34:53 148 --a------ C:\delete.reg
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-09 18:42:41 639 --a------ C:\Combo.bat
2007-03-08 19:56:44 0 d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-24 10:28:21 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 21:42:30 129 --a------ C:\fix.bat
2007-02-20 23:22:43 0 d-------- C:\Program Files\backups


-- Find3M Report ---------------------------------------------------------------

2007-03-17 11:46:53 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-03-17 11:36:11 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-17 10:18:10 0 d-------- C:\Program Files\Picasa2
2007-03-17 10:16:21 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-17 10:11:15 0 d-------- C:\Program Files\iTunes
2007-03-17 10:10:02 0 d-------- C:\Program Files\Google
2007-03-17 10:07:36 0 d-------- C:\Program Files\BigFix
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-24 10:28:12 0 d-------- C:\Program Files\Grisoft
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-17 at 11:50:12 ------------------------

IE did not come up after running the scan; I tried the icon on the desktop and from the programs list. I will see how it works after powering off the PC.
cul8rman is offline  
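One triage check that a log like the one above supports, written here as an added example (it is not part of cul8rman's post, nor code from ComboScan or HijackThis): cross-reference the autostart entries (O4 Run keys, O20 Winlogon Notify handlers, O23 services) against the "Files created between" section, so that any persistence entry whose binary only appeared on disk in the last 30 days stands out from the long list of legitimate services. The sample lines are copied from the log in this post; on them the check singles out rpcc.dll (O20) and dmrproc.exe (O23). The parsing rules for the three entry types are assumptions based on the line layout visible in the log.

```python
import re

# Constructed sample input: a few lines copied from the ComboScan output in this post
# (HijackThis-style autostart entries and the "Files created" section).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - "C:\WINDOWS\dmrproc.exe"
"""

NEW_FILES_SAMPLE = r"""
2007-03-17 10:29:32 8704 --a------ C:\WINDOWS\System32\pfdnnt.exe
2007-03-17 09:52:03 84992 -----n--- C:\WINDOWS\dmrproc.exe
2007-03-16 17:21:13 1024 --a------ C:\jxxvoqo.exe
2007-03-14 21:52:31 30720 --a------ C:\WINDOWS\System32\rpcc.dll
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
"""

# A module path at the start of a command line: either a quoted path, or an
# unquoted path running up to a known executable extension (paths with spaces
# are often left unquoted in Run keys, as the Ulead entry above shows).
_PATH_RE = re.compile(
    r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|sys|ocx|bat)))(?:\s|$)',
    re.IGNORECASE,
)
# "<date> <time> <size> <attributes> <path>[<8.3 short name>]"
_NEWFILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ \S+ (.+?)(?:<[^>]*>)?$"
)


def _normalize(path):
    """Lower-case a Windows path so System32/system32 spellings compare equal."""
    return path.strip().lower()


def module_path(entry):
    """Return the normalised binary path from an O4, O20 or O23 line, or None."""
    prefix, _, rest = entry.partition(" - ")
    if prefix == "O4":
        # O4 - <hive>\..\Run: [name] <command line>
        _, _, command = rest.partition("] ")
    elif prefix in ("O20", "O23"):
        # O20 - Winlogon Notify: <name> - <path>
        # O23 - Service: <display name> (<short name>) - <command line>
        command = rest.rsplit(" - ", 1)[-1]
    else:
        return None
    m = _PATH_RE.match(command)
    if not m:
        return None
    return _normalize(m.group("quoted") or m.group("bare"))


def recently_created_files(newfiles_text):
    """Map normalised path -> creation date from the 'Files created between' section."""
    created = {}
    for line in newfiles_text.splitlines():
        m = _NEWFILE_RE.match(line.strip())
        if m:
            created[_normalize(m.group(2))] = m.group(1)
    return created


def flag_recent_autostarts(hjt_text, newfiles_text):
    """Autostart entries whose binary appears in the recently-created file list.

    Returns a list of (entry line, normalised path, creation date) in log order.
    """
    created = recently_created_files(newfiles_text)
    hits = []
    for line in hjt_text.splitlines():
        line = line.strip()
        path = module_path(line)
        if path and path in created:
            hits.append((line, path, created[path]))
    return hits


if __name__ == "__main__":
    for entry, path, date in flag_recent_autostarts(HJT_SAMPLE, NEW_FILES_SAMPLE):
        print(f"{date}  {path}\n    {entry}")
```

8.3 short names such as PROGRA~1 are not expanded, so an entry written that way only matches if the file list spells it the same; a run against a live system would resolve them first. The check is a prioritisation aid, not a verdict: a freshly installed legitimate program shows up the same way, which is why the creation date is reported alongside each hit.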
Old 03-17-2007, 03:33 PM   #54 (permalink)
Registered User
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

IE was slow but did come up.
cul8rman is offline  
Old 03-17-2007, 10:57 PM   #55 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Ok, let's see if we can knock all of this out at once.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Delete your current version of ComboFix.exe and download it again:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
@echo off
sc stop "Windows DMR Service"
sc delete "Windows DMR Service"
exit
Double click FixServices.bat. A window will open and close. This is normal.

-------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you named and located at C:\ComboFix2.txt. I'll need that in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Restart your system into Safe Mode.

--------------------------------------------------------------------

Delete the following files and folder if they still exist:

C:\jxxvoqo.exe
C:\tujsjsqk.exe
C:\WINDOWS\dmrproc.exe
C:\WINDOWS\System32\3718845C.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\System32\setup_25062.exe
C:\WINDOWS\System32\setup_84508.exe


--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Run ComboFix.exe again (not to be confused with ComboScan)

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.


Quote:
@echo off
sc stop "Windows DMR Service"
sc delete "Windows DMR Service"
exit

Double click FixServices.bat. A window will open and close. This is normal.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you named and located at C:\ComboFix2.txt. I'll need that in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


--------------------------------------------------------------------

Restart your system into Safe Mode.

--------------------------------------------------------------------

Delete the following files and folder if they still exist:

C:\jxxvoqo.exe
C:\tujsjsqk.exe
C:\WINDOWS\dmrproc.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\System32\setup_25062.exe
C:\WINDOWS\System32\setup_84508.exe

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Run another online scan at Panda and save the report.

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Run ComboFix.exe again (not to be confused with ComboScan)

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix2.txt
Panda results
C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-18-2007, 01:03 PM   #56 (permalink)
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

-------------------------------------------------------------------

Delete the following files and folder if they still exist:

C:\jxxvoqo.exe
C:\tujsjsqk.exe
C:\WINDOWS\dmrproc.exe
**** File was not present ****
C:\WINDOWS\System32\3718845C.exe
C:\WINDOWS\system32\i
**** This was a file ****
** Contents
I cannot find, looks like it was deleted
It did contain an IP address **
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\System32\setup_25062.exe
C:\WINDOWS\System32\setup_84508.exe

--------------------------------------------------------------------
second most recent combofix

"Duane" - 07-03-17 23:58:38 Service Pack 1
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Duane\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-17 to 2007-03-17 ))))))))))))))))))))))))))))))))))


2007-03-17 23:57 552 --a------ C:\Combo.bat
2007-03-17 23:53 0 --a------ C:\WINDOWS\system32\setup_42102.exe
2007-03-17 23:47 51,951,606 --a------ C:\Regedit 3.172.07.reg
2007-03-17 20:20 62,739 --a------ C:\WINDOWS\system32\setup_43327.exe
2007-03-17 17:55 62,739 --a------ C:\WINDOWS\system32\setup_45052.exe
2007-03-17 09:39 51,944,564 --a------ C:\regedit 3.17.07.reg
2007-03-13 20:51 136 --a------ C:\WINDOWS\system32\dgjun.bat
2007-03-13 19:32 51,995,858 --a------ C:\Regedit 3.13.07.reg
2007-03-12 18:20 491,768 --a------ C:\ie6setup.exe
2007-03-11 22:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Java
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24 <DIR> d-------- C:\DOCUME~1\Duane\APPLIC~1\Sun
2007-03-10 11:31 <DIR> d-------- C:\Rustbfix
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-17 11:46 -------- d-------- C:\Program Files\hijack this
2007-03-17 10:18 -------- d-------- C:\Program Files\picasa2
2007-03-17 10:16 -------- d-------- C:\Program Files\messenger
2007-03-17 10:11 -------- d-------- C:\Program Files\itunes
2007-03-17 10:10 -------- d-------- C:\Program Files\google
2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-17 23:59:44
C:\ComboFix2.txt ... 07-03-17 23:57
C:\ComboFix3.txt ... 07-03-17 23:31

--------------------------------------
********* Panda Scan **************

Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\FunWebProducts.DataControl.1
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/antivirus-gold Not disinfected Windows Registry
Adware:adware/easysearch Not disinfected Windows Registry
Adware:adware/adtomi Not disinfected Windows Registry
Adware:adware/browseraid Not disinfected Windows Registry
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Cookies\duane@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Duane\Cookies\duane@doubleclick[1].txt
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox\KillBox.exe
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Duane\Desktop\killbox.zip[KillBox.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Duane\nircmd.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/hc/15514262]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.com.com/]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\Hijack This\backups\backup-20070301-200021-574.dll
Virus:W32/Sdbot.ftp.worm Disinfected C:\RECYCLER\S-1-5-21-1784762916-2740901186-3389046013-1005\Dc1
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\Contents of i.txt
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_41663.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_43327.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_45052.exe
------------------------------------------

Will post new combo and HJT soon.
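Ried's step list asks for four logs back (ComboFix2.txt, the Panda results, ComboFix.txt and a fresh HijackThis log), and the post above shows what two of them look like. The script below is an added example for readers of the thread, not code from ComboFix, Panda, HijackThis or the forum: it parses the ComboFix "Files Created" listing and the Panda "Incident Status Location" lines, counts Panda incidents by category and status, lists what Panda left in place, flags files created since a given date whose names match the indicator patterns taken from the delete list and Panda results posted in this thread, and cross-references the two logs. The indicator patterns and the sample log lines are assumptions built from entries in this thread; they are illustrative for this one infection, not general-purpose signatures.

```python
"""Triage of the two log formats posted in this thread: the ComboFix
"Files Created" listing and the Panda ActiveScan report.  Added example,
not code from ComboFix, Panda or the forum; sample lines are constructed
from entries that appear in the posts above."""
import re
from collections import Counter
from datetime import datetime

# ComboFix "Files Created" line: date, time, size (or <DIR>), attributes, path
COMBOFIX_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

# Panda line: "Category:Name Status Location"; Name may contain spaces,
# so it is matched non-greedily up to the first status phrase.
PANDA_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Disinfected|Not disinfected) (?P<location>.+)$")

# Illustrative indicator patterns derived from the delete list and Panda
# results in this thread (assumption: specific to this infection only).
INDICATORS = [
    ("setup_<digits>.exe dropped in system32",
     re.compile(r"\\system32\\setup_\d+\.exe$", re.IGNORECASE)),
    ("single-letter file or 5-letter .tmp in system32",
     re.compile(r"\\system32\\(?:[a-z]|[a-z]{5}\.tmp)$", re.IGNORECASE)),
    ("random-name .exe in the drive root",
     re.compile(r"^[a-z]:\\[a-z]{6,8}\.exe$", re.IGNORECASE)),
]

def parse_combofix(text):
    """One dict per 'Files Created' line; size is None for directories."""
    entries = []
    for line in text.splitlines():
        m = COMBOFIX_RE.match(line.strip())
        if not m:
            continue  # section banners and blank lines
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append({"created": created, "size": size,
                        "attrs": m["attrs"], "path": m["path"]})
    return entries

def parse_panda(text):
    """One dict (category, name, status, location) per Panda incident line."""
    matches = (PANDA_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize_panda(findings):
    """Count incidents by (category, status), e.g. ('Virus', 'Disinfected')."""
    return Counter((f["category"], f["status"]) for f in findings)

def not_cleaned(findings):
    """Locations Panda reported but left in place; these still need attention."""
    return [f["location"] for f in findings if f["status"] == "Not disinfected"]

def flag_created_files(entries, since):
    """Files created on or after `since` (YYYY-MM-DD) whose path matches an
    indicator.  Matches appearing after a cleanup pass are worth reporting back."""
    since_dt = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for e in entries:
        if e["size"] is None or e["created"] < since_dt:
            continue
        for label, pattern in INDICATORS:
            if pattern.search(e["path"]):
                flagged.append({**e, "indicator": label})
                break
    return flagged

def cross_reference(entries, findings):
    """Paths ComboFix saw created that Panda also reported (case-insensitive)."""
    detected = {f["location"].lower() for f in findings}
    return sorted(e["path"] for e in entries if e["path"].lower() in detected)

def triage(combofix_text, panda_text, since):
    entries, findings = parse_combofix(combofix_text), parse_panda(panda_text)
    return {"panda_summary": summarize_panda(findings),
            "not_cleaned": not_cleaned(findings),
            "new_indicator_files": flag_created_files(entries, since),
            "created_and_detected": cross_reference(entries, findings)}

# Constructed samples, copied from log entries posted in this thread.
COMBOFIX_SAMPLE = r"""
((((((( Files Created from 2007-02-17 to 2007-03-17 )))))))

2007-03-17 23:57 552 --a------ C:\Combo.bat
2007-03-17 23:53 0 --a------ C:\WINDOWS\system32\setup_42102.exe
2007-03-17 20:20 62,739 --a------ C:\WINDOWS\system32\setup_43327.exe
2007-03-17 17:55 62,739 --a------ C:\WINDOWS\system32\setup_45052.exe
2007-03-13 20:51 136 --a------ C:\WINDOWS\system32\dgjun.bat
2007-03-11 22:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
"""

PANDA_SAMPLE = r"""
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Cookies\duane@atdmt[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_41663.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_43327.exe
Virus:W32/Sdbot.IQM.worm Disinfected C:\WINDOWS\system32\setup_45052.exe
"""

if __name__ == "__main__":
    for key, value in triage(COMBOFIX_SAMPLE, PANDA_SAMPLE, "2007-03-17").items():
        print(f"{key}: {value}")
```

Running it on the constructed samples shows three setup_NNNNN.exe files created on 2007-03-17 (one of them zero bytes), two Panda incidents left undisinfected, and three paths that appear in both logs. The helper keeps the "Not disinfected" list separate from the "Disinfected" count because a disinfected entry has already been handled by the scanner, while the others are exactly the items a helper like Ried has to address by hand in the next set of instructions.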
Old 03-18-2007, 04:07 PM   #57 (permalink)
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Results of last Combofix scan

"Duane" - 07-03-18 14:46:56 Service Pack 1
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Duane\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-18 to 2007-03-18 ))))))))))))))))))))))))))))))))))


2007-03-18 12:06 552 --a------ C:\Combo.bat
2007-03-18 11:16 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-03-18 11:16 237 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-03-18 09:51 77 --a------ C:\delete.reg
2007-03-18 09:40 51,955,192 --a------ C:\regedit 3.18.07.reg
2007-03-18 09:26 0 --a------ C:\WINDOWS\system32\setup_10548.exe
2007-03-17 23:53 0 --a------ C:\WINDOWS\system32\setup_42102.exe
2007-03-17 23:47 51,951,606 --a------ C:\Regedit 3.172.07.reg
2007-03-17 09:39 51,944,564 --a------ C:\regedit 3.17.07.reg
2007-03-13 20:51 136 --a------ C:\WINDOWS\system32\dgjun.bat
2007-03-13 19:32 51,995,858 --a------ C:\Regedit 3.13.07.reg
2007-03-12 18:20 491,768 --a------ C:\ie6setup.exe
2007-03-11 22:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Java
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24 <DIR> d-------- C:\DOCUME~1\Duane\APPLIC~1\Sun
2007-03-10 11:31 <DIR> d-------- C:\Rustbfix
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-18 10:52 -------- d-------- C:\Program Files\picasa2
2007-03-18 10:50 -------- d-------- C:\Program Files\messenger
2007-03-18 10:45 -------- d-------- C:\Program Files\itunes
2007-03-18 10:44 -------- d-------- C:\Program Files\google
2007-03-17 11:46 -------- d-------- C:\Program Files\hijack this
2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-18 14:48:01
C:\ComboFix2.txt ... 07-03-18 12:06
C:\ComboFix3.txt ... 07-03-18 09:22


HJT file

Logfile of HijackThis v1.99.1
Scan saved at 3:04:02 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of posts.
Please let me know what to do next. Thank you.
03-18-2007, 09:45 PM   #58
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Hi,

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop and double-click gmer.exe

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button, open Notepad and paste the log into a new text file (using Ctrl + V), save it somewhere you can find it, and post the log in this thread.
03-18-2007, 11:54 PM   #59
cul8rman, Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Greetings from toasty AZ. I have posted the log file of the last scan.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-18 22:49:03
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPTransmit + 887 EE331341 6 Bytes CALL F7412E50 Teefer.sys
.text tcpip.sys!IPTransmit + 904A EE339B04 6 Bytes CALL F7412E50 Teefer.sys
.text tcpip.sys!IPSetIPSecStatus + 1142 EE346DA8 6 Bytes CALL F7412E50 Teefer.sys
.text wanarp.sys F772B0C1 4 Bytes CALL F7412FA0 Teefer.sys
.text wanarp.sys F772B0C6 2 Bytes [ 90, 90 ]
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F76F7480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F76F75A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F76F7480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F76F75A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F76F7480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F76F75A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F76F7480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F76F75A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F76F7480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F76F75A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys

---- EOF - GMER 1.0.12 ----

IE is still taking a long time to load, and saving a file can be tricky when trying to change the location to save it.

Thank you for your help.
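What the analyst does with the GMER output above is correlate it with the HijackThis log posted earlier in the thread. GMER attributes the SSDT and TDI device hooks to wpsdrvnt.sys and Teefer.sys (both ship with Sygate Personal Firewall, which the O23 list shows running as SmcService), to guard.sys (AVG Anti-Spyware 7.5, per its own path) and to avgtdi.sys, while the ntdll.dll inline JMPs and the two-byte patch in wanarp.sys carry no module name at all; those are the entries that need a second look. The script below is an added example and is not part of the thread, of GMER or of HijackThis: it parses the three GMER sections and the O23 service lines into records, groups hooks by the module GMER blamed, checks each known module against the installed services, and lists the unattributed hooks for follow-up. The KNOWN_SECURITY_DRIVERS map and the sample log lines are constructed for illustration (the lines copy the formats shown in this thread; the map is this example's assumption, not a vendor list).

```python
"""Triage of GMER hook listings against the services a HijackThis log reports.
Added example, not from the thread or from GMER/HijackThis: the sample lines are
constructed in the formats shown above; KNOWN_SECURITY_DRIVERS is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping of hooking module (lower-cased file name) to the product that
# installs it; confirm each against the vendor before relying on it.
KNOWN_SECURITY_DRIVERS = {
    "wpsdrvnt.sys": "Sygate Personal Firewall",
    "teefer.sys": "Sygate Personal Firewall",
    "guard.sys": "AVG Anti-Spyware",
    "avgtdi.sys": "AVG",
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<path>.+?)\s+(?P<target>Zw\w+)$")
TEXT_RE = re.compile(r"^\.text\s+(?P<target>\S+)\s.*?\b(?:CALL|JMP)\s+"
                     r"(?P<addr>[0-9A-F]+)(?:\s+(?P<owner>\S+))?$")
TEXT_PATCH_RE = re.compile(r"^\.text\s+(?P<target>\S+)")
DEVICE_RE = re.compile(r"^Device\s+\S+\s+(?P<device>\S+)\s+(?P<target>IRP_MJ_\w+)\s+"
                       r"\[(?P<addr>[0-9A-F]+)\]\s+(?P<owner>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

@dataclass
class Hook:
    kind: str             # "ssdt", "inline" or "device"
    target: str           # Zw* name, code symbol, or "device IRP_MJ_*"
    addr: Optional[str]   # hook destination as GMER printed it, if any
    owner: Optional[str]  # lower-cased module GMER attributed the hook to, if any

def _basename(path: str) -> str:
    return path.split("\\")[-1].lower()

def parse_gmer(text: str) -> List[Hook]:
    """Turn GMER's System, Kernel code sections and Devices lines into Hooks."""
    hooks = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SSDT_RE.match(line):
            hooks.append(Hook("ssdt", m["target"], None, _basename(m["path"])))
        elif m := TEXT_RE.match(line):
            owner = _basename(m["owner"]) if m["owner"] else None
            hooks.append(Hook("inline", m["target"], m["addr"], owner))
        elif m := TEXT_PATCH_RE.match(line):
            # byte patch with no CALL/JMP destination, e.g. "[ 90, 90 ]" NOPs
            hooks.append(Hook("inline", m["target"], None, None))
        elif m := DEVICE_RE.match(line):
            hooks.append(Hook("device", f"{m['device']} {m['target']}",
                              m["addr"], _basename(m["owner"])))
    return hooks

def parse_hjt_services(text: str) -> List[dict]:
    """Extract O23 lines: service display name, vendor string and image path."""
    return [m.groupdict() for m in map(O23_RE.match, text.splitlines()) if m]

def triage(gmer_text: str, hjt_text: str) -> dict:
    """Group hooks by owning module; 'installed' means the product assumed to own
    that module appears among the O23 service names. Unattributed hooks get
    their own bucket because those are the ones that need a second look."""
    names = " | ".join(s["name"] for s in parse_hjt_services(hjt_text)).lower()
    grouped = defaultdict(list)
    for hook in parse_gmer(gmer_text):
        grouped[hook.owner or "(unattributed)"].append(hook)
    report = {}
    for owner, hooks in grouped.items():
        product = KNOWN_SECURITY_DRIVERS.get(owner)
        report[owner] = {
            "hooks": len(hooks),
            "product": product,
            "installed": product is not None and product.lower() in names,
        }
    return report

def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks GMER could not tie to a module: chase these before the others."""
    return [h for h in hooks if h.owner is None]

# Constructed sample in the GMER 1.0.12 format shown in the thread (subset).
SAMPLE_GMER = r"""
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
.text tcpip.sys!IPTransmit + 887 EE331341 6 Bytes CALL F7412E50 Teefer.sys
.text wanarp.sys F772B0C6 2 Bytes [ 90, 90 ]
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F76F7220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B1885A] avgtdi.sys
"""
# Constructed sample of HijackThis 1.99.1 O23 lines (subset).
SAMPLE_HJT = r"""
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

if __name__ == "__main__":
    for owner, info in triage(SAMPLE_GMER, SAMPLE_HJT).items():
        verdict = "matching service installed" if info["installed"] else "no matching service"
        print(f"{owner:16} {info['hooks']:2d} hook(s)  {info['product'] or '-':26} {verdict}")
    for h in unattributed_hooks(parse_gmer(SAMPLE_GMER)):
        print(f"  follow up: {h.kind} hook on {h.target} -> {h.addr or 'byte patch'}")
```

Run it as-is to see the grouped report, or feed it the full GMER and HijackThis logs from the thread. A hook whose owner is in the map but whose product is not in the O23 list, or a hook with no owner at all, is what to investigate; a hook that maps to an installed firewall or anti-spyware product is expected for that software and is not by itself evidence of a rootkit.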
03-19-2007, 06:41 AM   #60
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,862
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Run SDFix once again:

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).


Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Post the contents of the Report.txt.

------------------------------------------------

Navigate to this folder:

C:\Windows\System32 and look for files similar to the following:

C:\WINDOWS\system32\setup_ (some random number).exe

If you see any, please list them here for me and if possible, do not reboot your system until I reply.
Last edited by Ried; 03-19-2007 at 06:43 AM. Reason: open bb tag
 


Copyright 2001 - 2009, Tech Support Forum