02-17-2007, 05:53 PM   #1
Registered User
Join Date: Oct 2006
Posts: 79
OS: winxp

persistent rootkit and messenger service pop-ups

Hi,

I'm back! I posted here a few months ago and am still having problems. Originally, I sought help with the removal of x-cleaner and then to regain control of my computer.

I did two clean installs and ran into the same problems both times. First, when connected to the internet, I would get messenger service popups saying I had 55 critical system errors or that my registry was damaged or corrupted. The popups would instruct me to log onto certain websites such as registryalert.com, helpfix.com, or registrycleanerxp.com to rid me of these popups. Of course, I did not.

I have dial-up and it was taking considerable time to download my virus protection and Explorer updates. I kept getting kicked off the computer. Once I got Trend PC-cillin downloaded, it never worked.

I tried to download Ad-Aware and run it and my computer went kaflooey! I couldn't connect to the internet anymore and something in my computer was trying to connect by itself.

I had to take it to the shop. After two weeks, all they were able to do was remove the viruses and spyware programs. They said I had some devils, but gave me no particulars.

When I got it home and tried to log on, I was unable to download websites. I would have blank screens. I decided to reinstall again. And I'm still getting messenger service pop-ups and got kicked off the internet when I tried to do the panda scan. Here's what I've been able to do so far:

I downloaded PC-cillin from disk and ran it. It found no viruses, but removed some spyware. Logs below.

I downloaded Ad-Aware with the VX2 tool and ran them. Ad-Aware found 2 Alexa items and some MRU list items, which I removed with the program. I also downloaded SpywareBlaster and SpywareGuard and have them running.

Have tried doing two Panda ActiveScans and got kicked off both times. Last time things got dicey: I got an "lsass.exe application error" which said "0x77f5234e" memory could not be written. Then my SpywareGuard program kicked in and said I had a BHO called toolbar trying to download. Then I got kicked off. There must have been some changes made to my computer, because I had trouble logging on to the internet again and had to dial up from EarthLink's disk.

I have Windows XP with SP1 and I did manage to download SP1a. It took 6 hours, but I didn't get kicked off....

I downloaded ComboScan and HijackThis and ran them. Logs below.

When I was trying to do my Panda scan, my PC-cillin was trying to update. The update stopped when I got kicked off, but when I looked at my Trend logs I saw it found two viruses right around the time I thought it was updating.... (log below).

I will continue, cautiously, to download my updates for PC-cillin and do a Panda scan, but I wanted to get this thread in in case I have trouble getting back on.

Here are my logs so far:

Trend: (one spyware log taken out to shorten, per request)

"Virus Scan Logs","2007/02/17","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"19:19","File Monitor","File","BKDR_SDBOT.GAA","C:\WINDOWS\system32\.exe","Quarantine Success",""
"19:57","File Monitor","File","WORM_SDBOT.DYX","C:\WINDOWS\system32\TFTP3172","Quarantine Success",""


"Spyware Scan Logs","2007/02/16","GALAXY"
"Time","Area","Item Name","Detected Resource","Target","Action"
"21:14","Bad Internet Browser Cookies","Cookie_2o7","Internet Explorer Cache","2o7.net","Detected"
"21:14","Bad Internet Browser Cookies","Cookie_Tacoda","Internet Explorer Cache","tacoda.net","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\S-1-5-21-602162358-2052111302-725345543-1004\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:14","Registry","TSPY_Clicker.CP","HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main","Search Page","Detected"
"21:22","Bad Internet Browser Cookies","Cookie_2o7","Internet Explorer Cache","2o7.net","Quarantined"
"21:22","Bad Internet Browser Cookies","Cookie_Tacoda","Internet Explorer Cache","tacoda.net","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\S-1-5-21-602162358-2052111302-725345543-1004\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"21:22","Registry","TSPY_Clicker.CP","HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main","Search Page","Quarantined"
"22:48","Your computer's memory","aawsepersonal.exe","C:\Documents and Settings\deborah stone\Desktop","aawsepersonal.exe","Detected"
"22:53","Your computer's memory","vx2cleaner_inst.exe","C:\Documents and Settings\deborah stone\Desktop","vx2cleaner_inst.exe","Detected"
"23:05","Your computer's memory","spywareblastersetup351.exe","C:\Documents and Settings\deborah stone\Desktop","spywareblastersetup351.exe","Detected"
"23:05","Your computer's memory","is-N71PS.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\is-0NV6C.tmp","is-N71PS.tmp","Detected"
"23:05","Your computer's memory","spywareblaster.exe","C:\Program Files\SpywareBlaster","spywareblaster.exe","Detected"
"23:12","Your computer's memory","spywareguardsetup.exe","C:\Documents and Settings\deborah stone\Desktop","spywareguardsetup.exe","Detected"
"23:12","Your computer's memory","INS6B.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp","INS6B.tmp","Detected"
"23:13","Internet Explorer plug-ins","C:\Program Files\SpywareGuard\dlprotect.dll","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects","{4A368E80-174F-4872-96B5-0B27DDD11DB2}","Detected"
"23:13","Your computer's startup software","C:\Program Files\SpywareGuard\sgmain.exe","C:\Documents and Settings\deborah stone\Start Menu\Programs\StartUp\SpywareGuard.lnk","C:\Program Files\SpywareGuard\sgmain.exe","Detected"
"23:44","Your computer's memory","spybotsd14.exe","C:\Documents and Settings\deborah stone\Desktop","spybotsd14.exe","Detected"
"23:44","Your computer's memory","is-QA8RD.tmp","C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\is-29QJ5.tmp","is-QA8RD.tmp","Detected"
"23:44","Internet Explorer plug-ins","C:\Program Files\Spybot - Search & Destroy\SDHelper.dll","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects","{53707962-6F74-2D53-2644-206D7942484F}","Detected"
"23:45","Your computer's memory","SpybotSD.exe","C:\Program Files\Spybot - Search & Destroy","SpybotSD.exe","Detected"
"23:58","Your computer's memory","update.exe","C:\Program Files\Spybot - Search & Destroy","update.exe","Detected"


ComboScan:

ComboScan v20070212.14 run by deborah stone on 2007-02-17 at 19:42:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as deborah stone.com) ------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:42:43 PM, on 2/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\lssas.exe
C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}\Update.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Documents and Settings\deborah stone\Desktop\comboscan.exe
C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\~hrjcqec.tmp\deborah stone.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38739~1\Bar888.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144 (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 aeaudio - system32\drivers\aeaudio.sys
3 ati2mtaa - System32\DRIVERS\ati2mtaa.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys
3 E100B (Intel(R) PRO Adapter Driver) - System32\DRIVERS\e100b325.sys
2 Fallback - System32\DRIVERS\HSF_FALL.sys
2 Fsks - System32\DRIVERS\HSF_FSKS.sys
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys
2 K56 - System32\DRIVERS\HSF_K56K.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0 PCIIde - System32\DRIVERS\pciide.sys
3 Rksample - System32\DRIVERS\HSF_SAMP.sys
3 smwdm - system32\drivers\smwdm.sys
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys
2 SpeakerPhone - System32\DRIVERS\HSF_SPKP.sys
3 tmcfw (Trend Micro Common Firewall Service) - System32\DRIVERS\TM_CFW.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
2 tmmbd (Trend Micro MBD Driver) - System32\DRIVERS\tm_mbd_c.sys
2 Tmpreflt - System32\drivers\Tmpreflt.sys
1 tmtdi (Trend Micro TDI Driver) - System32\DRIVERS\tmtdi.sys
2 tmxpflt - System32\drivers\TmXPFlt.sys
2 Tones - System32\DRIVERS\HSF_TONE.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
2 V124 - System32\DRIVERS\HSF_V124.sys
2 Vsapint - System32\drivers\VsapiNT.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 Client IP-IPX - "C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144
2 PcCtlCom (Trend Micro Central Control Component) - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
3 PcScnSrv (Trend Micro Protection Against Spyware ) - "C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe"
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 Tmntsrv (Trend Micro Real-time Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
2 TmPfw (Trend Micro Personal Firewall) - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
2 tmproxy (Trend Micro Proxy Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Files created between 2007-01-17 and 2007-02-17 ------------------------------

2007-02-17 19:42:39 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-17 19:30:06 0 d-------- C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}<{18739~1>
2007-02-17 19:28:40 0 d-------- C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}<{38739~1>
2007-02-17 19:28:38 2560 --a------ C:\WINDOWS\System32\unsvchosts.exe<UNSVCH~1.EXE><Unsigned: n/a>
2007-02-17 19:28:38 36864 --a------ C:\WINDOWS\System32\svchosts.exe<Unsigned: n/a>
2007-02-17 19:25:52 90437 --a------ C:\WINDOWS\System32\mc-110-12-0000144.exe<MC-110~1.EXE><Unsigned: n/a>
2007-02-17 19:03:32 13728 --a------ C:\WINDOWS\System32\setup_57320.exe<SETUP_~1.EXE><Unsigned: n/a>
2007-02-17 18:17:10 0 d-------- C:\WINDOWS\Prefetch
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ehome
2007-02-17 18:13:23 450176 -----n--- C:\WINDOWS\System32\drivers\ati2mtag.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 34735 -----n--- C:\WINDOWS\System32\drivers\atinxsxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 29455 -----n--- C:\WINDOWS\System32\drivers\atinxbxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 36463 -----n--- C:\WINDOWS\System32\drivers\atintuxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 21343 -----n--- C:\WINDOWS\System32\drivers\atinttxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 26367 -----n--- C:\WINDOWS\System32\drivers\atinsnxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 63663 -----n--- C:\WINDOWS\System32\drivers\atinrvxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 30671 -----n--- C:\WINDOWS\System32\drivers\atinraxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 12047 -----n--- C:\WINDOWS\System32\drivers\atinpdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 11615 -----n--- C:\WINDOWS\System32\drivers\atinmdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 56591 -----n--- C:\WINDOWS\System32\drivers\atinbtxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:21 921475 -----n--- C:\WINDOWS\System32\ati3d2ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 844675 -----n--- C:\WINDOWS\System32\ati3d1ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 202496 -----n--- C:\WINDOWS\System32\ati2dvag.dll<Signed: ATI Technologies Inc.>
2007-02-17 10:30:48 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-17 10:21:56 1168 --a------ C:\WINDOWS\mozver.dat
2007-02-17 10:07:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-17 1054 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-17 09:11:43 0 d-------- C:\WINDOWS\System32\NtmsData
2007-02-17 08:50:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-02-17 08:49:55 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-16 23:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-16 23:13:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-16 23:05:12 118784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-16 23:05:12 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-16 22:49:13 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Lavasoft
2007-02-16 22:49:08 0 d-------- C:\Program Files\Lavasoft
2007-02-16 22:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-16 22:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-16 21:54:44 0 d-------- C:\WINDOWS\System32\PreInstall<PREINS~1>
2007-02-16 21:54:40 0 d--h----- C:\WINDOWS\$hf_mig$
2007-02-16 21:53:53 0 d-------- C:\WINDOWS\System32\bits
2007-02-16 21:25:46 0 d-------- C:\WINDOWS\SoftwareDistribution<SOFTWA~1>
2007-02-16 21:10:21 101376 --a------ C:\WINDOWS\System32\drivers\tm_mbd_c.sys<Unsigned: Trend Micro Inc.>
2007-02-16 21:10:20 281600 --a------ C:\WINDOWS\System32\drivers\TM_CFW.sys<Signed: Trend Micro Inc.>
2007-02-16 21:09:53 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-02-16 21:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro<TRENDM~1>
2007-02-16 2158 0 d-------- C:\Program Files\Sophos
2007-02-16 21:03:24 0 d---s---- C:\Documents and Settings\deborah stone\UserData
2007-02-16 20:57:30 0 d-------- C:\Documents and Settings\deborah stone\Application Data\EarthLink Toolbar<EARTHL~2>
2007-02-16 20:54:42 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Earthlink<EARTHL~1>
2007-02-16 20:52:24 0 d-------- C:\Program Files\EarthLink TotalAccess<EARTHL~1>
2007-02-16 20:50:28 0 d-------- C:\Program Files\UIU
2007-02-16 20:38:29 0 d-------- C:\Program Files\Common Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:37:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:30:35 53248 --a------ C:\WINDOWS\System32\Prounstl.exe<Signed: Intel Corporation>
2007-02-16 20:30:35 23040 --a------ C:\WINDOWS\System32\IntelNic.dll<Signed: Intel Corporation>
2007-02-16 20:30:35 139776 --a------ C:\WINDOWS\System32\drivers\e100b325.sys<Signed: Intel Corporation>
2007-02-16 20:29:38 3744 --a------ C:\WINDOWS\System32\drivers\smsens.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:38 4816 --a------ C:\WINDOWS\System32\drivers\aeaudio.sys<Signed: Andrea Electronics Corporation>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\DSndUp.exe<Unsigned: Analog Devices Inc.>
2007-02-16 20:29:37 545208 --a------ C:\WINDOWS\System32\drivers\smwdm.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\CleanUp.exe<Unsigned: adi>
2007-02-16 20:29:37 720896 --a------ C:\WINDOWS\System32\a3d.dll<Signed: Sensaura Ltd>
2007-02-16 20:29:37 0 d-------- C:\Program Files\Analog Devices<ANALOG~1>
2007-02-16 20:28:58 4557 -----n--- C:\WINDOWS\System32\atiicdxx.sys<Unsigned: ATI Technologies Inc.>
2007-02-16 20:28:45 295168 --a------ C:\WINDOWS\System32\drivers\ati2mtaa.sys<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 1175642 --a------ C:\WINDOWS\System32\atioglaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 98304 --a------ C:\WINDOWS\System32\atiiprxx.exe<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 229376 --a------ C:\WINDOWS\System32\atiiiexx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 102400 --a------ C:\WINDOWS\System32\Atiidtxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 45056 --a------ C:\WINDOWS\System32\atiicpxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 327774 --a------ C:\WINDOWS\System32\atiicdxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 40960 --a------ C:\WINDOWS\System32\Ati2mdxx.exe<Signed: ATI Technologies, Inc.>
2007-02-16 20:28:45 318080 --a------ C:\WINDOWS\System32\ati2dvaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:27:48 0 d--hs---- C:\RECYCLER
2007-02-16 20:25:17 0 d-------- C:\Program Files\Intel
2007-02-16 20:24:57 0 d-------- C:\WINDOWS\System32\ReinstallBackups<REINST~1>
2007-02-16 20:23:43 176128 --a------ C:\WINDOWS\System32\RcdScan.dll<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:43 446464 -ra------ C:\WINDOWS\System32\hhactivex.dll<HHACTI~1.DLL><Unsigned: Blue Sky Software Corporation.>
2007-02-16 20:23:41 89360 --a------ C:\WINDOWS\System32\VB5DB.DLL<Unsigned: Microsoft Corporation>
2007-02-16 20:23:40 13632 -----n--- C:\WINDOWS\System32\drivers\omci.sys<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:40 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-16 20:23:34 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-02-16 20:22:13 0 d--hs---- C:\WINDOWS\Installer<INSTAL~1>
2007-02-16 20:21:57 1310720 --ah----- C:\Documents and Settings\deborah stone\NTUSER.DAT
2007-02-16 20:20:57 0 d--hs---- C:\System Volume Information<SYSTEM~1>
2007-02-16 20:20:56 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-02-16 20:20:55 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-02-16 20:18:12 0 d-------- C:\WINDOWS\System32\xircom
2007-02-16 20:18:12 0 d-------- C:\Program Files\microsoft frontpage<MICROS~1>
2007-02-16 20:18:09 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-02-16 20:18:09 0 d-------- C:\DELL
2007-02-16 20:18:00 0 -rahs---- C:\MSDOS.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 -rahs---- C:\IO.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\CONFIG.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\AUTOEXEC.BAT
2007-02-16 20:17:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-02-16 20:16:58 0 dr------- C:\WINDOWS\Offline Web Pages<OFFLIN~1>
2007-02-16 20:16:58 0 d---s---- C:\WINDOWS\Downloaded Program Files<DOWNLO~1>
2007-02-16 20:16:30 0 d-------- C:\WINDOWS\System32\DirectX
2007-02-16 20:15:55 28672 --a------ C:\WINDOWS\System32\isrdbg32.dll<Signed: Intel Corporation>
2007-02-16 20:15:49 0 d---s---- C:\WINDOWS\Tasks
2007-02-16 20:15:46 0 d-------- C:\Program Files\Common Files\MSSoap
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\System32\Macromed
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\srchasst
2007-02-16 20:15:40 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-02-16 20:15:37 0 d-------- C:\WINDOWS\PCHealth
2007-02-16 20:15:36 0 d-------- C:\WINDOWS\System32\Restore
2007-02-16 20:15:22 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat<EMPTYR~1.DAT>
2007-02-16 20:15:06 0 d-------- C:\WINDOWS\Registration<REGIST~1>
2007-02-16 20:14:37 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-02-16 20:14:37 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-02-16 20:14:31 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-16 20:14:27 0 d-------- C:\Program Files\MSN Gaming Zone<MSNGAM~1>
2007-02-16 20:14:20 489984 --a------ C:\WINDOWS\System32\hypertrm.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:20 44544 --a------ C:\WINDOWS\System32\hticons.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:10 1161 --a------ C:\WINDOWS\System32\usrlogon.cmd
2007-02-16 20:13:57 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\MsDtc
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\Com
2007-02-16 15:09:27 9759 --a------ C:\WINDOWS\System32\HSF_INST.dll<Signed: Conexant>
2007-02-16 15:09:27 488383 --a------ C:\WINDOWS\System32\drivers\HSF_V124.sys<Signed: Conexant>
2007-02-16 15:09:27 50751 --a------ C:\WINDOWS\System32\drivers\HSF_TONE.sys<Signed: Conexant>
2007-02-16 15:09:27 73279 --a------ C:\WINDOWS\System32\drivers\HSF_SPKP.sys<Signed: Conexant>
2007-02-16 15:09:27 44863 --a------ C:\WINDOWS\System32\drivers\HSF_SOAR.sys<Signed: Conexant>
2007-02-16 15:09:27 57471 --a------ C:\WINDOWS\System32\drivers\HSF_SAMP.sys<Signed: Conexant>
2007-02-16 15:09:27 542879 --a------ C:\WINDOWS\System32\drivers\HSF_MSFT.sys<Signed: Conexant>
2007-02-16 15:09:27 391199 --a------ C:\WINDOWS\System32\drivers\HSF_K56K.sys<Signed: Conexant>
2007-02-16 15:09:27 115807 --a------ C:\WINDOWS\System32\drivers\HSF_FSKS.sys<Signed: Conexant>
2007-02-16 15:09:27 199711 --a------ C:\WINDOWS\System32\drivers\HSF_FAXX.sys<Signed: Conexant>
2007-02-16 15:09:27 289887 --a------ C:\WINDOWS\System32\drivers\HSF_FALL.sys<Signed: Conexant>
2007-02-16 15:09:27 67167 --a------ C:\WINDOWS\System32\drivers\HSF_BSC2.sys<Signed: Conexant>
2007-02-16 15:09:27 150239 --a------ C:\WINDOWS\System32\drivers\HSF_AMOS.sys<Signed: Conexant>
2007-02-16 15:08:13 0 d-------- C:\Program Files\Common Files\ODBC
2007-02-16 15:08:10 0 dr------- C:\Program Files<PROGRA~1>
2007-02-16 15:08:10 0 d-------- C:\Program Files\Common Files\SpeechEngines<SPEECH~1>
2007-02-16 15:07:59 24661 --a------ C:\WINDOWS\System32\spxcoins.dll<Signed: Perle Systems Ltd.>
2007-02-16 15:07:59 103424 --a------ C:\WINDOWS\System32\EqnClass.Dll<Signed: Equinox Systems Inc.>
2007-02-16 15:07:59 85020 --a------ C:\WINDOWS\System32\dgsetup.dll<Signed: Digi International>
2007-02-16 15:07:59 176157 --a------ C:\WINDOWS\System32\dgrpsetu.dll<Signed: Digi International, Inc.>
2007-02-16 15:07:49 0 dr------- C:\Documents and Settings\All Users\Documents<DOCUME~1>
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot2
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot
2007-02-16 15:07:15 0 d-------- C:\Documents and Settings<DOCUME~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\WinSxS
2007-02-16 15:03:03 0 dr------- C:\WINDOWS\Web
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\twain_32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wins
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wbem
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\usmt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\spool
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ShellExt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\Setup
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ras
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\oobe
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\npp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\inetsrv
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\IME
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\icsxml
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ias
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\export
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\etc
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\disdn
2007-02-16 15:03:03 0 dr-hs--c- C:\WINDOWS\System32\dllcache
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\dhcp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3com_dmi
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3076
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\2052
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1054
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1042
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1041
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1037
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1033
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1031
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1028
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1025
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\security
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Resources<RESOUR~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\repair
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msapps
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msagent
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Media
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\java
2007-02-16 15:03:03 0 d--h----- C:\WINDOWS\inf
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\ime
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Help
2007-02-16 15:03:03 0 dr--s---- C:\WINDOWS\Fonts
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Driver Cache<DRIVER~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Debug
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Cursors
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Connection Wizard<CONNEC~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\AppPatch
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\addins


-- Find3M Report ----------------------------------------------------------------

2007-02-17 10:22:59 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Macromedia<MACROM~1>
2007-02-17 10:07:05 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Mozilla
2007-02-16 22:19:07 0 d---s---- C:\Documents and Settings\deborah stone\Application Data\Microsoft<MICROS~1>
2007-02-16 20:22:10 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Identities<IDENTI~1>
2007-02-16 15:07:49 62 --ahs---- C:\Documents and Settings\deborah stone\Application Data\desktop.ini


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Local Security Authority Service"="C:\\WINDOWS\\System32\\lssas.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_CLIENT_IP-IPX


-- End of ComboScan: finished at 2007-02-17 at 19:45:14 -------------------------
ComboScan v20070212.14 run by deborah stone on 2007-02-17 at 19:42:31
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 511 MiB / 250.25 MiB
Pagefile Memory (total/avail): 1250.19 MiB / 1037.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2006.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.84 GiB total, 52.01 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is not configured.
Windows Internal Firewall is unknown.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\deborah stone\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GALAXY
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\deborah stone
LOGONSERVER=\\GALAXY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
USERDOMAIN=GALAXY
USERNAME=deborah stone
USERPROFILE=C:\Documents and Settings\deborah stone
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

deborah stone (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bar888 --> C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}\UnInstall.exe
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EarthLink Software --> "C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Trend Micro PC-cillin Internet Security 2007 --> msiexec.exe /i {BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}


-- End of ComboScan: finished at 2007-02-17 at 19:45:14

-------------------------
Hope you can help me fix this bug. Thanks. db
dbstone is offline  
Old 02-18-2007, 07:10 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hello dbstone & welcome back.


I am sorry to be the bearer of bad news but I must make you aware of the seriousness of one of the infections on your computer.

You have an SDBot infection that drops a RootKit. This combination pretty much gives the infection and the people behind it full control of your computer to do whatever they want with it. As such... and you've probably figured this out... your computer has been totally compromised.

You have two choices...

1. Format your Hard Drive and reinstall Windows. This is probably your wisest choice as it would totally eliminate the infection and any additional damage done by it.

2. We can clean the infections. But even with doing so I, unfortunately, cannot guarantee the security of your computer afterwards as I have no way of knowing what other damage has been done by the RootKit/RAT.

Please read these for more information and let me know which route you wish to go with:

Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
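The entries behind this diagnosis are visible in the posted logs: the HKLM Run value named "Local Security Authority Service" points at lssas.exe, a one-letter shuffle of the real lsass.exe, and SDFix later removes a service running svchosts.exe. The Python script below is an added example, not code from the forum or from any tool in this thread; it flags such look-alike or out-of-place image names in Run-key and HijackThis O4 lines, using a constructed list of core XP process names and sample lines modelled on the thread's entries (the O4 line for Client IP-IPX is a constructed stand-in for the SDFix service entry).

```python
import re

# Core Windows XP processes that malware commonly imitates by name (constructed list).
SYSTEM_BINARIES = {
    "lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}
# Directories in which those binaries legitimately live on XP.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: one adjacent transposition
    (lssas -> lsass) costs 1, unlike plain Levenshtein where it costs 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_autostart(line: str):
    """Return (entry_name, command) for a ComboScan/.reg-style value line
    ("name"="value") or a HijackThis O4 line; None for anything else."""
    m = re.match(r'O4 - .*?: \[(.*?)\] (.*)$', line)
    if m:
        return m.group(1), m.group(2)
    m = re.match(r'"(.*?)"="(.*)"$', line)
    if m:
        # .reg exports escape quotes as \" and backslashes as \\
        return m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return None


def image_path(command: str) -> str:
    """Executable path at the front of a command line, quoted or not."""
    m = re.match(r'\s*"?(.+?\.(?:exe|dll|com|scr))(?:"|\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else ""


def classify(command: str):
    """Return (verdict, reason). Verdicts: 'ok', 'lookalike', 'misplaced'."""
    path = image_path(command)
    if not path:
        return "ok", "no image path"
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        if directory in SYSTEM_DIRS:
            return "ok", "system binary in its usual directory"
        return "misplaced", f"{name} running from {directory or '(no directory)'}"
    for real in sorted(SYSTEM_BINARIES):
        if osa_distance(name, real) == 1:
            return "lookalike", f"{name} is one edit away from {real}"
    return "ok", "no resemblance to a core system binary"


def scan(lines):
    """Yield (entry_name, path, verdict, reason) for every flagged autostart."""
    for line in lines:
        parsed = parse_autostart(line.strip())
        if not parsed:
            continue
        name, command = parsed
        verdict, reason = classify(command)
        if verdict != "ok":
            yield name, image_path(command), verdict, reason


# Constructed sample: lines modelled on the ComboScan registry dump, the SDFix
# service entry (recast as an O4 line) and the HijackThis O4 lines in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"Local Security Authority Service"="C:\\WINDOWS\\System32\\lssas.exe"
"SpySweeper"=""
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKLM\..\Run: [Client IP-IPX] "C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
'''.strip().splitlines()

if __name__ == "__main__":
    for entry, path, verdict, reason in scan(SAMPLE_LOG):
        print(f"{verdict:9} {entry!r:36} {path}  ({reason})")
```

The heuristic is deliberately narrow (one edit, or a real name outside C:\WINDOWS); a legitimate product binary such as pccguide.exe is left alone, while the two entries this thread turned on are both reported.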
Old 02-18-2007, 07:47 AM   #3 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi

OK, I'm puzzled though: I've reinstalled three times and still have this virus. I've also paid good money to a computer shop and still have this virus.

The reinstalls themselves, I believe, are problematic as I have dial-up. Every time I reinstall, I wipe out all the protection and updates I've built into my system. Then, in an effort to download them again, I get reinfected.

Is there any way around this?

db

PS: here is what I've done, or found out, since I last wrote:

I got rid of the messenger service popups with a program called "shoot the messenger"...

and PC-cillin has found a PE_Generic virus in my lassas.exe file that it can't remove or quarantine.
dbstone is offline  
Old 02-18-2007, 08:52 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi again,

Quote:
OK, I'm puzzled though: I've reinstalled three times and still have this virus ... then in an effort to download them again, I get reinfected ... Is there any way around this?
It's recommended that you download the antivirus and the firewall applications onto a flash drive or CD before you reformat and reinstall; unplug the computer from the internet; reformat and reinstall the operating system with all its patches. If you have problems downloading SP2, as it is rather large and you are on dial-up, you can order the SP2 CD for 'free' from Microsoft, which will save you all the hassle of trying to update online, here:

http://www.microsoft.com/windowsxp/d...s/default.mspx

Once you have Windows installed with all its patches, install the antivirus and the firewall from the flash drive/CD where you downloaded them earlier, before you connect to the internet. Then you can connect to the internet and update your system.

If you don't have any sensitive information on the computer and do not use it for banking, we can attempt to clean it. You might like to print these so that you can have access to them at all times:

1. Download AVG Anti-Spyware from HERE
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

======================================

Make sure that you can see hidden files
· Click Start
· Open My Computer
· Select the Tools menu and click Folder Options
· Select the View Tab
· Under the Hidden files and folders heading select Show hidden files and folders
· Uncheck the Hide protected operating system files (recommended) option
· Click Yes to confirm
· Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

======================================

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (C:\BFU).

Do not do anything with these yet!

======================================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

======================================

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
=======================================

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

======================================
Next, still in Safe Mode:
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
====================================

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.

======================================

Please post me a new hijackthis log and the logs from c:\BFU\log.txt , the Report.txt and the AVG Anti Spyware log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 02-18-2007, 10:10 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi amateur,

I think I understand from the materials you gave me to read that even if I copy my updates to CD or jump drive, I might be saving the virus or alterations with them. I think I'm going to try getting rid of the virus first. Then, if need be, reinstall. I'll order a CD of SP2 from Microsoft just in case. If need be, how can I save the updates I've downloaded for Windows and PC-cillin already? I'm rather new at this.

The only time I use my computer for sensitive stuff is to view my banking account, which I think I've refrained from doing since I've reinstalled. I'll change my passwords, etc., later. Is there a danger of someone remotely accessing my e-mail? I have passwords, etc., saved there.

db
dbstone is offline  
Old 02-18-2007, 10:48 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Quote:
If need be, how can I save the updates I've downloaded for windows and pc-cillin already?
I am not sure if that's possible. You may have to do the updating online.

Quote:
Is there a danger of someone remotely accessing my e-mail? I have passwords, etc, saved there.
With SDBots, anything is possible.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 02-18-2007, 12:07 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hello,

OK. Here are the logs I have. Unfortunately, I can't find a log for BFU. I've searched files and folders for c:\bfu\log.txt and found nothing. I also don't have a log for AVG; it said there were no reports, although it did find something that had "backdoor" in the name... and it deleted what it found rather than quarantining it, even though my chosen action was to quarantine per your instructions. Here are the logs I do have; I hope they're helpful.


SDFix: Version 1.66

Run by deborah stone - Sun 02/18/2007 @ 14:04:15.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX

Path:
"C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000144

Client IP-IPX Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_57320.exe - Deleted
C:\WINDOWS\system32\TFTP2036 - Deleted
C:\WINDOWS\system32\TFTP3052 - Deleted
C:\WINDOWS\system32\TFTP3568 - Deleted
C:\WINDOWS\system32\TFTP3792 - Deleted
C:\WINDOWS\system32\TFTP396 - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\qirewt.exe
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\1.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2D.tmp
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT1D.tmp

Add/Remove Programs List:

ATI Display Driver
AVG Anti-Spyware 7.5
EarthLink Software
hp instant support
HP Photo and Imaging 2.0 - hp officejet 6100 series
Lavasoft VX2 Cleaner
Mozilla Firefox (2.0.0.1)
Panda ActiveScan
Intel(R) PRO Ethernet Adapter and Software
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Trend Micro PC-cillin Internet Security 2007
hp officejet 6100 series
EarthLink Spyware Blocker
ELNBonus
EarthLink Setup
EarthLink Redistributed
EarthLink FastLane
EarthLink Common
EarthLink Toolbar
HP Photo and Imaging 2.0 - All-in-One Drivers
Ad-Aware SE Personal
EarthLink Update Manager
EarthLink MailBox
HP Photo and Imaging 2.0 - All-in-One
EarthLink TaskPanel
HP Memories Disc
Microsoft XML Parser
Trend Micro PC-cillin Internet Security 2007
Dell ResourceCD
EarthLink IM
EarthLink Webspace
Deal Info
SoundMAX
EarthLink Accelerator

Finished


Logfile of HijackThis v1.99.1
Scan saved at 2:29:33 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

thanks. I'll be staying offline as much as possible until I hear from you that I am cleared.

db
dbstone is offline  
Old 02-18-2007, 12:54 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,
Thanks for the logs. SDFix seems to have worked.
Quote:
Unfortunately, I can't find a log for BFU.
Let's not worry about that now, but I would like to have the AVG Anti Spyware log. A copy of each report is saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\. If you still cannot find it, we'll give it another go.

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

You have the following O6 line indicating some restriction on the IE/Control Panel access rights. Unless that is intentional by an administrator or a program like Spybot or StartPage Guard, you can check that line too if you wish.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Make sure that all windows/applications, etc are closed before you click on "fix checked". Exit HijackThis.

=============================

Update AVG Anti Spyware before you boot into Safe Mode.

=============================

Boot into Safe Mode following my earlier instructions.

=============================

Using Windows Explorer (right click on start, click on Explore) navigate to the following file and delete it if found. (Make sure that your hidden files are still visible).

C:\WINDOWS\system32\qirewt.exe

==============================

Still in Safe Mode, scan with AVG Anti Spyware (if you were unable to find the previous report).

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================================

Please download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log and the AVG AS report in your next reply.
Please make sure that the HijackThis log is taken from Normal Mode. The last one seems to have been taken while in Safe Mode.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 02-18-2007, 04:31 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


ok,

I never found a log for the first avg scan...just as well, because this one turned up much more:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:32:39 PM 2/18/2007

+ Scan result:



C:\Program Files\Ipwindows\ipwins.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP22\A0001769.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\deborah stone\Local Settings\Temporary Internet Files\Content.IE5\0ZAHNU7S\122[1].net -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}\Bar888.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mc-110-12-0000144.exe -> Adware.Toolbar888 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23\A0001915.exe -> Backdoor.Rbot.bdu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23\A0001916.exe -> Backdoor.Rbot.bdu : Cleaned with backup (quarantined).


::Report end


Never found C:\windows\system32\qirewt.exe.

Dr.Web's site found no viruses in the short scan, but wait till you see what came up in the long scan:

system.dll;C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001};Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc1;Trojan.DownLoader.17799;Deleted.;
system.dll;C:\RECYCLER\S-1-5-18\Dc2;Trojan.DownLoader.17799;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0001857.exe;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Tool.Prockill;Incurable.Moved.;
A0001877.exe;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Win32.HLLW.MyBot;Deleted.;
A0001938.exe;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Tool.Prockill;Incurable.Moved.;
A0001967.exe;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Tool.Prockill;Incurable.Moved.;
A0002061.dll;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Adware.Lucky;Incurable.Moved.;
A0002062.dll;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Adware.Maxifiles;Incurable.Moved.;
A0002080.dll;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Trojan.DownLoader.17799;Deleted.;
A0002081.dll;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Trojan.DownLoader.17799;Deleted.;
A0002082.dll;C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23;Trojan.DownLoader.17799;Deleted.;
TFTP2876;C:\WINDOWS\system32;Win32.IRC.Bot;Deleted.;


and here's the hijack this log from after the other two scans (and in normal mode):

Logfile of HijackThis v1.99.1
Scan saved at 7:20:56 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Waiting for further instructions... db
Old 02-19-2007, 06:02 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,

Log is looking good. You can go ahead and delete BFU and SDFix from your desktop and the following folders: C:\SDFix and C:\BFU

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not scan with it yet.

=================================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user.

================================================

Reboot in Normal Mode.

================================================
  • Please create a folder on your desktop called Sysclean.
  • Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
  • Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.
  • This file will be called lptXXX.zip (XXX represents the version number)
  • Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.
  • Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.
  • Turn off/disable temporarily your antivirus which is installed on your system because it can interfere with the Sysclean-scan. Make sure to turn it on again when finished.
  • Reboot in Safe Mode.
  • Open the sysclean-folder and double-click sysclean.com.
  • Check: "Automatically clean or delete detected files."
  • Click "Scan".
  • When the scan is finished, select: "View log".
  • Copy and paste this log in your next reply along with another fresh HijackThis log and also let me know how the computer is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 02-19-2007, 08:31 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hello.

Can you give me more info re: which file pattern I'm looking for on the Trend webpage? Not finding anything with LPTXXX....and there are lots of files to choose from.

Also, FYI, my PC-cillin has been going crazy since it downloaded its updates today, giving me messages that I have a trojan virus called xpack.ba in file: msksvrvs.exe. Says it cannot remove or quarantine the virus.
Old 02-19-2007, 09:28 AM   #12 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


well....

I think I found the file and had started to download it, but got kicked off, definitely by something taking over my system. It also blocked my Trend update just before I got kicked off.

If worse comes to worse, I'll download the file from my office at work and bring it home tonight to apply your instructions. I'll check back on this thread before I leave to see if you've sent any further instructions.

db
Old 02-19-2007, 11:23 AM   #13 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi,

Quote:
Also, FYI, my PC-cillin has been going crazy since it downloaded its updates today, giving me messages that I have a trojan virus called xpack.ba in file: msksvrvs.exe. Says it cannot remove or quarantine the virus.
Does it give you the file path? Let me know the file path if you can. It seems to be a fairly new backdoor trojan, first seen on Feb 7, 2007 according to Prevx.

Let's try this tool:

Download ComboScan to your Desktop.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
  5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  6. Please attach Supplementary.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

=======================================
Quote:
If worse comes to worse, I'll download the file from my office at work and bring it home tonight to apply your instructions.
Good idea, please do that but make sure that you transfer them to the infected machine exactly the way it's supposed to be, unzipped properly and placed in the same folder on your desktop. Keep the machine off the internet. Disable your resident antivirus. Boot into Safe Mode. Run sysclean. Save the log to post later. Reboot in Normal Mode. Remember to re-enable your antivirus before connecting to the Internet.

Please post back:

ComboScan.txt
Supplementary.txt.
Sysclean log
a fresh HijackThis log please.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 02-19-2007 at 11:36 AM.
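The repeated "cannot quarantine" messages reported in post #11, and the request above for the file path, are easier to act on from a summary than by reading a PC-cillin "Virus Scan Logs" export line by line. The following Python script is an added example, not a tool from this thread, from Trend Micro or from TSF: it parses that export layout (a title row carrying the day's date, a column header row, then one quoted CSV row per detection), collapses repeated detections of the same file into one record, flags files the scanner never managed to quarantine (a sign the file was in use or protected by something still running), and flags file names that sit one edit away from a core Windows process name. The sample log embedded in it is constructed to follow the format posted in this thread; the core process list and the one-edit lookalike heuristic are the example's own assumptions.

```python
import csv
import io

# Constructed sample in the layout of a Trend Micro PC-cillin "Virus Scan Logs"
# export as posted in this thread: a title row carrying the date, a column
# header row, then one quoted CSV row per detection. Values are made up.
SAMPLE_LOG = r'''"Virus Scan Logs", "2007/02/19","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"08:44","File Monitor","File","PE_Generic","C:\WINDOWS\system32\jyfy.exe","Clean Fail","Quarantine Success"
"10:40","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"10:41","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Success",""
"22:30","File Monitor","File","PE_Generic","C:\WINDOWS\System32\lssas.exe","Clean Fail","Quarantine Fail"
"22:31","File Monitor","File","PE_Generic","C:\WINDOWS\SYSTEM32\LSSAS.EXE","Clean Fail","Quarantine Fail"
'''

# Genuine names of core Windows processes (assumption: the set a triager would
# compare against; extend as needed). Used only for the lookalike check.
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe")


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1 (so "lssas" vs "lsass" is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(path):
    """Return the core process name a file name imitates (one edit away), else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in CORE_PROCESSES:
        return None
    for real in CORE_PROCESSES:
        if osa_distance(name, real) == 1:
            return real
    return None


def summarize(log_text):
    """Collapse the per-detection rows into one record per file.
    Windows paths are case-insensitive, so records are keyed on the lower-cased path."""
    records = {}
    date = "?"
    for row in csv.reader(io.StringIO(log_text), skipinitialspace=True):
        if not row:
            continue
        if row[0] == "Virus Scan Logs":        # title row: carries the day's date
            date = row[1]
            continue
        if row[0] == "Time" or len(row) < 7:   # column header or malformed row
            continue
        time, _feature, _source, virus, path, first, second = row[:7]
        rec = records.setdefault(path.lower(), {
            "path": path, "viruses": set(), "events": 0,
            "first_seen": f"{date} {time}", "last_seen": None,
            "quarantine_fail": 0, "quarantine_success": 0})
        rec["viruses"].add(virus)
        rec["events"] += 1
        rec["last_seen"] = f"{date} {time}"
        for action in (first, second):
            if action == "Quarantine Fail":
                rec["quarantine_fail"] += 1
            elif action == "Quarantine Success":
                rec["quarantine_success"] += 1
    return records


def triage(log_text):
    """Turn the summary into findings carrying the flags a triager cares about."""
    findings = []
    for rec in summarize(log_text).values():
        flags = []
        if rec["quarantine_fail"] and not rec["quarantine_success"]:
            flags.append("never quarantined")   # file stayed in use or protected
        elif rec["quarantine_fail"]:
            flags.append(f"quarantined only after {rec['quarantine_fail']} failures")
        real = lookalike_of(rec["path"])
        if real:
            flags.append(f"name resembles Windows process {real}")
        findings.append({"path": rec["path"], "events": rec["events"],
                         "viruses": sorted(rec["viruses"]),
                         "first_seen": rec["first_seen"], "last_seen": rec["last_seen"],
                         "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['path']}: {f['events']} event(s), {', '.join(f['viruses'])}, "
              f"{f['first_seen']} .. {f['last_seen']}"
              + (f"  [{'; '.join(f['flags'])}]" if f['flags'] else ""))
```

Run as a script it prints one line per file; `triage()` returns the same findings as a list so they can be checked programmatically or fed to a ticket. On the sample, the mixed-case `lssas.exe` rows collapse into one record that is flagged both as never quarantined and as a lookalike of `lsass.exe`, which is exactly the pair of signals worth raising before deciding whether a tool that runs from Safe Mode is needed.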
Old 02-19-2007, 04:21 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Hi,

Well, I was able to download the file from home for system clean.

Things were running very slowly before I ran ComboScan. When I tried to open WordPad to copy your instructions to print, my computer froze and I had to reboot. I unplugged my connection to run the ComboScan and was able to do so successfully.

I had trouble reconnecting to the internet. Windows Installer would come up, then a box saying it was configuring EarthLink Task Panel, then a box saying the feature I was trying to use is on a CD-ROM. Then it connected to the internet anyway, but I got kicked off. A box appeared and said I was being disconnected by NT Authority System and there was a file name in the box: c:\windows32\lsass.exe.

I rebooted again, but couldn't connect until I reinstalled earthlink from disk, and here we are.

I was able to open wordpad without it freezing after running comboscan.

and internet explorer won't open.

and I don't want to play anymore.

Here are my logs. I'm including the logs from Trend PC-cillin virus scans for the last three days. You'll see that I just keep accumulating more and more viruses:

"Virus Scan Logs", "2007/02/19","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"08:44","File Monitor","File","PE_Generic","C:\WINDOWS\system32\jyfy.exe","Clean Fail","Quarantine Success"
"10:40","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"10:40","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"10:40","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"10:41","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:08","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:09","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:10","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:11","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:12","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Fail",""
"11:13","File Monitor","File","TROJ_XPACK.BA","C:\WINDOWS\system32\MSKSVRVS.EXE","Quarantine Success",""
"12:10","File Monitor","File","BKDR_SDBOT.GAA","C:\WINDOWS\system32\.exe","Quarantine Success",""
"12:17","File Monitor","File","WORM_RBOT.BWL","C:\WINDOWS\system32\z.exe","Quarantine Success",""
"12:51","File Monitor","File","WORM_RBOT.BWL","C:\WINDOWS\system32\z.exe","Quarantine Success",""
"12:54","File Monitor","File","TROJ_POEBOT.JW","C:\WINDOWS\system32\jqtz.exe","Quarantine Success",""
"13:04","File Monitor","File","WORM_SDBOT.DYX","C:\WINDOWS\system32\TFTP3676","Quarantine Success",""
"15:09","File Monitor","File","WORM_NACHI.H","C:\WINDOWS\system32\TFTP3012","Quarantine Success",""
"15:11","File Monitor","File","BKDR_POEBOT.IV","C:\WINDOWS\system32\lplvyd.exe","Quarantine Success",""


"Virus Scan Logs", "2007/02/18","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"07:26","File Monitor","File","PE_Generic","C:\WINDOWS\SYSTEM32\LSSAS.EXE","Clean Fail","Quarantine Fail"
"07:40","Manual Scan","File","PE_Generic","C:\WINDOWS\system32\lssas.exe","Clean Fail","Quarantine Fail"
"10:29","File Monitor","File","PE_Generic","C:\WINDOWS\System32\lssas.exe","Clean Fail","Quarantine Success"
"10:29","File Monitor","File","BAT_BATTEN.A","C:\a.bat","Quarantine Success",""
"11:09","Manual Scan","File","PE_Generic","C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23\A0001795.exe","Clean Fail","Quarantine Success"
"12:49","File Monitor","File","BAT_BATTEN.A","C:\a.bat","Quarantine Success",""
"14:08","File Monitor","File","BAT_BATTEN.A","C:\a.bat","Quarantine Success",""
"19:43","File Monitor","File","BKDR_SDBOT.GAA","C:\WINDOWS\system32\.exe","Quarantine Success",""


"Virus Scan Logs", "2007/02/17","GALAXY"
"Time","Security Feature","Source Type","Virus Name","File Name","First Action","Second Action"
"19:19","File Monitor","File","BKDR_SDBOT.GAA","C:\WINDOWS\system32\.exe","Quarantine Success",""
"19:57","File Monitor","File","WORM_SDBOT.DYX","C:\WINDOWS\system32\TFTP3172","Quarantine Success",""
"20:12","File Monitor","File","BAT_BATTEN.A","C:\a.bat","Quarantine Success",""
"20:12","File Monitor","File","BAT_BATTEN.A","C:\a.bat","Quarantine Success",""
"22:30","File Monitor","File","PE_Generic","C:\WINDOWS\System32\lssas.exe","Clean Fail","Quarantine Fail"
"22:31","File Monitor","File","PE_Generic","C:\WINDOWS\System32\lssas.exe","Clean Fail","Quarantine Fail"
"22:32","File Monitor","File","PE_Generic","C:\WINDOWS\SYSTEM32\LSSAS.EXE","Clean Fail","Quarantine Fail"
"22:32","File Monitor","File","PE_Generic","C:\WINDOWS\SYSTEM32\LSSAS.EXE","Clean Fail","Quarantine Fail"
"22:33","File Monitor","File","PE_Generic","C:\WINDOWS\system32\lssas.exe","Clean Fail","Quarantine Fail"
"22:34","File Monitor","File","PE_Generic","C:\WINDOWS\System32\lssas.exe","Clean Fail","Quarantine Fail"
"22:34","File Monitor","File","PE_Generic","C:\WINDOWS\system32\lssas.exe","Clean Fail","Quarantine Fail"


ComboScan v20070212.14 run by deborah stone on 2007-02-19 at 18:33:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as deborah stone.com) ------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:33:18 PM, on 2/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\deborah stone\Desktop\comboscan.exe
C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\~qtlocse.tmp\deborah stone.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------

backup-20070218-174420-358 R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
backup-20070218-174420-868 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 aeaudio - system32\drivers\aeaudio.sys
3 ati2mtaa - System32\DRIVERS\ati2mtaa.sys
1 AVG Anti-Spyware Driver - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys
3 E100B (Intel(R) PRO Adapter Driver) - System32\DRIVERS\e100b325.sys
2 Fallback - System32\DRIVERS\HSF_FALL.sys
2 Fsks - System32\DRIVERS\HSF_FSKS.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - System32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - System32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - System32\DRIVERS\HPZius12.sys
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys
2 K56 - System32\DRIVERS\HSF_K56K.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0 PCIIde - System32\DRIVERS\pciide.sys
3 Rksample - System32\DRIVERS\HSF_SAMP.sys
3 smwdm - system32\drivers\smwdm.sys
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys
2 SpeakerPhone - System32\DRIVERS\HSF_SPKP.sys
3 tmcfw (Trend Micro Common Firewall Service) - System32\DRIVERS\TM_CFW.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
2 tmmbd (Trend Micro MBD Driver) - System32\DRIVERS\tm_mbd_c.sys
2 Tmpreflt - System32\drivers\Tmpreflt.sys
1 tmtdi (Trend Micro TDI Driver) - System32\DRIVERS\tmtdi.sys
2 tmxpflt - System32\drivers\TmXPFlt.sys
2 Tones - System32\DRIVERS\HSF_TONE.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
2 V124 - System32\DRIVERS\HSF_V124.sys
2 Vsapint - System32\drivers\VsapiNT.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 PcCtlCom (Trend Micro Central Control Component) - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
3 PcScnSrv (Trend Micro Protection Against Spyware ) - "C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe"
3 Pml Driver HPZ12 - C:\WINDOWS\System32\HPZipm12.exe
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 Tmntsrv (Trend Micro Real-time Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
2 TmPfw (Trend Micro Personal Firewall) - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
2 tmproxy (Trend Micro Proxy Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-17 22:55:09 418 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1171770793.job<FRUTAS~1.JOB>


-- Files created between 2007-01-19 and 2007-02-19 ------------------------------

2007-02-19 14:59:59 32768 --ah----- C:\WINDOWS\System32\mubl.exe<Unsigned: n/a>
2007-02-19 14:47:41 0 --ah----- C:\Documents and Settings\deborah stone\Application Data\hpothb07.dat
2007-02-19 14:47:38 391 --ah----- C:\hpothb07.dat
2007-02-19 14:44:29 149 --ah----- C:\Program Files\hpothb07.dat
2007-02-19 10:57:31 0 d-------- C:\Program Files\CCleaner
2007-02-18 18:37:05 0 d-------- C:\Documents and Settings\deborah stone\DoctorWeb<DOCTOR~1>
2007-02-18 13:27:44 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-18 13:27:42 0 d-------- C:\Program Files\Grisoft
2007-02-18 07:20:22 0 d-------- C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}<{18739~1>
2007-02-17 22:55:14 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Hewlett-Packard<HEWLET~1>
2007-02-17 22:52:55 82380 --a------ C:\WINDOWS\System32\drivers\AFS2K.SYS<Unsigned: Oak Technology Inc.>
2007-02-17 22:49:42 57344 -ra------ C:\WINDOWS\System32\HPZisn12.dll<Signed: HP>
2007-02-17 22:49:42 94208 -ra------ C:\WINDOWS\System32\HPZipt12.dll<Signed: HP>
2007-02-17 22:49:42 65795 -ra------ C:\WINDOWS\System32\HPZipm12.exe<Signed: HP>
2007-02-17 22:49:42 61699 -ra------ C:\WINDOWS\System32\HPZinw12.exe<Signed: HP>
2007-02-17 22:49:41 167936 -ra------ C:\WINDOWS\System32\HPZipr12.dll<Signed: HP>
2007-02-17 22:49:41 233528 -ra------ C:\WINDOWS\System32\HPZidr12.dll<Signed: HP>
2007-02-17 22:49:41 16080 -ra------ C:\WINDOWS\System32\drivers\HPZipr12.sys<Signed: HP>
2007-02-17 22:49:39 51024 -ra------ C:\WINDOWS\System32\drivers\hpzid412.sys<Signed: HP>
2007-02-17 22:49:11 21456 -ra------ C:\WINDOWS\System32\drivers\HPZius12.sys<Signed: HP>
2007-02-17 22:45:41 16618 -----n--- C:\WINDOWS\hpomdl01.dat
2007-02-17 22:45:41 20454 --a------ C:\WINDOWS\hpoins01.dat
2007-02-17 20:32:47 0 d-------- C:\Program Files\Ipwindows<IPWIND~1>
2007-02-17 19:42:39 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-17 19:28:40 0 d-------- C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}<{38739~1>
2007-02-17 19:28:38 2560 --a------ C:\WINDOWS\System32\unsvchosts.exe<UNSVCH~1.EXE><Unsigned: n/a>
2007-02-17 18:17:10 0 d-------- C:\WINDOWS\Prefetch
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ehome
2007-02-17 18:13:23 450176 -----n--- C:\WINDOWS\System32\drivers\ati2mtag.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 34735 -----n--- C:\WINDOWS\System32\drivers\atinxsxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 29455 -----n--- C:\WINDOWS\System32\drivers\atinxbxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 36463 -----n--- C:\WINDOWS\System32\drivers\atintuxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 21343 -----n--- C:\WINDOWS\System32\drivers\atinttxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 26367 -----n--- C:\WINDOWS\System32\drivers\atinsnxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 63663 -----n--- C:\WINDOWS\System32\drivers\atinrvxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 30671 -----n--- C:\WINDOWS\System32\drivers\atinraxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 12047 -----n--- C:\WINDOWS\System32\drivers\atinpdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 11615 -----n--- C:\WINDOWS\System32\drivers\atinmdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 56591 -----n--- C:\WINDOWS\System32\drivers\atinbtxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:21 921475 -----n--- C:\WINDOWS\System32\ati3d2ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 844675 -----n--- C:\WINDOWS\System32\ati3d1ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 202496 -----n--- C:\WINDOWS\System32\ati2dvag.dll<Signed: ATI Technologies Inc.>
2007-02-17 10:30:48 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-17 10:21:56 1168 --a------ C:\WINDOWS\mozver.dat
2007-02-17 10:07:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-17 1054 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-17 09:11:43 0 d-------- C:\WINDOWS\System32\NtmsData
2007-02-17 08:50:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-02-17 08:49:55 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-16 23:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-16 23:13:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-16 23:05:12 118784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-16 23:05:12 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-16 22:49:13 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Lavasoft
2007-02-16 22:49:08 0 d-------- C:\Program Files\Lavasoft
2007-02-16 22:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-16 22:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-16 21:54:44 0 d-------- C:\WINDOWS\System32\PreInstall<PREINS~1>
2007-02-16 21:54:40 0 d--h----- C:\WINDOWS\$hf_mig$
2007-02-16 21:53:53 0 d-------- C:\WINDOWS\System32\bits
2007-02-16 21:25:46 0 d-------- C:\WINDOWS\SoftwareDistribution<SOFTWA~1>
2007-02-16 21:10:21 101376 --a------ C:\WINDOWS\System32\drivers\tm_mbd_c.sys<Unsigned: Trend Micro Inc.>
2007-02-16 21:10:20 281600 --a------ C:\WINDOWS\System32\drivers\TM_CFW.sys<Signed: Trend Micro Inc.>
2007-02-16 21:09:53 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-02-16 21:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro<TRENDM~1>
2007-02-16 2158 0 d-------- C:\Program Files\Sophos
2007-02-16 21:03:24 0 d---s---- C:\Documents and Settings\deborah stone\UserData
2007-02-16 20:57:30 0 d-------- C:\Documents and Settings\deborah stone\Application Data\EarthLink Toolbar<EARTHL~2>
2007-02-16 20:54:42 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Earthlink<EARTHL~1>
2007-02-16 20:52:24 0 d-------- C:\Program Files\EarthLink TotalAccess<EARTHL~1>
2007-02-16 20:50:28 0 d-------- C:\Program Files\UIU
2007-02-16 20:38:29 0 d-------- C:\Program Files\Common Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:37:34 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-16 20:30:35 53248 --a------ C:\WINDOWS\System32\Prounstl.exe<Signed: Intel Corporation>
2007-02-16 20:30:35 23040 --a------ C:\WINDOWS\System32\IntelNic.dll<Signed: Intel Corporation>
2007-02-16 20:30:35 139776 --a------ C:\WINDOWS\System32\drivers\e100b325.sys<Signed: Intel Corporation>
2007-02-16 20:29:38 3744 --a------ C:\WINDOWS\System32\drivers\smsens.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:38 4816 --a------ C:\WINDOWS\System32\drivers\aeaudio.sys<Signed: Andrea Electronics Corporation>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\DSndUp.exe<Unsigned: Analog Devices Inc.>
2007-02-16 20:29:37 545208 --a------ C:\WINDOWS\System32\drivers\smwdm.sys<Signed: Analog Devices, Inc.>
2007-02-16 20:29:37 45056 --a------ C:\WINDOWS\System32\CleanUp.exe<Unsigned: adi>
2007-02-16 20:29:37 720896 --a------ C:\WINDOWS\System32\a3d.dll<Signed: Sensaura Ltd>
2007-02-16 20:29:37 0 d-------- C:\Program Files\Analog Devices<ANALOG~1>
2007-02-16 20:28:58 4557 -----n--- C:\WINDOWS\System32\atiicdxx.sys<Unsigned: ATI Technologies Inc.>
2007-02-16 20:28:45 295168 --a------ C:\WINDOWS\System32\drivers\ati2mtaa.sys<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 1175642 --a------ C:\WINDOWS\System32\atioglaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 98304 --a------ C:\WINDOWS\System32\atiiprxx.exe<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 229376 --a------ C:\WINDOWS\System32\atiiiexx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 102400 --a------ C:\WINDOWS\System32\Atiidtxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 45056 --a------ C:\WINDOWS\System32\atiicpxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 327774 --a------ C:\WINDOWS\System32\atiicdxx.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:28:45 40960 --a------ C:\WINDOWS\System32\Ati2mdxx.exe<Signed: ATI Technologies, Inc.>
2007-02-16 20:28:45 318080 --a------ C:\WINDOWS\System32\ati2dvaa.dll<Signed: ATI Technologies Inc.>
2007-02-16 20:27:48 0 d--hs---- C:\RECYCLER
2007-02-16 20:25:17 0 d-------- C:\Program Files\Intel
2007-02-16 20:24:57 0 d-------- C:\WINDOWS\System32\ReinstallBackups<REINST~1>
2007-02-16 20:23:43 176128 --a------ C:\WINDOWS\System32\RcdScan.dll<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:43 446464 -ra------ C:\WINDOWS\System32\hhactivex.dll<HHACTI~1.DLL><Unsigned: Blue Sky Software Corporation.>
2007-02-16 20:23:41 89360 --a------ C:\WINDOWS\System32\VB5DB.DLL<Unsigned: Microsoft Corporation>
2007-02-16 20:23:40 13632 -----n--- C:\WINDOWS\System32\drivers\omci.sys<Unsigned: Dell Computer Corporation>
2007-02-16 20:23:40 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-16 20:23:34 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-02-16 20:22:13 0 d--hs---- C:\WINDOWS\Installer<INSTAL~1>
2007-02-16 20:21:57 1835008 --ah----- C:\Documents and Settings\deborah stone\NTUSER.DAT
2007-02-16 20:20:57 0 d--hs---- C:\System Volume Information<SYSTEM~1>
2007-02-16 20:20:56 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-02-16 20:20:55 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-02-16 20:18:12 0 d-------- C:\WINDOWS\System32\xircom
2007-02-16 20:18:12 0 d-------- C:\Program Files\microsoft frontpage<MICROS~1>
2007-02-16 20:18:09 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-02-16 20:18:09 0 d-------- C:\DELL
2007-02-16 20:18:00 0 -rahs---- C:\MSDOS.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 -rahs---- C:\IO.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\CONFIG.SYS<Unsigned: n/a>
2007-02-16 20:18:00 0 --a------ C:\AUTOEXEC.BAT
2007-02-16 20:17:07 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-02-16 20:16:58 0 dr------- C:\WINDOWS\Offline Web Pages<OFFLIN~1>
2007-02-16 20:16:58 0 d---s---- C:\WINDOWS\Downloaded Program Files<DOWNLO~1>
2007-02-16 20:16:30 0 d-------- C:\WINDOWS\System32\DirectX
2007-02-16 20:15:55 28672 --a------ C:\WINDOWS\System32\isrdbg32.dll<Signed: Intel Corporation>
2007-02-16 20:15:49 0 d---s---- C:\WINDOWS\Tasks
2007-02-16 20:15:46 0 d-------- C:\Program Files\Common Files\MSSoap
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\System32\Macromed
2007-02-16 20:15:42 0 d-------- C:\WINDOWS\srchasst
2007-02-16 20:15:40 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-02-16 20:15:37 0 d-------- C:\WINDOWS\PCHealth
2007-02-16 20:15:36 0 d-------- C:\WINDOWS\System32\Restore
2007-02-16 20:15:22 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat<EMPTYR~1.DAT>
2007-02-16 20:15:06 0 d-------- C:\WINDOWS\Registration<REGIST~1>
2007-02-16 20:14:37 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-02-16 20:14:37 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-02-16 20:14:31 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-16 20:14:27 0 d-------- C:\Program Files\MSN Gaming Zone<MSNGAM~1>
2007-02-16 20:14:20 489984 --a------ C:\WINDOWS\System32\hypertrm.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:20 44544 --a------ C:\WINDOWS\System32\hticons.dll<Signed: Hilgraeve, Inc.>
2007-02-16 20:14:10 1161 --a------ C:\WINDOWS\System32\usrlogon.cmd
2007-02-16 20:13:57 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\MsDtc
2007-02-16 20:13:54 0 d-------- C:\WINDOWS\System32\Com
2007-02-16 15:09:27 9759 --a------ C:\WINDOWS\System32\HSF_INST.dll<Signed: Conexant>
2007-02-16 15:09:27 488383 --a------ C:\WINDOWS\System32\drivers\HSF_V124.sys<Signed: Conexant>
2007-02-16 15:09:27 50751 --a------ C:\WINDOWS\System32\drivers\HSF_TONE.sys<Signed: Conexant>
2007-02-16 15:09:27 73279 --a------ C:\WINDOWS\System32\drivers\HSF_SPKP.sys<Signed: Conexant>
2007-02-16 15:09:27 44863 --a------ C:\WINDOWS\System32\drivers\HSF_SOAR.sys<Signed: Conexant>
2007-02-16 15:09:27 57471 --a------ C:\WINDOWS\System32\drivers\HSF_SAMP.sys<Signed: Conexant>
2007-02-16 15:09:27 542879 --a------ C:\WINDOWS\System32\drivers\HSF_MSFT.sys<Signed: Conexant>
2007-02-16 15:09:27 391199 --a------ C:\WINDOWS\System32\drivers\HSF_K56K.sys<Signed: Conexant>
2007-02-16 15:09:27 115807 --a------ C:\WINDOWS\System32\drivers\HSF_FSKS.sys<Signed: Conexant>
2007-02-16 15:09:27 199711 --a------ C:\WINDOWS\System32\drivers\HSF_FAXX.sys<Signed: Conexant>
2007-02-16 15:09:27 289887 --a------ C:\WINDOWS\System32\drivers\HSF_FALL.sys<Signed: Conexant>
2007-02-16 15:09:27 67167 --a------ C:\WINDOWS\System32\drivers\HSF_BSC2.sys<Signed: Conexant>
2007-02-16 15:09:27 150239 --a------ C:\WINDOWS\System32\drivers\HSF_AMOS.sys<Signed: Conexant>
2007-02-16 15:08:13 0 d-------- C:\Program Files\Common Files\ODBC
2007-02-16 15:08:10 0 dr------- C:\Program Files<PROGRA~1>
2007-02-16 15:08:10 0 d-------- C:\Program Files\Common Files\SpeechEngines<SPEECH~1>
2007-02-16 15:07:59 24661 --a------ C:\WINDOWS\System32\spxcoins.dll<Signed: Perle Systems Ltd.>
2007-02-16 15:07:59 103424 --a------ C:\WINDOWS\System32\EqnClass.Dll<Signed: Equinox Systems Inc.>
2007-02-16 15:07:59 85020 --a------ C:\WINDOWS\System32\dgsetup.dll<Signed: Digi International>
2007-02-16 15:07:59 176157 --a------ C:\WINDOWS\System32\dgrpsetu.dll<Signed: Digi International, Inc.>
2007-02-16 15:07:49 0 dr------- C:\Documents and Settings\All Users\Documents<DOCUME~1>
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot2
2007-02-16 15:07:36 0 d-------- C:\WINDOWS\System32\CatRoot
2007-02-16 15:07:15 0 d-------- C:\Documents and Settings<DOCUME~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\WinSxS
2007-02-16 15:03:03 0 dr------- C:\WINDOWS\Web
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\twain_32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system32
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wins
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\wbem
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\usmt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\spool
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ShellExt
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\Setup
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ras
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\oobe
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\npp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\inetsrv
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\IME
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\icsxml
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\ias
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\export
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\etc
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\drivers\disdn
2007-02-16 15:03:03 0 dr-hs--c- C:\WINDOWS\System32\dllcache
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\dhcp
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3com_dmi
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\3076
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\2052
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1054
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1042
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1041
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1037
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1033
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1031
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1028
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\System32\1025
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\system
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\security
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Resources<RESOUR~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\repair
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\mui
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msapps
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\msagent
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Media
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\java
2007-02-16 15:03:03 0 d--h----- C:\WINDOWS\inf
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\ime
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Help
2007-02-16 15:03:03 0 dr--s---- C:\WINDOWS\Fonts
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Driver Cache<DRIVER~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Debug
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Cursors
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Connection Wizard<CONNEC~1>
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\Config
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\AppPatch
2007-02-16 15:03:03 0 d-------- C:\WINDOWS\addins


-- Find3M Report ----------------------------------------------------------------

2007-02-19 14:47:41 0 --ah----- C:\Documents and Settings\deborah stone\Application Data\hpothb07.tif
2007-02-19 14:44:29 257 --ah----- C:\Program Files\hpothb07.tif
2007-02-17 10:22:59 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Macromedia<MACROM~1>
2007-02-17 10:07:05 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Mozilla
2007-02-16 22:19:07 0 d---s---- C:\Documents and Settings\deborah stone\Application Data\Microsoft<MICROS~1>
2007-02-16 20:22:10 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Identities<IDENTI~1>
2007-02-16 15:07:49 62 --ahs---- C:\Documents and Settings\deborah stone\Application Data\desktop.ini
2007-01-24 17:45:46 102800 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"="\"C:\\Program Files\\Common Files\\{1873997D-0702-1033-1002-020105290001}\\Update.exe\" mc-110-12-0000144"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-19 at 18:46:28 -------------------------

ComboScan v20070212.14 run by deborah stone on 2007-02-19 at 18:33:09
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 511 MiB / 205.08 MiB
Pagefile Memory (total/avail): 1250.19 MiB / 945.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2007.2 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.84 GiB total, 51.39 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is not configured.
Windows Internal Firewall is unknown.

-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\deborah stone\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GALAXY
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\deborah stone
LOGONSERVER=\\GALAXY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp
USERDOMAIN=GALAXY
USERNAME=deborah stone
USERPROFILE=C:\Documents and Settings\deborah stone
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

deborah stone (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EarthLink Software --> "C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp officejet 6100 series --> MsiExec.exe /X{12BB7942-1E1F-43D9-B441-4668C1629425}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp officejet 6100 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Trend Micro PC-cillin Internet Security 2007 --> msiexec.exe /i {BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}


-- End of ComboScan: finished at 2007-02-19 at 18:46:28 -------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:48:50 PM, on 2/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe





/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2007-02-19, 14:12:28, Auto-clean mode specified.
2007-02-19, 14:12:28, Running scanner "C:\Documents and Settings\deborah stone\Desktop\TSC.BIN"...
2007-02-19, 14:15:03, Scanner "C:\Documents and Settings\deborah stone\Desktop\TSC.BIN" has finished running.
2007-02-19, 14:15:03, TSC Log:

Damage Cleanup Engine (DCE) 5.0(Build 1107)
Windows XP(Build 2600: Service Pack 1)

Start time : Mon Feb 19 2007 14:12:29

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\deborah stone\Desktop\tsc.ptn" (version 838) [success]

Complete time : Mon Feb 19 2007 14:15:02
Execute pattern count(3051), Virus found count(0), Virus clean count(0), Clean failed count(0)

2007-02-19, 14:15:16, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2007-02-19, 14:29:12, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 2/19/2007 14:15:32
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 277 (158555 Patterns) (2007/02/18) (427700)
Command Line: C:\Documents and Settings\deborah stone\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\deborah stone\Desktop

15333 files have been read.
15333 files have been checked.
14042 files have been scanned.
20971 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/19/2007 14:29:12
---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-19, 14:29:12, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 2/19/2007 14:15:32
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 277 (158555 Patterns) (2007/02/18) (427700)
Command Line: C:\Documents and Settings\deborah stone\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\deborah stone\Desktop

15333 files have been read.
15333 files have been checked.
14042 files have been scanned.
20971 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/19/2007 14:29:12 13 minutes 29 seconds (809.28 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-19, 14:29:12, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 2/19/2007 14:15:32
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 277 (158555 Patterns) (2007/02/18) (427700)
Command Line: C:\Documents and Settings\deborah stone\Desktop\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\deborah stone\Desktop

15333 files have been read.
15333 files have been checked.
14042 files have been scanned.
20971 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 2/19/2007 14:29:12 13 minutes 29 seconds (809.28 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2007-02-19, 14:29:12, Scanner "C:\Documents and Settings\deborah stone\Desktop\VSCANTM.BIN" has finished running.
Old 02-19-2007, 04:24 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


and now I can't open pc-cillin
Old 02-19-2007, 06:47 PM   #16 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Please download and run FindAWF http://noahdfear.geekstogo.com/FindAWF.exe

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 02-20-2007, 03:05 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


Here's my awf log. Not too exciting, I must say!


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


I also ran all my security programs last night and I've been infected with more spyware. Here's my AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:00:40 PM 2/19/2007

+ Scan result:



C:\Documents and Settings\deborah stone\DoctorWeb\Quarantine\A0002062.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Documents and Settings\deborah stone\DoctorWeb\Quarantine\A0002061.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{FB851716-8BA1-4B6D-A786-96F34372954A}\RP23\A0002063.exe -> Adware.Toolbar888 : Cleaned with backup (quarantined).


::Report end

And my PC-cillin didn't find anything when I scanned last night (I ran it after all the spyware programs).

It seems as though every time I go online, I pick stuff up. Isn't there any way to seal the hole this stuff is getting through?

db
Old 02-20-2007, 06:43 PM   #18 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi dbstone,

Quote:
Here's my awf log. Not too exciting, I must say!
That's a good thing. I was afraid that you might have another infection when you mentioned that you could not open pccillin.

Make sure that you can see hidden files
· Click Start
· Open My Computer
· Select the Tools menu and click Folder Options
· Select the View Tab
· Under the Hidden files and folders heading select Show hidden files and folders
· Uncheck the Hide protected operating system files (recommended) option
· Click Yes to confirm
· Click OK

===========================================

Please go here to upload the following file for analysis before you continue with the rest.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\System32\mubl.exe
  • In the comments, please mention that it's for LonnyRJones
  • Click on Send File
Thanks

================================================

Using Windows Explorer, locate and delete the following files and folders, if present:

C:\Program Files\Ipwindows\
C:\Documents and Settings\deborah stone\Local Settings\Temporary Internet Files\Content.IE5\
C:\Program Files\Common Files\{3873997D-0702-1033-1002-020105290001}\
C:\WINDOWS\system32\mc-110-12-0000144.exe
C:\WINDOWS\system32\MSKSVRVS.EXE
C:\WINDOWS\System32\mubl.exe
C:\WINDOWS\System32\unsvchosts.exe

C:\Program Files\Trend Micro\Internet Security 2007\Quarantine<=== delete the contents of this folder
C:\Program Files\HijackThis\backups <===== delete the contents

==================================================

As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

1>> Download UnHookExec.inf

2>> Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

===================================================

Copy/paste the following text inside the quote box into a new notepad document. It must be Notepad, not wordpad. Make sure the "wordwrap" is unchecked in Format.

Quote:
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"{1873997D-0702-1033-1002-020105290001}"=-

Make sure that there is no space before REGEDIT4, and there is a single space after the last line.

Save it to your desktop as fixme.reg . Save it as File Type All Files. Don't do anything with it yet. We'll use it in Safe Mode.

==================================================

I would also like to see if you have anything disabled from the startup with msconfig.

Open notepad and copy/ paste the following text in blue:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Save this as look.bat , choose to save as all files and place it on your desktop.
This is how the batch must look after you created it:
Doubleclick on look.bat and post the contents of it in your next reply as well.

====================================================

Let's run SDFix again.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
=========================================================

Double click fixme.reg and answer yes when asked to merge it into the registry.

==========================================================
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
=====================================================

Please run ComboScan one more time
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • Please attach Supplementary.txt to your post.

=====================================================

Please download BlackLight Beta Graphical User Interface version, and save it to your desktop. Click on BlackLight Beta to scan with it. When the scan is completed, there will be a report on your desktop named "fsbl-xxxxxxx.log"(xxxxx is date/time of the scan).

Please post that log in your next reply.

=====================================================

Please post back:

look.bat
Report.txt
C:\ComboScan
Supplementary.txt
fsbl-xxxxxxx.log

You might have to make two posts if too long.
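As an added defender-side check (example code written for this page, not from the thread, ComboScan, or UnHookExec.inf): the point above about worms rewriting the shell\open\command keys can be verified by reading the "File Associations" section of a ComboScan report and comparing the executable types against the Windows XP defaults, which are the values the log posted below in this thread shows. It assumes the section format shown in that log; the hooked sample and the name HOOK_PLACEHOLDER.exe are constructed for illustration.

```python
import re

# Windows XP defaults for the executable-type ProgIDs.  These are the values the
# ComboScan "File Associations" section in this thread shows, so anything else is
# a sign that a shell\open\command key has been hooked.
EXPECTED_COMMANDS = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /s',
    "regfile": 'regedit.exe "%1"',
}

# One report line looks like:  .exe - exefile - "%1" %*
_ASSOC_RE = re.compile(r'^(\.\w+)\s+-\s+(\S+)\s+-\s+(.*)$')


def parse_file_associations(report: str) -> dict:
    """Return {progid: (extension, command)} from the 'File Associations' section."""
    assoc = {}
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("-- File Associations"):
            in_section = True
            continue
        if in_section and line.startswith("-- "):  # next ComboScan section
            break
        if not in_section or not line:
            continue
        m = _ASSOC_RE.match(line)
        if m:
            ext, progid, cmd = m.groups()
            assoc[progid] = (ext, cmd.strip())
    return assoc


def find_hooked_commands(report: str) -> dict:
    """Return {progid: (ext, actual, expected)} for executable types whose
    open command differs from the XP default."""
    hooked = {}
    for progid, (ext, cmd) in parse_file_associations(report).items():
        expected = EXPECTED_COMMANDS.get(progid)
        if expected is not None and cmd != expected:
            hooked[progid] = (ext, cmd, expected)
    return hooked


def build_restore_reg(hooked: dict) -> str:
    """Build REGEDIT4 text that resets each hooked ProgID's shell\\open\\command
    default (the same repair UnHookExec.inf performs, written out explicitly)."""
    lines = ["REGEDIT4", ""]
    for progid, (_ext, _actual, expected) in sorted(hooked.items()):
        lines.append(f"[HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command]")
        # .reg syntax: embedded double quotes are escaped with a backslash
        lines.append('@="' + expected.replace('"', '\\"') + '"')
        lines.append("")
    return "\n".join(lines) + "\n"


# Executable-type lines copied from the ComboScan log posted in this thread.
THREAD_REPORT = r"""
-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /s

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------
"""

# Constructed sample (not a real report): exefile has been hooked so that every
# .exe launch first runs HOOK_PLACEHOLDER.exe, a placeholder name, not a real file.
HOOKED_REPORT = r"""
-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.exe - exefile - "C:\WINDOWS\System32\HOOK_PLACEHOLDER.exe" "%1" %*
.reg - regfile - regedit.exe "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------
"""

if __name__ == "__main__":
    for name, report in (("thread log", THREAD_REPORT), ("constructed sample", HOOKED_REPORT)):
        hooked = find_hooked_commands(report)
        print(f"{name}: {len(hooked)} hooked open command(s)")
        for progid, (ext, actual, expected) in hooked.items():
            print(f"  {ext} ({progid}): {actual!r} should be {expected!r}")
        if hooked:
            print(build_restore_reg(hooked))
```

Run against the thread's own log the check reports nothing hooked; against the constructed sample it flags exefile and prints the .reg text that would restore the default.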
Old 02-21-2007, 05:04 AM   #19 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: winxp


sometimes, a little insomnia is a good thing....

here are my logs:


SDFix: Version 1.67

Run by deborah stone - Wed 02/21/2007 @ 7:28:00.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\TFTP2536 - Deleted
C:\WINDOWS\system32\TFTP3288 - Deleted
C:\WINDOWS\system32\TFTP3368 - Deleted
C:\WINDOWS\system32\TFTP3372 - Deleted
C:\WINDOWS\system32\TFTP3592 - Deleted
C:\WINDOWS\system32\TFTP724 - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\09a5679abc8f910f48af2100a235af8d\BIT1D.tmp

Add/Remove Programs List:

ATI Display Driver
AVG Anti-Spyware 7.5
CCleaner (remove only)
EarthLink Software
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 2.0 - hp officejet 6100 series
Lavasoft VX2 Cleaner
Mozilla Firefox (2.0.0.1)
Panda ActiveScan
Intel(R) PRO Ethernet Adapter and Software
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Trend Micro PC-cillin Internet Security 2007
hp officejet 6100 series
EarthLink Spyware Blocker
ELNBonus
EarthLink Setup
EarthLink Redistributed
EarthLink FastLane
EarthLink Common
EarthLink Toolbar
HP Photo and Imaging 2.0 - All-in-One Drivers
Ad-Aware SE Personal
EarthLink Update Manager
EarthLink MailBox
HP Photo and Imaging 2.0 - All-in-One
EarthLink TaskPanel
HP Memories Disc
Microsoft XML Parser
Trend Micro PC-cillin Internet Security 2007
Dell ResourceCD
EarthLink IM
EarthLink Webspace
Deal Info
SoundMAX
EarthLink Accelerator

Finished


ComboScan v20070212.14 run by deborah stone on 2007-02-21 at 07:43:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as deborah stone.com) ------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:43:20 AM, on 2/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\deborah stone\Desktop\comboscan.exe
C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\~ihgpupr.tmp\deborah stone.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1171679163515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1171679115937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /s
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 aeaudio - system32\drivers\aeaudio.sys
3 ati2mtaa - System32\DRIVERS\ati2mtaa.sys
1 AVG Anti-Spyware Driver - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 basic2 - System32\DRIVERS\HSF_BSC2.sys
3 E100B (Intel(R) PRO Adapter Driver) - System32\DRIVERS\e100b325.sys
2 Fallback - System32\DRIVERS\HSF_FALL.sys
2 Fsks - System32\DRIVERS\HSF_FSKS.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - System32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - System32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - System32\DRIVERS\HPZius12.sys
3 hsf_msft - System32\DRIVERS\HSF_MSFT.sys
2 K56 - System32\DRIVERS\HSF_K56K.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0 PCIIde - System32\DRIVERS\pciide.sys
3 Rksample - System32\DRIVERS\HSF_SAMP.sys
3 smwdm - system32\drivers\smwdm.sys
2 SoftFax - System32\DRIVERS\HSF_FAXX.sys
2 SpeakerPhone - System32\DRIVERS\HSF_SPKP.sys
3 tmcfw (Trend Micro Common Firewall Service) - System32\DRIVERS\TM_CFW.sys
2 tmcomm - \??\C:\WINDOWS\System32\drivers\tmcomm.sys
2 tmmbd (Trend Micro MBD Driver) - System32\DRIVERS\tm_mbd_c.sys
2 Tmpreflt - System32\drivers\Tmpreflt.sys
1 tmtdi (Trend Micro TDI Driver) - System32\DRIVERS\tmtdi.sys
2 tmxpflt - System32\drivers\TmXPFlt.sys
2 Tones - System32\DRIVERS\HSF_TONE.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
2 V124 - System32\DRIVERS\HSF_V124.sys
2 Vsapint - System32\drivers\VsapiNT.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2 PcCtlCom (Trend Micro Central Control Component) - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
3 PcScnSrv (Trend Micro Protection Against Spyware ) - "C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe"
3 Pml Driver HPZ12 - C:\WINDOWS\System32\HPZipm12.exe
3 SCardDrv (Smart Card Helper) - %SystemRoot%\System32\SCardSvr.exe
2 Tmntsrv (Trend Micro Real-time Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
2 TmPfw (Trend Micro Personal Firewall) - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
2 tmproxy (Trend Micro Proxy Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
2 uploadmgr (Upload Manager) - %SystemRoot%\System32\svchost.exe -k netsvcs
2 WmdmPmSp (Portable Media Serial Number) - %SystemRoot%\System32\svchost.exe -k netsvcs


-- Scheduled Tasks --------------------------------------------------------------

2007-02-17 22:55:09 418 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1171770793.job<FRUTAS~1.JOB>


-- Files created between 2007-01-21 and 2007-02-21 ------------------------------

2007-02-21 07:24:38 0 d-------- C:\SDFix
2007-02-20 21:21:41 25600 --a------ C:\WINDOWS\System32\xpsp1hfm.exe<Unsigned: Microsoft Corporation>
2007-02-19 14:47:41 0 --ah----- C:\Documents and Settings\deborah stone\Application Data\hpothb07.dat
2007-02-19 14:47:38 391 --ah----- C:\hpothb07.dat
2007-02-19 14:44:29 149 --ah----- C:\Program Files\hpothb07.dat
2007-02-19 10:57:31 0 d-------- C:\Program Files\CCleaner
2007-02-18 18:37:05 0 d-------- C:\Documents and Settings\deborah stone\DoctorWeb<DOCTOR~1>
2007-02-18 13:27:44 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-18 13:27:42 0 d-------- C:\Program Files\Grisoft
2007-02-18 07:20:22 0 d-------- C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}<{18739~1>
2007-02-17 22:55:14 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Hewlett-Packard<HEWLET~1>
2007-02-17 22:52:55 82380 --a------ C:\WINDOWS\System32\drivers\AFS2K.SYS<Unsigned: Oak Technology Inc.>
2007-02-17 22:49:42 57344 -ra------ C:\WINDOWS\System32\HPZisn12.dll<Signed: HP>
2007-02-17 22:49:42 94208 -ra------ C:\WINDOWS\System32\HPZipt12.dll<Signed: HP>
2007-02-17 22:49:42 65795 -ra------ C:\WINDOWS\System32\HPZipm12.exe<Signed: HP>
2007-02-17 22:49:42 61699 -ra------ C:\WINDOWS\System32\HPZinw12.exe<Signed: HP>
2007-02-17 22:49:41 167936 -ra------ C:\WINDOWS\System32\HPZipr12.dll<Signed: HP>
2007-02-17 22:49:41 233528 -ra------ C:\WINDOWS\System32\HPZidr12.dll<Signed: HP>
2007-02-17 22:49:41 16080 -ra------ C:\WINDOWS\System32\drivers\HPZipr12.sys<Signed: HP>
2007-02-17 22:49:39 51024 -ra------ C:\WINDOWS\System32\drivers\hpzid412.sys<Signed: HP>
2007-02-17 22:49:11 21456 -ra------ C:\WINDOWS\System32\drivers\HPZius12.sys<Signed: HP>
2007-02-17 22:45:41 16618 -----n--- C:\WINDOWS\hpomdl01.dat
2007-02-17 22:45:41 20454 --a------ C:\WINDOWS\hpoins01.dat
2007-02-17 19:42:39 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-17 18:17:10 0 d-------- C:\WINDOWS\Prefetch
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-02-17 18:13:24 0 d-------- C:\WINDOWS\ehome
2007-02-17 18:13:23 450176 -----n--- C:\WINDOWS\System32\drivers\ati2mtag.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 34735 -----n--- C:\WINDOWS\System32\drivers\atinxsxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 29455 -----n--- C:\WINDOWS\System32\drivers\atinxbxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 36463 -----n--- C:\WINDOWS\System32\drivers\atintuxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 21343 -----n--- C:\WINDOWS\System32\drivers\atinttxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 26367 -----n--- C:\WINDOWS\System32\drivers\atinsnxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 63663 -----n--- C:\WINDOWS\System32\drivers\atinrvxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 30671 -----n--- C:\WINDOWS\System32\drivers\atinraxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 12047 -----n--- C:\WINDOWS\System32\drivers\atinpdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 11615 -----n--- C:\WINDOWS\System32\drivers\atinmdxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:22 56591 -----n--- C:\WINDOWS\System32\drivers\atinbtxx.sys<Signed: ATI Technologies Inc.>
2007-02-17 18:13:21 921475 -----n--- C:\WINDOWS\System32\ati3d2ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 844675 -----n--- C:\WINDOWS\System32\ati3d1ag.dll<Signed: ATI Technologies Inc. >
2007-02-17 18:13:21 202496 -----n--- C:\WINDOWS\System32\ati2dvag.dll<Signed: ATI Technologies Inc.>
2007-02-17 10:30:48 0 d-------- C:\WINDOWS\System32\ActiveScan<ACTIVE~1>
2007-02-17 10:21:56 1168 --a------ C:\WINDOWS\mozver.dat
2007-02-17 10:07:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-17 1054 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-17 09:11:43 0 d-------- C:\WINDOWS\System32\NtmsData
2007-02-17 08:50:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-02-17 08:49:55 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-16 23:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-16 23:13:18 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-02-16 23:05:12 118784 --a------ C:\WINDOWS\System32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-16 23:05:12 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-02-16 22:49:13 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Lavasoft
2007-02-16 22:49:08 0 d-------- C:\Program Files\Lavasoft
2007-02-16 22:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-16 22:11:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-16 21:54:44 0 d-------- C:\WINDOWS\System32\PreInstall<PREINS~1>
2007-02-16 21:54:40 0 d--h----- C:\WINDOWS\$hf_mig$
2007-02-16 21:53:53 0 d-------- C:\WINDOWS\System32\bits
2007-02-16 21:25:46 0 d-------- C:\WINDOWS\SoftwareDistribution<SOFTWA~1>
2007-02-16 21:10:21 101376 --a------ C:\WINDOWS\System32\drivers\tm_mbd_c.sys<Unsigned: Trend Micro Inc.>
2007-02-16 21:10:20 281600 --a------ C:\WINDOWS\System32\drivers\TM_CFW.sys<Signed: Trend Micro Inc.>
2007-02-16 21:09:53 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-02-16 21:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro<TRENDM~1>
2007-02-16 21:03:24 0 d---s---- C:\Documents and Settings\deborah stone\UserData
2007-02-16 20:57:30 0 d-------- C:\Documents and Settings\deborah stone\Application Data\EarthLink Toolbar<EARTHL~2>
2007-02-16 20:54:42 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Earthlink<EARTHL~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-19 14:47:41 0 --ah----- C:\Documents and Settings\deborah stone\Application Data\hpothb07.tif
2007-02-19 14:44:29 257 --ah----- C:\Program Files\hpothb07.tif
2007-02-17 10:22:59 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Macromedia<MACROM~1>
2007-02-17 10:07:05 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Mozilla
2007-02-16 22:19:07 0 d---s---- C:\Documents and Settings\deborah stone\Application Data\Microsoft<MICROS~1>
2007-02-16 20:22:10 0 d-------- C:\Documents and Settings\deborah stone\Application Data\Identities<IDENTI~1>
2007-02-16 15:07:49 62 --ahs---- C:\Documents and Settings\deborah stone\Application Data\desktop.ini
2007-01-24 17:45:46 102800 --a------ C:\WINDOWS\System32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpySweeper"=""
"OE"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\TMAS_OE\\TMAS_OEMon.exe\""
"E6TaskPanel"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2007\\pccguide.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-21 at 07:45:53 -------------------------



02/21/07 07:48:11 [Info]: BlackLight Engine 1.0.55 initialized
02/21/07 07:48:11 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/21/07 07:48:12 [Note]: 7019 4
02/21/07 07:48:12 [Note]: 7005 0
02/21/07 07:48:15 [Note]: 7006 0
02/21/07 07:48:15 [Note]: 7011 1048
02/21/07 07:48:15 [Note]: 7026 0
02/21/07 07:48:15 [Note]: 7026 0
02/21/07 07:48:19 [Note]: FSRAW library version 1.7.1021
02/21/07 07:52:56 [Note]: 7007 0


Where can I find look.bat and report.bat??

I had to use EarthLink's disk again to log on. Other than that, things seem to be running more smoothly. Everything seemed to be freezing up before.

So, that was cool. What next? db
Old 02-21-2007, 02:05 PM   #20 (permalink)
amateur
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 6,342
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Hi again,

Quote:
sometimes, a little insomnia is a good thing....


Quote:
where can I find look.bat and report.bat??
It should be where you saved the contents to post back. If you don't have it, try it again and save it to your desktop.

Quote:
Open Notepad and copy/paste the following text in blue:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Save this as look.bat, choose to save as all files and place it on your desktop.
This is how the batch must look after you have created it:
Double-click on look.bat and post the contents of it in your next reply as well.
For report.bat, I guess you mean report.txt which you've included already.

Quote:
Please post back:

look.bat
Report.txt
C:\ComboScan
Supplementary.txt
fsbl-xxxxxxx.log
==========================================

Submit a file to Jotti
Please go here
On top of the page there is a field to add the filepath, copy and paste this filepath:

C:\Program Files\Common Files\{1873997D-0702-1033-1002-020105290001}

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

=============================================

There is one entry missing from your HijackThis log and I would like to know what's happening there.

Create a folder on desktop called Exports

Click start> run> type regedit and hit enter.
Navigate to the following keys by expanding the + sign left of each.

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Windows

Right click on Windows and choose export. Call it look1.reg and save it to your exports folder.

Next, do the same with:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon
Notify

Right click on Notify and choose export. Call it look2.reg and save it to your exports folder.

Exit regedit.

Note: Please be careful and do not do anything else when you're working with the registry.

Open exports folder on your desktop, right click look1.reg > open with notepad> post results here.

Do the same with look2.reg

==========================================

Disable realtime scanners temporarily so that they will not interfere with the following fix.

Open AVG Anti Spyware.
Under 'Status', click on "change status" to make it 'inactive'.

To disable SpywareGuard: Right click the running icon of SpywareGuard in the tray in the lower right corner. It will open the program. Go to Menu > File > Exit. Confirm that the program is closed.

Trend Micro Protection Against Spyware will also need to be disabled temporarily. I have never used TM, so I don't know how to disable it, but usually there is an icon in the tray that you can right click and disable with other scanners.

===========================================

Please right click on HijackThis.exe and rename it to dbstone.exe.
Scan with it.
Close all windows including this one.
Put a checkmark against the following entry and click on fix checked:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Exit HijackThis.

Restart your computer for the changes to take effect.
==========================================

Please post:

the look.bat
look1.reg
look2.reg
a fresh HijackThis log taken after the reboot
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
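As an added illustration (not code from this thread or from TSF), the following Python script reads the look1.reg and look2.reg exports requested above and pulls out what an analyst checks in those two keys: the AppInit_DLLs value under ...\CurrentVersion\Windows and the DllName of every ...\Winlogon\Notify package. The stock-package baseline, the embedded sample exports and the names sample_hook.dll / sample_notify.dll are constructed assumptions for the demonstration.

```python
import re
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
# Stock XP Notify packages: an assumed baseline, confirm it against a clean install of the same SP.
XP_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
               "sclgntfy", "senslogn", "termsrv", "wlballoon"}
def decode(data):
    """Quoted REG_SZ is unescaped; hex(2)/hex(7) is decoded as UTF-16LE; dword etc. kept verbatim."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\([27]\):(.*)$", data)
    if m:  # REG_EXPAND_SZ / REG_MULTI_SZ as comma-separated bytes; multi-sz strings joined by |
        raw = bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
        return raw.decode("utf-16-le").rstrip("\0").replace("\0", "|")
    return data

def parse_reg(text):
    """{key_path: {value_name: data}} from a regedit 5.00 export (paths and names lower-cased)."""
    text = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff"))  # rejoin hex values regedit wrapped
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := SECTION_RE.match(line)):
            cur = m.group(1).lower(); keys.setdefault(cur, {})
        elif (m := VALUE_RE.match(line)) and cur is not None:
            keys[cur][m.group(1).lower()] = decode(m.group(2))
    return keys

def audit(look1_reg, look2_reg, baseline=XP_BASELINE):
    """(where, dll) pairs worth a closer look: a non-empty AppInit_DLLs (loaded into every process
    that maps user32.dll), and Notify packages not in the baseline or whose DllName is a path."""
    findings = []
    dlls = parse_reg(look1_reg).get(WINDOWS_KEY, {}).get("appinit_dlls", "")
    if dlls:
        findings.append(("AppInit_DLLs", dlls))
    for path, values in parse_reg(look2_reg).items():
        if path.startswith(NOTIFY_KEY + "\\"):
            sub, dll = path[len(NOTIFY_KEY) + 1:], values.get("dllname", "")
            if sub not in baseline or "\\" in dll or not dll:
                findings.append(("Notify\\" + sub, dll))
    return findings

# Constructed sample exports in the form regedit writes them (not taken from the thread).
LOOK1 = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sample_hook.dll"'''
LOOK2 = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_pkg]
"DllName"="C:\\WINDOWS\\system32\\sample_notify.dll"'''
if __name__ == "__main__":
    for where, dll in audit(LOOK1, LOOK2):
        print(where, "->", dll)
```

Real exports written by regedit are UTF-16 files, so read them with `open(path, encoding="utf-16")` before passing the text to audit().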
Copyright 2001 - 2009, Tech Support Forum