Old 03-25-2007, 03:00 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Win32/rustock.gen!C and Window MSRT crashes

Hi,
* I'm having trouble installing XP updates and have been getting a MS message that win32/rustock.gen!C is installed. But none of the other scans I have done find it.
* All the critical XP updates are in place except for the Malicious Software Removal Tool March 2007, which will reliably crash the PC every time I try to install it. On reboot, I sometimes get an auto shutdown alert.
* I cannot install IE 7 without a crash, although I use Firefox most of the time.
* After these problems started, I updated my McAfee to the latest version. On boot, it is alerting about stopping a buffer overload with c:\windows\system32\services.exe.
* Last week one core was running constantly at 100%, with the other just ticking over. There were no obvious processes using this power. I fixed this by doing a restore to a week earlier.
* I have run Steps 1-5. But SpywareGuard2.2 crashes with a runtime error.
* I have attached the Panda scan (activescan.txt).
Can someone please help?!
Attached Files
File Type: txt Activescan.txt (21.9 KB, 2 views)
andrew.m

Old 03-25-2007, 10:02 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:
@shutdown -a

Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:

Each time your machine threatens to shutdown, double click on fix.bat & it shall abort the shutdown procedure. That should ease some of your current difficulties.

------------------------------------------------------------------------------------------
  1. Download combofix from one of these locations:
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------

Next, do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
Old 03-26-2007, 06:58 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi tetonbob and thanks for your help. Here are the files requested.
The PC was back to its old tricks this morning and rebooted itself several times when turned on.
When I ran combofix, SpywareGuard came up with an alert that the IE search page had been changed from //www.google.com to http://www.microsoft.com/ispi/redir.dll?prd=iear=iesearch. Is this a drama?


Deckard's System Scanner v20070318.32
Run by Morgans on 2007-03-26 at 20:40:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
107: 2007-03-26 12:40:47 UTC - RP245 - Deckard's System Scanner Restore Point
106: 2007-03-25 12:22:26 UTC - RP244 - System Checkpoint
105: 2007-03-24 06:20:14 UTC - RP243 - Removed Logitech Desktop Messenger
104: 2007-03-24 05:34:39 UTC - RP242 - Software Distribution Service 2.0
103: 2007-03-24 05:08:04 UTC - RP241 - Software Distribution Service 2.0


-- First Restore Point --
1: 2006-12-27 10:36:54 UTC - RP139 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Morgans.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:42:02 PM, on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Morgans\Desktop\dss.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\HIJACK~1\Morgans.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/sami...bar.jhtml?p=DA
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://morganthegrim-reaper.spaces.m...d/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174566720546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys
R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys
R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys
R1 DcCam (Kodak Camera Proxy) - c:\windows\system32\drivers\dccam.sys
R1 MPFP - c:\windows\system32\drivers\mpfp.sys
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys
R1 vobiw - c:\windows\system32\drivers\vobiw.sys
R2 DCFS2K (Kodak DCFS2K Driver) - c:\windows\system32\drivers\dcfs2k.sys
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 cdrdrv - c:\windows\system32\drivers\cdrdrv.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys
R3 ha20x2k (Creative 20X HAL Driver) - c:\windows\system32\drivers\ha20x2k.sys
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys
R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys
R3 StillCam (Still Serial Digital Camera Driver) - c:\windows\system32\drivers\serscan.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

S1 Exportit - c:\windows\system32\drivers\exportit.sys
S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 DcFpoint - c:\windows\system32\drivers\dcfpoint.sys
S3 DcLps (Legacy Polling Service) - c:\windows\system32\drivers\dclps.sys
S3 DcPTP - c:\windows\system32\drivers\dcptp.sys
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys
S3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys
S3 PVUSB (CESG502 USB Driver) - c:\windows\system32\drivers\cesg502.sys
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra professional 2004.sp2b (win32 x86)\sandra.sys
S3 TDIMSYS - c:\windows\system32\drivers\tdimsys.sys (file missing)
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 MSK80Service (McAfee SpamKiller Service) - "c:\program files\mcafee\msk\msksrver.exe"
R2 MSSQL$PINNACLESYS - c:\program files\microsoft sql server\mssql$pinnaclesys\binn\sqlservr.exe -spinnaclesys
R2 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

S3 bpcService (BigPond Broadband Cable Login) - "c:\program files\telstra\cable login\bpcservice.exe"
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini"
S3 SQLAgent$PINNACLESYS - c:\program files\microsoft sql server\mssql$pinnaclesys\binn\sqlagent.exe -i pinnaclesys


-- Scheduled Tasks -------------------------------------------------------------

2007-03-25 18:43:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-03-24 14:43:38 354 --a------ C:\WINDOWS\Tasks\McDefragTask.job<MCDEFR~1.JOB>
2007-03-24 14:43:37 356 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2007-02-26 and 2007-03-26 -----------------------------

2007-03-25 15:45:34 21312 --a------ C:\WINDOWS\choice.exe
2007-03-25 15:44:36 0 d-------- C:\Program Files\ie-spyad
2007-03-25 15:42:19 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-03-25 15:37:07 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-25 14:01:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-24 14:45:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor<SITEAD~1>
2007-03-24 14:45:25 0 d-------- C:\Program Files\SiteAdvisor<SITEAD~1>
2007-03-24 14:45:25 0 d-------- C:\Documents and Settings\Morgans\Application Data\SiteAdvisor<SITEAD~1>
2007-03-24 14:45:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor<SITEAD~1>
2007-03-24 14:44:50 143360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-03-24 14:43:53 37480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-03-24 14:43:53 32008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-03-24 14:43:52 34184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-03-24 14:43:50 170408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-03-24 14:43:50 71496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-03-24 14:43:47 109608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-24 14:43:28 0 d-------- C:\Program Files\McAfee.com
2007-03-24 14:43:25 0 d-------- C:\Program Files\Common Files\McAfee
2007-03-24 14:43:20 0 d-------- C:\Program Files\McAfee
2007-03-23 16:38:24 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-22 18:11:46 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-03-22 05:53:33 0 d--hs---- C:\WINDOWS\CSC
2007-03-21 20:53:12 0 d-------- C:\Program Files\McAfee(2).com<MCAFEE~1.COM>
2007-03-21 18:43:27 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee(2)<MCAFEE~1>
2007-03-21 15:30:24 11415 --a------ C:\WINDOWS\system32\¨ùö<C7AC~1>
2007-03-18 17:38:29 10485760 --a------ C:\Documents and Settings\Morgans\ntuser.dat
2007-03-17 19:52:08 1660 --a------ C:\WINDOWS\desctemp.dat
2007-03-15 08:30:42 0 d-------- C:\spoolerlogs<SPOOLE~1>
2007-03-12 16:39:43 40672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-03-12 16:39:40 0 d-------- C:\Program Files\CASIO
2007-03-05 19:46:10 0 d-------- C:\Documents and Settings\Morgans\Application Data\FirstClass<FIRSTC~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-26 20:01:56 0 d-------- C:\Documents and Settings\Morgans\Application Data\Skype
2007-03-24 14:20:14 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-24 14:20:10 0 d-------- C:\Program Files\Logitech
2007-03-20 06:37:34 0 d-------- C:\Program Files\Java
2007-03-05 19:46:10 0 d-------- C:\Program Files\FirstClass<FIRSTC~1>
2007-02-18 17:44:22 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-04 18:37:59 0 d-------- C:\Program Files\SpeedFan
2007-01-31 20:45:56 0 d-------- C:\Documents and Settings\Morgans\Application Data\OfficeUpdate12<OFFICE~1>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"IW_Drop_Icon"="C:\\Program Files\\Pinnacle\\InstantCDDVD\\InstantWrite\\iwctrl.exe /DropDisc"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTXFIREG"="CTxfiReg.exe"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"MskAgentexe"="C:\\Program Files\\McAfee\\MSK\\MskAgent.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6028\\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUME~1/Morgans/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-26 at 20:42:26 ---------

"Morgans" - 07-03-26 20:09:45 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Morgans\My Documents\Applications\SpyWare Removers"

((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 ))))))))))))))))))))))))))))))))))


2007-03-25 15:45 21,312 --a------ C:\WINDOWS\choice.exe
2007-03-25 15:44 <DIR> d-------- C:\Program Files\ie-spyad
2007-03-25 15:42 <DIR> d-------- C:\Program Files\SpywareGuard
2007-03-25 15:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-03-25 14:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-24 14:45 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\Morgans\APPLIC~1\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-03-24 14:44 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-03-24 14:43 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-03-24 14:43 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-03-24 14:43 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-03-24 14:43 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-03-24 14:43 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-03-24 14:43 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-24 14:43 <DIR> d-------- C:\Program Files\McAfee.com
2007-03-24 14:43 <DIR> d-------- C:\Program Files\McAfee
2007-03-24 14:43 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-03-23 16:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-22 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-03-22 05:53 <DIR> d--hs---- C:\WINDOWS\CSC
2007-03-21 20:53 <DIR> d-------- C:\Program Files\McAfee(2).com
2007-03-21 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee(2)
2007-03-18 17:38 10,485,760 --a------ C:\DOCUME~1\Morgans\ntuser.dat
2007-03-17 19:52 1,660 --a------ C:\WINDOWS\desctemp.dat
2007-03-15 08:30 <DIR> d-------- C:\spoolerlogs
2007-03-12 16:39 40,672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-03-12 16:39 <DIR> d-------- C:\Program Files\CASIO
2007-03-05 19:46 <DIR> d-------- C:\DOCUME~1\Morgans\APPLIC~1\FirstClass


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-26 20:01 -------- d-------- C:\DOCUME~1\Morgans\APPLIC~1\skype
2007-03-24 14:20 -------- d--h----- C:\Program Files\installshield installation information
2007-03-24 14:20 -------- d-------- C:\Program Files\logitech
2007-03-20 06:37 -------- d-------- C:\Program Files\java
2007-03-05 19:46 -------- d-------- C:\Program Files\firstclass
2007-02-18 17:44 -------- d-------- C:\Program Files\quicktime
2007-02-04 18:37 -------- d-------- C:\Program Files\speedfan
2007-01-31 20:45 -------- d-------- C:\DOCUME~1\Morgans\APPLIC~1\officeupdate12


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"IW_Drop_Icon"="C:\\Program Files\\Pinnacle\\InstantCDDVD\\InstantWrite\\iwctrl.exe /DropDisc"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTXFIREG"="CTxfiReg.exe"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"MskAgentexe"="C:\\Program Files\\McAfee\\MSK\\MskAgent.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6028\\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUME~1/Morgans/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-26 20:11:55
C:\ComboFix2.txt ... 07-03-26 20:07
Attached Files
File Type: txt extra.txt (32.3 KB, 3 views)
Old 03-26-2007, 09:35 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Quote:
When I ran combofix, SpywareGuard came up with an alert that IE search page had been changed from //www.google.com to htpp://www.microsoft.com/ispi/redir.dll?prd=iear=iesearch
ComboFix sets homepage to MS default.

I'm not seeing any sign of Rustock in your logs. What was alerting you to its presence, and is it still?

You appear to have run ComboFix twice.

Please post C:\ComboFix2.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 03-26-2007, 04:52 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

The Rustock alert came after trying to install the MS Malicious Software Removal Tool - March 2007. The PC crashed during the install, and when I rebooted and I said "yes, report the serious error", a message appeared that Rustock was present. It was as if the tool was installed and found something, but it is still on the updates ready to install list. Every time I shut down now I shut down without doing the install. Do you want me to try installing it again?

Here is ComboFix2.txt

"Morgans" - 07-03-26 19:54:32 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname1.dat
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{2CDFE~1
C:\Program Files\Common Files\{3CDFE~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 ))))))))))))))))))))))))))))))))))


2007-03-25 15:45 21,312 --a------ C:\WINDOWS\choice.exe
2007-03-25 15:44 <DIR> d-------- C:\Program Files\ie-spyad
2007-03-25 15:42 <DIR> d-------- C:\Program Files\SpywareGuard
2007-03-25 15:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-03-25 14:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-24 14:45 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\Morgans\APPLIC~1\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-03-24 14:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-03-24 14:44 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-03-24 14:43 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-03-24 14:43 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-03-24 14:43 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-03-24 14:43 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-03-24 14:43 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-03-24 14:43 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-24 14:43 <DIR> d-------- C:\Program Files\McAfee.com
2007-03-24 14:43 <DIR> d-------- C:\Program Files\McAfee
2007-03-24 14:43 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-03-23 16:38 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-22 18:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-03-22 05:53 <DIR> d--hs---- C:\WINDOWS\CSC
2007-03-21 20:53 <DIR> d-------- C:\Program Files\McAfee(2).com
2007-03-21 18:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee(2)
2007-03-18 17:38 10,485,760 --a------ C:\DOCUME~1\Morgans\ntuser.dat
2007-03-17 19:52 1,660 --a------ C:\WINDOWS\desctemp.dat
2007-03-15 08:30 <DIR> d-------- C:\spoolerlogs
2007-03-12 16:39 40,672 --a------ C:\WINDOWS\system32\drivers\CESG502.sys
2007-03-12 16:39 <DIR> d-------- C:\Program Files\CASIO
2007-03-05 19:46 <DIR> d-------- C:\DOCUME~1\Morgans\APPLIC~1\FirstClass


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ... driver unloaded successfully. Run ADS scan for remnant driver file

2007-03-26 20:01 -------- d-------- C:\DOCUME~1\Morgans\APPLIC~1\skype
2007-03-24 14:20 -------- d--h----- C:\Program Files\installshield installation information
2007-03-24 14:20 -------- d-------- C:\Program Files\logitech
2007-03-20 06:37 -------- d-------- C:\Program Files\java
2007-03-05 19:46 -------- d-------- C:\Program Files\firstclass
2007-02-18 17:44 -------- d-------- C:\Program Files\quicktime
2007-02-04 18:37 -------- d-------- C:\Program Files\speedfan
2007-01-31 20:45 -------- d-------- C:\DOCUME~1\Morgans\APPLIC~1\officeupdate12


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"IW_Drop_Icon"="C:\\Program Files\\Pinnacle\\InstantCDDVD\\InstantWrite\\iwctrl.exe /DropDisc"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"VolPanel"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CTXFIREG"="CTxfiReg.exe"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="\"C:\\Program Files\\Creative\\Sound Blaster X-Fi\\DVDAudio\\CTDVDDET.EXE\""
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"MskAgentexe"="C:\\Program Files\\McAfee\\MSK\\MskAgent.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6028\\SiteAdv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUME~1/Morgans/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-26 20:07:17
Old 03-26-2007, 05:51 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Quote:
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ... driver unloaded successfully. Run ADS scan for remnant driver file
This is why I wanted to see the first run of ComboFix. Rustock has been neutralised.

As far as MSRT goes... it should not find Rustock now. The Rustock driver may well have been interfering with its run and causing the crash of MSRT. Let's continue with the cleaning before you run it again.

Please do this:

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Run ADS Spy
  • Open HijackThis
  • Click on the button " Open the Misc Tools section"
  • Click the button labelled "Open ADSSpy"
  • Make sure "Quick Scan (Windows based folders only)" is unchecked.
  • Make sure "Ignore Safe System Info Streams" is checked.
  • Click the "Scan" button.
  • When it has finished scanning, checkmark/tick all the entries that it found.
  • Click the "remove selected" button, then Click "Yes" at the following prompt.
  • Click the "Scan" button once again.
  • Click the "Save Log" button once this scan is complete. If nothing is found in this second run, no log will be produced.
Please post that log here for review.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. In your case, they are J2SE Runtime Environment 5.0 Update 6 and Java 2 Runtime Environment, SE v1.4.2_03
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
  • After the install is complete, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyWay Search Assistant

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/sami...bar.jhtml?p=DA
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Close HijackThis now.

---------------------------------------------------------------------------------------------

Delete this folder if present:

C:\Program Files\MyWaySA

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
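The six HijackThis entries listed for "Fix Checked" in the post above share tells a defender can check mechanically: the load point's target file is gone ("(file missing)" / "(no file)"), the path or URL belongs to the program being uninstalled (MyWaySA / myway.com), or a search setting has been left as about:blank. The script below is an added example, not code from this thread, from HijackThis or from any other tool it mentions. It parses HijackThis-style entry lines (the sample lines are copied from this thread, plus two legitimate entries from the later scan so the filter has both kinds) and reports which ones match. The folder list, domain list and the about:blank rule are assumptions drawn from the entries in this thread, not a general signature set.

```python
"""Parse HijackThis-style log entries and flag the ones a cleanup would target."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlparse

# Constructed sample: the six entries the helper listed for "Fix Checked",
# followed by two legitimate entries from the user's later scan log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/sami...bar.jhtml?p=DA
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# Assumed lists for this thread only: the program the helper asked to remove.
UNWANTED_DIRS = ("MyWaySA",)
UNWANTED_DOMAINS = ("myway.com",)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    kind: str                 # HijackThis section code, e.g. "R1", "O2"
    body: str                 # everything after "Rn - " / "On - "
    clsid: Optional[str]      # first {GUID} in the line, if any
    path: Optional[str]       # first drive-letter path in the line, if any
    file_missing: bool        # HijackThis could not find the target file
    reg_key: Optional[str]    # for "R" entries written as "key = value"
    reg_value: Optional[str]


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_entries(text: str) -> List[Entry]:
    """Turn the Rn/On lines of a HijackThis log into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        missing = body.endswith(MISSING_MARKERS)
        stripped = body
        for marker in MISSING_MARKERS:
            if stripped.endswith(marker):
                stripped = stripped[: -len(marker)].rstrip()
        clsid_m = CLSID_RE.search(stripped)
        path_m = DRIVE_PATH_RE.search(stripped)
        reg_key = reg_value = None
        if kind.startswith("R") and " = " in stripped:
            reg_key, reg_value = (s.strip() for s in stripped.split(" = ", 1))
        entries.append(Entry(kind, body,
                             clsid_m.group(0) if clsid_m else None,
                             path_m.group(0).rstrip() if path_m else None,
                             missing, reg_key, reg_value))
    return entries


def flag_entries(entries: Sequence[Entry], unwanted_dirs: Sequence[str],
                 unwanted_domains: Sequence[str]) -> List[Finding]:
    """Apply the three tells from the thread and return every entry that matches at least one."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if e.file_missing:
            reasons.append("orphaned load point: target file missing")
        if e.path and any(d.lower() in e.path.lower() for d in unwanted_dirs):
            reasons.append("path inside an unwanted program folder")
        if e.reg_value:
            host = urlparse(e.reg_value).hostname or ""
            if any(host == d or host.endswith("." + d) for d in unwanted_domains):
                reasons.append(f"points at unwanted domain {host}")
            if e.reg_value.lower() == "about:blank" and "search" in (e.reg_key or "").lower():
                reasons.append("search setting left as about:blank (hijack residue)")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def review_log(text: str) -> List[Finding]:
    """Convenience wrapper using the lists assumed for this thread."""
    return flag_entries(parse_entries(text), UNWANTED_DIRS, UNWANTED_DOMAINS)


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.entry.kind}: {f.entry.body}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the script reports exactly the six entries the helper asked to fix and leaves the SpywareGuard BHO and the NVIDIA Run entry alone. The "(file missing)" and "(no file)" markers are the strongest signal here because a load point whose target is gone does nothing useful and is only ever residue; the folder and domain lists are the part you would change for a different cleanup.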
Old 03-31-2007, 08:30 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi again tetonbob. Sorry for the delay.

I ran ADS Spy. I did not delete any of the files found as they appear to be a lot of my photos on c: and their backups on f:. What do you think?
Java is updated
MyWay Search is deleted
HiJackThis system scan log is attached
Panda ActiveScan is attached. Looks like it found Rustock at the end as well as a lot of other stuff.

=======================================================
ADS Spy:

file attached


===============================================
Hijack This system scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:12 PM, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://morganthegrim-reaper.spaces.m...d/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174566720546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0169471175329853) (0169471175329853mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\016947~1.EXE
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

=========================================================
Panda ActiveScan:


Incident Status Location

Adware:adware/sbsoft Not disinfected Windows Registry
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[c5.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.2o7.net/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.ad.sensismediasmart.com.au/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[server.iad.liveperson.net/hc/17373911]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.xiti.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.gostats.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.hotlog.ru/]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[UE.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[WSu.exe]
Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\system32:lzx32.sys
andrew.m is offline  
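One way to triage the two logs in the post above mechanically, as an added example that is not part of the original thread and is not code from HijackThis or Panda: the sample lines are copied from the posted logs, while the scoring rules (which markers count as suspicious) and the regular expression used to recognise an alternate-data-stream path such as the Rustock hit are this example's own assumptions, not rules from either tool.

```python
"""Triage HijackThis and Panda ActiveScan text output.

Added example, not code from the thread, from HijackThis or from Panda.
Sample lines are copied from the posted logs; the heuristics are assumed.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O23 - Service: McAfee Application Installer Cleanup (0169471175329853) (0169471175329853mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\016947~1.EXE
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: lines copied from the Panda ActiveScan output above.
SAMPLE_PANDA = r"""
Adware:adware/sbsoft Not disinfected Windows Registry
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.atdmt.com/]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[UE.exe]
Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\system32:lzx32.sys
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^HK[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Detection names may contain spaces ("Cookie/Atlas DMT"), so the name is
# matched lazily up to a known status word.
PANDA_LINE = re.compile(
    r"^(?P<cat>[A-Za-z]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+(?P<loc>.+)$")
# "<drive>:\<path>:<stream>": a second colon with no backslash after it marks
# an NTFS alternate data stream, which Explorer and XP's "dir" do not list.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:\[]*:[^\\\[]+$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def split_command(cmd: str):
    """Split a Run-key command line into (executable, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(" ", 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def is_ads_path(location: str) -> bool:
    return bool(ADS_PATH.match(location))


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Flag HijackThis lines worth a second look (assumed heuristics)."""
    out: List[Dict[str, str]] = []

    def add(sec, severity, reason, body):
        out.append({"section": sec, "severity": severity, "reason": reason, "detail": body})

    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            add(sec, "low", "orphaned entry: target file missing", body)
        if sec == "O4":
            r = O4_RUN.match(body)
            if r:
                exe, args = split_command(r.group("cmd"))
                if exe.lower().endswith("rundll32.exe") and args:
                    # rundll32 itself is benign; the DLL it loads is the real target
                    exe = split_command(args)[0].split(",", 1)[0]
                if "\\" not in exe and not exe.startswith("%"):
                    add(sec, "medium", "Run entry without a full path (resolved by PATH search)", body)
        elif sec == "O16":
            add(sec, "info", "ActiveX control downloaded from the web", body)
        elif sec == "O23":
            # "Service: <name> - <owner> - <path>"; split from the right since
            # names may themselves contain " - "
            parts = body.split(": ", 1)[-1].rsplit(" - ", 2)
            if len(parts) == 3:
                _name, owner, path = parts
                if owner == "Unknown owner":
                    add(sec, "medium", "service with no publisher information", body)
                if "\\temp\\" in path.lower():
                    add(sec, "medium", "service binary in a temp directory", body)
    return out


def triage_panda(text: str) -> List[Dict[str, str]]:
    """Rank Panda incidents: cookies are noise, an ADS hit on system32 is not."""
    out: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = PANDA_LINE.match(raw.strip())
        if not m:
            continue
        name, loc = m.group("name"), m.group("loc")
        detail = f"{m.group('cat')}:{name} ({m.group('status')}) {loc}"
        if is_ads_path(loc):
            sev, why = "high", "payload hidden in an NTFS alternate data stream"
        elif name.lower().startswith("cookie/"):
            sev, why = "info", "tracking cookie"
        elif loc == "Windows Registry":
            sev, why = "medium", "registry-only detection"
        elif loc.endswith("]"):
            sev, why = "medium", "file embedded inside another file"
        else:
            sev, why = "medium", "file detection"
        out.append({"severity": sev, "reason": why, "detail": detail})
    return sorted(out, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage_panda(SAMPLE_PANDA) + triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['reason']}: {f['detail']}")
```

Run it as a script to see the ranked list, or feed it a full log with `triage_hjt(open("hijackthis.log").read())`. ADS Spy lists every stream on the volume, and photo files routinely carry benign ones (a Zone.Identifier stream on downloaded files, summary and thumbnail streams written by Explorer), so the signal is not the number of streams but a stream attached to a system directory under a driver-style name, which is exactly what the Panda line for `C:\WINDOWS\system32:lzx32.sys` reports.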
Old 03-31-2007, 08:33 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi again tetonbob. Sorry for the delay.

I ran ADS Spy. I did not delete any of the files found as they appear to be a lot of my photos on c: and their backups on f:. What do you think?
Java is updated
MyWay Search is deleted
HijackThis system scan log is attached
Panda ActiveScan is attached. Looks like it found Rustock at the end as well as a lot of other stuff.

=======================================================
ADS Spy:

The file is too long and nothing happens when I click Manage Attachments.

===============================================
Hijack This system scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:12 PM, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\Explorer.EXE
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://morganthegrim-reaper.spaces.m...d/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174566720546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0169471175329853) (0169471175329853mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\016947~1.EXE
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

=========================================================
Panda ActiveScan:


Incident Status Location

Adware:adware/sbsoft Not disinfected Windows Registry
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[c5.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.winantivirus.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.systemdoctor.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.overture.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.2o7.net/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.ad.sensismediasmart.com.au/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[server.iad.liveperson.net/hc/17373911]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.xiti.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.gostats.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.hotlog.ru/]
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[UE.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[WSu.exe]
Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\system32:lzx32.sys
03-31-2007, 08:53 AM   #9
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

If you can't attach the ADS Spy log, split it into as many posts as necessary... (Your popup blocker may be preventing the Manage Attachments window from opening, as a new window or tab should open when you click on the button. Not sure why, as you were able to attach files earlier. Try again.)

However, first, make sure that "Ignore safe system info streams" was checked.

Also, what Panda is showing is the ADS, which we need to remove using ADS Spy. It is not a file, but a data stream attached to the system32 folder.

Somewhere in the ADS Scan screen will appear something like this:

C:\WINDOWS\system32 : lzx32.sys (xxxxx bytes) <Where xxxxx is the size of the stream>
C:\WINDOWS\system32 : lzx32.sys (xxxxx bytes)

There may be one line, but there may be two.

Find them, and check them only, then click Remove Selected.

Then, run a new scan with ADS Spy, save the log, and attach it (or split it into several posts if need be).

The only other things Panda found were cookies (easily deleted) and this file which you should delete:

Quote:
C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe
Clear your Firefox cookies. From the open browser, go to Tools > Options > Privacy > Cookies > Clear.

Let me know how that all goes.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 03-31-2007 at 08:55 AM.
03-31-2007, 09:20 AM   #10
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

I've attached the ADS file. You were right, a pop-up was being blocked even though "block popups" was off. So I switched to Firefox.
I've deleted the Firefox cookies.

Where is the "Ignore safe system info streams" check box - in ADS?
Also, what do you mean by "what Panda is showing is the ADS"? What is a Panda?
Attached Files
File Type: txt adsspy.txt (172.6 KB, 2 views)
03-31-2007, 09:34 AM   #11
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Sorry - found the check box in ADS.
I found the 2 lines in the middle of the ADS log file, at the end of the list of C: files.
I deleted these 2 lines.
I ran another ADS - file attached.
Attached Files
File Type: txt adsspy2.txt (172.5 KB, 1 views)
03-31-2007, 09:46 AM   #12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Good job!

Though you've solved it already, I'd like to explain:

Quote:
Also, what do you mean by "what Panda is showing is the ADS". What is a Panda?
Panda is the online scan we used, which produced the Active Scan report you posted.

From the Panda Active Scan log:

Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\system32:lzx32.sys <<< Note the odd path structure using a colon. In simple terms, this indicates a data stream, not a file. ADS Spy is designed to scan for these, and can remove them. Which you've successfully done!

So, how is your system behaving?

Last edited by tetonbob; 03-31-2007 at 10:04 AM.
04-01-2007, 03:24 AM   #13
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi tetonbob. Looks like you've done it, as everything seems to be behaving OK. I've updated Explorer to V7 without any crashes.
Thanks for all your help.
Can you tell me exactly what a data stream is and what it does? I had noticed some high upload usage off and on over the last 6 months, and maybe this is it. What sort of data does it stream?
How do I know if I have been affected again? I really only came across this one by chance. Should I run HijackThis every so often?
04-01-2007, 09:02 AM   #14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

HijackThis is an analysis and registry tool, best used in concert with trained help. Removal of the wrong thing can damage your system.

Regarding ADS... Best to do some deep reading to understand Alternate Data Streams. I wouldn't do it justice by trying to post an oversimplified response here. Please note that they are a part of NTFS-based Windows OS systems, and not all ADS are threats.

A couple of good links:

http://www.bleepingcomputer.com/tuto...utorial25.html

http://www.windowsecurity.com/articl...a_Streams.html

Glad to hear things are returning to normal.

Let's perform a couple more tasks.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------


Let's run this next tool to look for remnants. It will also be a good tool to have in your protection arsenal.

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here, along with the AVG Anti-Spyware log you saved.

---------------------------------------------------------------------------------------------
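The colon notation tetonbob points out in post #12 (a stream name after the path, "C:\WINDOWS\system32:lzx32.sys"), together with the caution in post #14 that ADS are a normal NTFS feature and not all of them are threats, can be turned into a small check over scanner output. The Python below is an added example for this thread, not a tool or log from the original posts: it parses report lines shaped like the Panda ActiveScan, AVG Anti-Spyware and HijackThis entries quoted above, pulls out the filesystem location from each, and reports any location whose final component carries a stream name. The sample lines are constructed for the example (several copied from the logs in the thread, the Zone.Identifier line and the two-path Run entry invented for illustration), and the code reads only text; it never touches the disk.

```python
"""Flag alternate-data-stream (ADS) locations in anti-malware scan output.

Added example for this thread, not part of any tool shown in it.  It only
parses report text and never opens the filesystem.  The sample report is
constructed here, modelled on the Panda ActiveScan, AVG Anti-Spyware and
HijackThis formats quoted in the thread.
"""
import re
from typing import List, Optional, Tuple

# First drive-letter path in a report line ("C:\...").
_DRIVE = re.compile(r"[A-Za-z]:\\")

# A path whose last component names an NTFS stream: <base>:<stream>[:$DATA].
# The base may not contain a second colon and a stream name may not contain
# a backslash, so an ordinary "C:\dir\file.exe" (one colon) never matches,
# and a second quoted path (":\...") following the first is rejected too.
_ADS = re.compile(r"^(?P<base>[A-Za-z]:\\[^:]*):(?P<stream>[^:\\]+?)(?::\$DATA)?$")


def extract_location(line: str) -> Optional[str]:
    """Return the filesystem location quoted in one scanner line, or None."""
    m = _DRIVE.search(line)
    if not m:
        return None
    loc = line[m.start():].strip()
    # AVG style: "<location> -> <detection> : <action>"
    loc = loc.split(" -> ", 1)[0]
    # Panda style suffixes, "cookies.txt[.zedo.com/]" (cookie host) and
    # "OiUninstaller.exe[UE.exe]" (archive member), are not part of the path.
    loc = re.sub(r"\[[^\]]*\]$", "", loc)
    return loc.strip()


def find_ads(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (base_path, stream_name) for every ADS location in the report."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        loc = extract_location(line)
        if loc is None:
            continue
        m = _ADS.match(loc)
        if m:
            hits.append((m.group("base"), m.group("stream")))
    return hits


# Constructed sample report, modelled on the logs in this thread.
SAMPLE_REPORT = [
    # Panda: the Rustock driver stored as a stream on the system32 folder.
    r"Hacktool:Rootkit/Rustock Not disinfected C:\WINDOWS\system32:lzx32.sys",
    # Panda: an archive member and a cookie entry; neither is an ADS.
    r"Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Morgans\Desktop\OiUninstaller.exe[UE.exe]",
    r"Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt[.zedo.com/]",
    # AVG: the leading ":mozilla.36:" is AVG's cookie index, not a stream.
    r":mozilla.36:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.",
    # HijackThis (constructed): two quoted paths on one Run line; the second
    # drive colon must not be mistaken for a stream separator.
    r'O4 - HKLM\..\Run: [Loader] "C:\Program Files\Loader\run.exe" "C:\Program Files\Loader\plugin.dll"',
    # Constructed: the benign mark-of-the-web stream Explorer writes to downloads.
    r"C:\Documents and Settings\Morgans\Desktop\setup.exe:Zone.Identifier:$DATA",
]

if __name__ == "__main__":
    for base, stream in find_ads(SAMPLE_REPORT):
        print(f"ADS on {base!r}: stream {stream!r}")
```

Two hits come back: the lzx32.sys stream on the system32 folder, and Zone.Identifier on a downloaded installer. The second is the routine mark-of-the-web stream that Explorer attaches to files saved from the Internet, exactly the sort of benign ADS tetonbob warns about, so a hit there is expected; a named stream hanging off a system directory is not, and is what warranted ADS Spy in this thread.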
04-04-2007, 06:49 PM   #15
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi tetonbob.
Thanks for the links about ADS. Some good reading, and now I know a lot more.

I'm now having trouble with SpywareGuard. It comes up with a runtime error on every boot. I've tried a reinstall, but that didn't fix it.

Sonic burning software that came with the Dell is also playing up, looking for an update program. It takes about 10 clicks of cancel buttons to get out of this. I've tried putting in the original CD, but this doesn't help. Maybe I should try an uninstall/reinstall?

Outlook is now taking forever to load. The main window comes up immediately, but then the hourglass appears waiting for the preview pane to load. Maybe this is McAfee, which I updated a couple of weeks ago?

But the good news is that so far all the Windows updates run OK without crashing.

Had a bit of trouble with the AVG install - the "Resident Shield" said "NA", and could not be clicked. But the scan seemed to run OK.

Here are the HijackThis and AVG logs:
=============================
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:13 PM, on 3/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/news/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://morganthegrim-reaper.spaces.m...d/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174566720546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

============================
AVG scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:42:04 PM 3/04/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-770111583-2160406571-3994036003-1005\Dc2.exe -> Adware.PurityScan : Cleaned.
C:\Documents and Settings\Morgans\My Documents\plaza_pc_backup\My Documents\James' documents\FreeMyEmoticonsV7BadBoys.exe/VVSN.exe -> Adware.SaveNow : Cleaned.
:mozilla.36:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.37:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.38:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.39:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.40:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.41:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.42:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.43:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.70:C:\Documents and Settings\Morgans\Application Data\Mozilla\Firefox\Profiles\dhc2y92z.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Morgans\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/Service Pack Stuff.zip/XPKey.exe -> Trojan.Small.edz : Cleaned.
C:\Documents and Settings\Morgans\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/XPKey.exe -> Trojan.Small.edz : Cleaned.
C:\Documents and Settings\Morgans\My Documents\plaza_pc_backup\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/Service Pack Stuff.zip/XPKey.exe -> Trojan.Small.edz : Cleaned.
C:\Documents and Settings\Morgans\My Documents\plaza_pc_backup\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/XPKey.exe -> Trojan.Small.edz : Cleaned.
F:\Backup C drive Docs & Settings\Documents and Settings(2)\Windows XP_Oct05\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/Service Pack Stuff.zip/XPKey.exe -> Trojan.Small.edz : Cleaned.
F:\Backup C drive Docs & Settings\Documents and Settings(2)\Windows XP_Oct05\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/XPKey.exe -> Trojan.Small.edz : Cleaned.
F:\Backup C drive Docs & Settings\Documents and Settings(2)\Windows XP_nov05\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/Service Pack Stuff.zip/XPKey.exe -> Trojan.Small.edz : Cleaned.
F:\Backup C drive Docs & Settings\Documents and Settings(2)\Windows XP_nov05\My Documents\Andrew's documents\Work\Applications.zip/Applications/XP Service Pack/XPKey.exe -> Trojan.Small.edz : Cleaned.


::Report end

=============================
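The O23 section of a HijackThis log is long and mostly legitimate, so the first pass is usually mechanical: pick out the services with no identifiable owner, a missing image file, an oddly written image path, or an image running from somewhere other than the Windows or Program Files trees. The following Python script is an added example (not code from the original post and not part of HijackThis); it parses O23 lines in the format shown above and reports those cases. Five of its sample lines are copied from the log above; the "Example Helper"/exhelper line and the list of expected directories are constructed for the example.

```python
"""Triage the O23 (Windows service) lines of a HijackThis log.

Added example: not code from the original thread, nor part of HijackThis.
An O23 line has the shape

    O23 - Service: <display name> (<short name>) - <owner> - <image path>

The short name is sometimes absent, and the path may end in "(file missing)".
"""
import re

_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)"   # display name, may itself contain (...)
    r"(?: \((?P<name>[^()]+)\))?"          # optional short service name
    r" - (?P<owner>.+?) - (?P<path>.+)$"   # company or "Unknown owner", then image path
)
_ENVVAR = re.compile(r"%\w+%")
# First image file on a command line: optional quotes, stop at .exe/.dll/.sys
_IMAGE = re.compile(r'^"?(?P<img>.+?\.(?:exe|dll|sys))"?(?:\s|$)', re.IGNORECASE)

# Where a service image normally lives on an XP box (8.3 forms included).
# Assumed for this example; extend it for the host under examination.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Five lines copied from the log above plus one constructed line
# ("Example Helper"/exhelper is made up) to show the unusual-directory case.
SAMPLE_LOG = [
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
    r"O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
    r"O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\All Users\Application Data\exhelper.exe",
]


def parse_o23(line):
    """Split one O23 line into its fields, or return None for any other line."""
    m = _O23.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["missing"] = rec["path"].endswith("(file missing)")
    if rec["missing"]:
        rec["path"] = rec["path"][: -len("(file missing)")].rstrip()
    return rec


def image_path(path):
    """Image file named on a service command line, without quotes or arguments."""
    m = _IMAGE.match(path.strip())
    return m.group("img") if m else path.strip()


def triage_o23(log_lines):
    """Return [(service name, [reasons])] for O23 entries worth a closer look."""
    findings = []
    for line in log_lines:
        rec = parse_o23(line)
        if rec is None:
            continue
        reasons = []
        if rec["owner"].lower() == "unknown owner":
            reasons.append("no identifiable owner")
        if rec["missing"]:
            reasons.append("image file missing")
        img = image_path(rec["path"])
        if _ENVVAR.search(img):
            # Service control manager does not expand %VAR% here; the entry was
            # written by hand or by a broken installer, and deserves a look.
            reasons.append("unexpanded %VAR% in image path")
        elif not img.lower().startswith(EXPECTED_ROOTS):
            reasons.append("image outside Windows/Program Files: " + img)
        if reasons:
            findings.append((rec["name"] or rec["display"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_o23(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons))
```

Run on the six sample lines it reports only rpcapd (unknown owner, file missing, unexpanded %ProgramFiles%) and the constructed exhelper entry; the McAfee, NVIDIA, Google and HP services pass. A vendor name in the owner field is a hint, not proof: it comes from the file's version resource, which anything can carry, so flagged entries are a reading order, not a verdict.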
04-04-2007, 06:54 PM   #16
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

There also seem to be a few svchost processes running, the largest taking 40 MB of memory. Is there some easy way to see what applications these relate to?
04-04-2007, 08:43 PM   #17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Quote:
Originally Posted by andrew.m View Post
Hi tetonbob.
Thanks for the links about ADStreams. Some good reading and now I know a lot more.

You're welcome.

I'm now having trouble with Spyware Guard. It comes up with a runtime error on every boot. I've tried a reinstall but that didn't fix it.

Exact error message, please?

The Sonic burning software that came with the Dell is also playing up, looking for an update program. It takes about 10 clicks of cancel buttons to get out of this. I've tried putting in the original CD, but this doesn't help. Maybe I should try an uninstall/reinstall?

Might be the thing to do....or see if this helps first:

To correct the problem, click the link below and perform the following steps.

1. Click the following link to access the hotfix from the Roxio website:

http://tools.roxio.com/support/dell/isum_hotfix.exe

The File Download - Security Warning window appears.
2. Click Run
The Internet Explorer - Security Warning window appears.
3. Click Run.
The Sonic - ISUM Hotfix Setup window appears.
4. Click Yes.
The Sonic - ISUM Hotfix Setup window appears.
5. Click Yes when the reboot prompt appears.

MSCONFIG method:

Click start then run, type msconfig then press enter and click on the startup tab.

See if you have these processes listed "issch" and "isuspm". If so, uncheck them, click apply and restart the computer.

When Windows gets to the desktop, tick do not start the configuration utility when Windows starts.


Outlook is now taking forever to load. The main window comes up immediately, but then the hourglass appears waiting for the preview pane to load. Maybe this is McAfee, which I updated a couple of weeks ago?

Could be....I can't see why anything we've done would affect Outlook. Perhaps one of the Windows Updates and McAfee aren't playing well together. I'd suggest you take that up with McAfee Support.

But the good news is that so far all the Windows updates run OK without crashing.

Had a bit of trouble with the AVG install - the "Resident Shield" said "NA", and could not be clicked. But the scan seemed to run OK.

Apologies....you had it installed already. Resident Shield times out after a trial period and is unavailable.

=============================
Quote:
Originally Posted by andrew.m View Post
There also seem to be a few svchost processes running, the largest taking 40 MB of memory. Is there some easy way to see what applications these relate to?

ProcessExplorer
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
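Process Explorer answers the svchost question from a GUI. The same mapping is available from the command line on XP: `tasklist /svc` prints, for every process, the service names it hosts, and a hosted service's actual code is the DLL named by its ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (`sc qc <name>` shows the host command line, `reg query ... /v ServiceDll` the DLL). The Python script below is an added example, not code from this thread or from any of the tools it mentions: it parses `tasklist /svc` output (including the wrapped continuation lines), groups services by svchost.exe PID, and flags hosted services whose ServiceDll could not be found or points outside the system directory. The sample output and the ServiceDll table are constructed for the example; netsvcx is an invented service name.

```python
"""Map each svchost.exe to the services it hosts, from `tasklist /svc` output.

Added example, not code from the original thread.  A svchost.exe instance is
only a host: the code it runs is the DLL named by each service's ServiceDll
registry value.  The sample output and DLL table below are constructed; on a
real machine read them with `tasklist /svc` and `reg query`.
"""
import re
from collections import OrderedDict

# Constructed sample of XP `tasklist /svc` output: image name, right-aligned
# PID, comma-separated service names, long lists wrapped onto indented lines.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   672 Eventlog, PlugPlay
svchost.exe                    936 DcomLaunch, TermService
svchost.exe                   1020 RpcSs
svchost.exe                   1100 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   Schedule, wuauserv, WZCSVC
svchost.exe                   1176 Dnscache
svchost.exe                   1824 netsvcx
explorer.exe                  1540 N/A
"""

# Constructed ServiceDll table keyed by service name.  'helpsvc' is left out
# on purpose to show an unresolved service; 'netsvcx' is an invented service
# whose DLL sits outside the system directory.
SAMPLE_SERVICE_DLLS = {
    "DcomLaunch": r"%SystemRoot%\system32\rpcss.dll",
    "TermService": r"%SystemRoot%\System32\termsrv.dll",
    "RpcSs": r"%SystemRoot%\system32\rpcss.dll",
    "AudioSrv": r"%SystemRoot%\System32\audiosrv.dll",
    "Browser": r"%SystemRoot%\System32\browser.dll",
    "CryptSvc": r"%SystemRoot%\System32\cryptsvc.dll",
    "Dhcp": r"%SystemRoot%\System32\dhcpcsvc.dll",
    "dmserver": r"%SystemRoot%\System32\dmserver.dll",
    "ERSvc": r"%SystemRoot%\System32\ersvc.dll",
    "EventSystem": r"%SystemRoot%\system32\es.dll",
    "lanmanserver": r"%SystemRoot%\System32\srvsvc.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuauserv.dll",
    "WZCSVC": r"%SystemRoot%\System32\wzcsvc.dll",
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "netsvcx": r"C:\Documents and Settings\All Users\Application Data\netsvcx.dll",
}

_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
_SYSROOT = re.compile(r"%SystemRoot%", re.IGNORECASE)


def _services(chunk):
    """Comma-separated service names from one (possibly wrapped) line."""
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return [(image, pid, [service, ...]), ...] in output order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # continuation of the previous row's list
            if rows:
                rows[-1][2].extend(_services(line))
            continue
        m = _ROW.match(line)
        if m:                          # header and separator lines carry no PID
            rows.append((m.group("image"), int(m.group("pid")), _services(m.group("svcs"))))
    return rows


def svchost_hosts(rows):
    """PID -> hosted service names, for svchost.exe instances only."""
    return OrderedDict((pid, svcs) for image, pid, svcs in rows
                       if image.lower() == "svchost.exe")


def review_hosted_services(hosts, service_dlls, system_root=r"C:\WINDOWS"):
    """Return (pid, service, reason) for hosted services worth a closer look:
    no ServiceDll value found, or a DLL outside <system_root>\\system32."""
    sysdir = (system_root + r"\system32").lower() + "\\"
    findings = []
    for pid, services in hosts.items():
        for svc in services:
            dll = service_dlls.get(svc)
            if dll is None:
                findings.append((pid, svc, "no ServiceDll value found"))
                continue
            resolved = _SYSROOT.sub(lambda m: system_root, dll)
            if not resolved.lower().startswith(sysdir):
                findings.append((pid, svc, "ServiceDll outside system32: " + resolved))
    return findings


if __name__ == "__main__":
    hosts = svchost_hosts(parse_tasklist_svc(SAMPLE_TASKLIST))
    for pid, svcs in hosts.items():
        print("svchost.exe PID %d hosts: %s" % (pid, ", ".join(svcs)))
    for pid, svc, reason in review_hosted_services(hosts, SAMPLE_SERVICE_DLLS):
        print("look at PID %d service %s: %s" % (pid, svc, reason))
```

The check is deliberately narrow: a DLL under system32 is not thereby clean, and a service with no ServiceDll may simply be one whose Parameters key was not read. What the output does give is a short list of (PID, service, DLL) triples to take into Process Explorer or an on-demand scanner, instead of "svchost.exe at 40 MB".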
Old 04-05-2007, 04:48 AM   #18 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 19
OS: XP


Re: Win32/rustock.gen!C and Window MSRT crashes

Hi again tetonbob.

The SpywareGuard run-time error is in attached file.

Installed the Sonic patch, but no joy. I found issch and isuspm in msconfig, unticked them and applied. But I got an Access Denied message saying that I needed to log on as an administrator. But I am logged on to the only account on my PC, and it is the administrator. I confirmed this in Control Panel > User Accounts. When it rebooted there was no option to tick to not start the configuration utility. The utility started itself, and issch and isuspm were still on the list, although unticked.

Did the HijackThis and AVG logs show anything of interest?
Attached Images
File Type: bmp Sonic Update Manager error.bmp (535.3 KB, 1 views)
File Type: bmp SpywareGuard run-time error.bmp (130.5 KB, 3 views)
04-05-2007, 08:10 AM   #19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Let's try to work on one error at a time.

Regarding the SpywareGuard error....did you reboot after uninstall? If not, uninstall, reboot, download afresh, and install. See if that clears it up.
04-05-2007, 08:54 AM   #20
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,613
OS: 2000 Pro; XP Pro; XP Home


Re: Win32/rustock.gen!C and Window MSRT crashes

Give this a try for the Sonic Update Manager error

From Sonic's FAQ:

http://support.sonic.com/desktop/faq...&product=mydvd

Why does the Update Manager try to update all of the time?
There are no separate user settings to limit the frequency with which Sonic Update Manager checks for updates. Within RecordNow though, it is possible to select whether or not the Sonic Update Manager will automatically check for updates when RecordNow launches. To disable that automatic check go through the following steps.

1. Start RecordNow.
2. Click on the Options (wrench) icon.
3. Click on "General."
4. Under "Startup," remove the checkmark from "Check for updates."
5. Click on "OK."

This can also be an error of the Sonic Update Manager (or "sgtray.exe" if using the Veritas version) unsuccessfully attempting to update itself. To update, remove this program using the "Add/Remove Programs" control panel. Then download the latest version here and install.
If you decide to permanently remove the Sonic Update Manager, it will not affect the performance of any Sonic software currently installed on the system.
Copyright 2001 - 2009, Tech Support Forum