#21
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Just to be on the safe side, I scanned that folder also - for Program Files.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 12:08:05
Records in database: 872350
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - Folder: C:\Program Files
Scan statistics:
Files scanned: 40169
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:17:59
No malware has been detected. The scan area is clean.
The selected area was scanned.
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years. William F. Buckley, Jr.
#22
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
So far, it is looking okay on this one acct I've been using throughout this process. (Editing earlier remarks because I spoke too soon, before I checked each acct thoroughly...) The other accts still have disabled display settings; that is what I have noticed so far. Does that mean those accts still have malware in their own settings somehow?
I assume I am safe to reinstall Adobe Flash from the pop-ups I keep getting whenever I open Internet Explorer? And do the now-clean Kaspersky reports mean that I am clear of viruses sending spam from Thunderbird email? Also... if I have a home network, is the other computer possibly infected by this one? Or is that just a whole new set of malware problems? That one is showing some odd signs now as well (missing desktop tabs also, for starters) but not the blue screen/bugs this one started with.
Last edited by mrskoz; 06-16-2008 at 03:53 PM.
#23
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
The Christopher account is clean now. However, some infections do pass to the other computers in the network. Let's have a look at them too.
===========================
Run HijackThis from each account and post the logs please.
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
#24
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Hi, thank you again for your patience with me... just so I am clear on your instructions (and that I was clear to you before as well...): you want me to run HijackThis on the other XP accounts on the originally infected computer (desktop), right?
And for the other computer in the network (laptop) that is showing signs of some infection, I should download and run dss.exe on that one?
#25
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Let's check the other accounts on the computer that we've been working on first by running the DSS with the above instructions to produce extra.txt only (I don't need the main.txt) and a HijackThis log from each account.
When we are done with that you can run DSS.exe on the other computer and post both the main.txt and the extra.txt.
#26
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Okay, thank you, will do & post back asap.
#27
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Okay, here is the DSS extra log, then the hijackthis will follow for this acct (Christopher)... as well as the other 3 XP accts. Continued thanks!
Security\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [SUPERAntiSpyware] H:\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-21-1214440339-1343024091-1801674531-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'CHRISTOPHER') O4 - HKUS\S-1-5-21-1214440339-1343024091-1801674531-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'CHRISTOPHER') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- End of file - 4943 bytes ******************************************************* ******************************************************* ******************************************************* XP Acct Brittney Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:18:40 AM, on 6/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\ESET\ESET Smart Security\ekrn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\userinit.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WDBtnMgr.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ESET\ESET Smart Security\egui.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice O4 - HKUS\S-1-5-21-1214440339-1343024091-1801674531-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'CHRISTOPHER') O4 - HKUS\S-1-5-21-1214440339-1343024091-1801674531-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'CHRISTOPHER') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- End of file - 4730 bytes ******************************* ******************************* ******************************* XP Acct Lauryn (this is a restricted acct, not an administrator, which may have caused error msgs in hijackthis relating to the hosts file?) 
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:22:32 AM, on 6/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WDBtnMgr.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ESET\ESET Smart Security\egui.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shopformusic.microsoft.com/sh...++650551&name= O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] 
C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- End of file - 4177 bytes
#28
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
All of these HijackThis logs appear to be clean.
__________________
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
#29
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
Here are the logs for the 2 XP accounts that are missing the desktop & screensaver tabs in the display settings:
Deckard's System Scanner v20071014.68 Run by BRITTNEY on 2008-06-17 07:30:51
Deckard's System Scanner v20071014.68 Run by GENEVIEVE on 2008-06-17 07:34:03
Files\dl_Cats 2008-05-20 06:41:18 0 d-------- C:\Program Files\Picasa2 2008-05-15 09:16:32 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\HPAppData 2008-05-12 13:25:47 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\.purple 2008-05-01 06:28:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-04-30 09:05:10 85 --a------ C:\WINDOWS\popcinfo.dat 2008-04-29 12:33:37 137447 --a------ C:\WINDOWS\HPHins15.dat 2008-04-29 12:29:29 0 d-------- C:\Program Files\HP 2008-04-29 12:26:29 0 d-------- C:\Program Files\Common Files\HP 2008-04-23 10:49:28 0 d-------- C:\Documents and Settings\GENEVIEVE\Application Data\Adobe 2008-03-18 19:36:14 36734 --a------ C:\WINDOWS\system32\OggDSuninst.exe -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WD Button Manager"="WDBtnMgr.exe" [03/18/2007 07:59 PM C:\WINDOWS\system32\WDBtnMgr.exe] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/07/2007 04:24 PM] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [03/11/2003 05:24 PM] "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [08/19/2003 11:43 AM] "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [02/07/2007 04:21 PM] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 11:35 AM] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 11:36 AM] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 11:32 AM] "FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [12/12/2006 04:22 AM] "dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe" [01/12/2007 01:21 PM] "CmPCIaudio"="CMICNFG3.CPL" [] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM] 
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM] "egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="H:\SUPERAntiSpyware\SUPERAntiSpyware.exe" [] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=0 (0x0) "NoDispAppearancePage"=0 (0x0) "NoColorChoice"=0 (0x0) "NoSizeChoice"=0 (0x0) "NoDispBackgroundPage"=1 (0x1) "NoDispScrSavPage"=1 (0x1) "NoDispCPL"=0 (0x0) "NoVisualStyleChoice"=0 (0x0) "NoDispSettingsPage"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktop"=0 (0x0) "NoSaveSettings"=0 (0x0) "NoThemesTab"=0 (0x0) "ForceActiveDesktopOn"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ZuneNetworkSvc"=2 (0x2) "Bonjour Service"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] hpdevmgmt hpqcxs08 hpqddsvc -- End of Deckard's System Scanner: finished at 2008-06-17 07:34:57 ------------
#30
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
I am sure it isn't related to the display settings problem, but I noticed the following entry, "C:\Documents and Settings\GENEVIEVE\Application Data\uTorrent", so I deleted that folder, as well as another folder referencing a program I also no longer have on the computer: Nero.
#31
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi again,
You might like to delete it from the CHRISTOPHER account too: C:\Documents and Settings\CHRISTOPHER\Application Data\uTorrent

================================

Please log into the Brittney account. Open Notepad. It must be Notepad, not WordPad. Copy and paste the text inside the code box below into Notepad, including the blank line at the end. Make sure that word wrap is turned off in Notepad: click the Format menu and uncheck Word Wrap. Choose File, Save As and set the file type to All Files. Type fixreg.reg in the file name and save it to your desktop. It should look like this:

[screenshot not reproduced]

[code box not reproduced]

Make sure there IS one blank line at the end of the file. Close Notepad. Make sure that all windows are closed. Find the fixreg.reg file on your desktop. Double-click it. It will then ask if you want the file merged to your registry. Answer yes.

=====================================

Next, log into the Genevieve account and do the same.

===================================

Reboot your computer.

===================================

See if you have the desktop & screensaver tabs back in those accounts and let me know. You can delete the fixreg.reg files from the desktops.
My services are free. However, you can donate to TSF to help keep it running. Member of ASAP since 2005. Member of UNITE since 2006.
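The .reg merge in the post above works by resetting Explorer and System policy values that hide the Display Properties tabs (the registry dump posted earlier in the thread showed NoDispBackgroundPage and NoDispScrSavPage set to 1 under HKCU\...\policies\system). As an added example, not the moderator's fixreg.reg (whose contents are not reproduced on this page), the Python below reads a Deckard's System Scanner style registry dump, flags the known lockdown policies that are set non-zero and emits the matching .reg text with the trailing blank line the post insists on; the dump it parses is constructed, and the list of watched policy names is my own selection.

```python
"""Find malware-style lockdown policies in a Deckard's System Scanner (DSS)
registry dump and build the .reg text that resets them to 0.

Added example, not the moderator's fixreg.reg.  SAMPLE_DUMP below is a
constructed excerpt in the format DSS prints ("Name"=N (0xN) under [key]).
"""
import re
from collections import OrderedDict

# A DSS dump prints the key in square brackets, then one value per line.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# DWORD values look like  "NoDispScrSavPage"=1 (0x1)  ; string values and the
# "[date path]" suffix DSS adds to Run entries do not match this pattern.
DWORD_RE = re.compile(r'^"([^"]+)"=(\d+) \(0x[0-9A-Fa-f]+\)$')

# Policies (assumed selection) whose non-zero value hides Display Properties
# tabs or disables admin tools.  Keys are compared case-insensitively, since
# registry key names are case-insensitive and DSS prints them in lower case.
RESTRICTIVE_POLICIES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system": {
        "DisableTaskMgr", "NoDispBackgroundPage", "NoDispScrSavPage",
        "NoDispCPL", "NoDispAppearancePage", "NoDispSettingsPage",
    },
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system": {
        "DisableRegistryTools",
    },
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer": {
        "NoActiveDesktop", "NoSaveSettings", "NoThemesTab",
    },
}

# Constructed sample dump: two display tabs hidden, everything else normal.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"NoDispCPL"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"""


def find_restrictions(dump_text):
    """Return [(key, value_name, number)] for watched policies set non-zero."""
    findings = []
    current_key = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None:          # value line before any key header
            continue
        watched = RESTRICTIVE_POLICIES.get(current_key.lower())
        if not watched:
            continue
        val_match = DWORD_RE.match(line)
        if val_match and val_match.group(1) in watched:
            number = int(val_match.group(2))
            if number != 0:
                findings.append((current_key, val_match.group(1), number))
    return findings


def build_fixreg(findings):
    """Render regedit-mergeable text that sets every finding back to 0.

    Returns "" when there is nothing to fix.  The text ends with one blank
    line, which regedit requires after the last value.
    """
    if not findings:
        return ""
    by_key = OrderedDict()
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines) + "\n"


def write_fixreg(path, reg_text):
    """Save with CRLF line endings, as Notepad would, so regedit parses it."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write(reg_text)


if __name__ == "__main__":
    hits = find_restrictions(SAMPLE_DUMP)
    for key, name, value in hits:
        print(f"{key}\\{name} = {value}")
    print(build_fixreg(hits))
```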
#32
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
And.. it's all working again! No more display setting problems, and I will just reinstall my printer to get that working again now that I know this computer is all clean.. thank you!!!!

Questions related to your post about protection/prevention.. and overkill? For protection on this computer I have: ESET NOD32 for antivirus & firewall. I have installed SpywareBlaster now (it works!) instead of Spybot Search & Destroy... and is Ad-Aware necessary? Re: Microsoft updates, is SP3 required or recommended? And is ATF Cleaner the same as CCleaner or different? We normally use Firefox to browse and I updated all XP accounts with the NoScript & FlashBlock extensions as well as updating the IE settings you recommended earlier.

Now.. should I start a new thread for the other computer on my home network that may or may not have been infected by this one? I would be more than happy to do that as I assume I should start with the 5 steps on that one next. You've been exceptionally patient & attentive to my problem, and I don't want to hog up all your resources when I know how busy you are. Thank you again VERY much.
#33
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
#34
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Hi again,
I've run the five steps, short of updating to SP3 until I am sure this machine isn't infected by the original computer over the home network. Before I ran any logs I removed old programs/remnants as you recommended on the other computer, but noticed they are still showing in the logs along with some others that haven't been on the machine in quite some time: mostly antivirus & security programs? I've tried to remove them in the past, but they still show up in the start-up and in Task Manager sometimes as well? I am having a hard time tracking them down for you.

This computer's problems were originally disabled display settings as well on my XP account (which I frequently used to access the other computer over the network), military time on the computer's clock & frequent BSODs. I am guessing the BSOD is an issue unrelated to malware? It even happened twice during the 5 steps process here, so I am not sure what is causing it yet. Here is the info:

Deckard's System Scanner v20071014.68
Run by Genevieve on 2008-06-18 09:36:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
112: 2008-06-17 19:41:29 UTC - RP786 - Deckard's System Scanner Restore Point
111: 2008-06-17 15:58:25 UTC - RP785 - Removed SUPERAntiSpyware Free Edition
110: 2008-06-17 11:51:26 UTC - RP784 - Software Distribution Service 3.0
109: 2008-06-17 02:37:17 UTC - RP783 - System Checkpoint
108: 2008-06-16 01:58:57 UTC - RP782 - Removed AOLIcon

-- First Restore Point --
1: 2008-03-20 21:42:15 UTC - RP675 - System Checkpoint

Performed disk cleanup.
Files\Knowledge Adventure
2008-06-10 12:26:18 0 d-------- C:\Documents and Settings\Genevieve\Application Data\OpenOffice.org2
2008-06-05 22:19:20 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-04 07:41:49 224290 --a------ C:\Documents and Settings\Genevieve\Application Data\CleanUp!.log
2008-05-25 22:16:51 0 d-------- C:\Documents and Settings\Genevieve\Application Data\gtk-2.0
2008-05-12 16:30:12 0 d-------- C:\Documents and Settings\Genevieve\Application Data\Real
2008-05-11 01:00:12 0 d-------- C:\Program Files\Common Files\Real
2008-05-11 00:53:31 0 d-------- C:\Program Files\1st Page 2000
2008-04-25 12:18:39 0 d-------- C:\Program Files\Apple Software Update

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-19 05:38]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-19 05:42]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 04:41]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 23:35 C:\WINDOWS\stsystra.exe]
"NWEReboot"="" []
"Dl"="C:\Program Files\svehost.exe" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

C:\Documents and Settings\Genevieve\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-08-17 13:43:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682b5742-8eb9-11dc-b027-001422ef8271}]
AutoRun\command- E:\wd_windows_tools\setup.exe

-- End of Deckard's System Scanner: finished at 2008-06-18 09:38:54 ------------
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years. William F. Buckley, Jr.
#35
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
One item, svehost.exe, in your log appears to be a variant of a known malware, i.e. a backdoor trojan. Please disconnect this PC from the Internet until it's clean. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be prudent to contact those same financial institutions to apprise them of your situation.

Scan with HijackThis and put a checkmark against the following entries:

O4 - HKLM\..\Run: [Dl] C:\Program Files\svehost.exe
O4 - Startup: PowerReg Scheduler.exe

Close all browsers and windows other than HijackThis and click on "fix checked".

============================

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
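The triage in the post above, noticing that svehost.exe is one letter away from svchost.exe and that it is launched from an unusual place, can be partly automated when a log is long. The script below is an added example written for this page, not a tool from the thread, from TSF or from Trend Micro. It applies four heuristics to HijackThis O4 lines: edit distance of the file name to well-known Windows binaries, a genuine system-binary name running from somewhere other than system32, an executable sitting directly in the Program Files root or in a Temp folder, and a Run value under a service-account hive (S-1-5-19, S-1-5-20). The list of system binaries, the distance threshold of 2 and the last sample line (a Temp-folder svchost.exe) are this example's assumptions and constructed data; the other sample lines are copied from the logs in this thread.

```python
import re

# Windows binaries that malware likes to imitate by name; the list and the
# edit-distance threshold below are this example's assumptions, not a standard.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe", "rundll32.exe",
}
SYSTEM32 = "c:\\windows\\system32"
SERVICE_ACCOUNT_HIVES = ("hkus\\s-1-5-19\\", "hkus\\s-1-5-20\\")  # LOCAL SERVICE, NETWORK SERVICE

# HijackThis O4 line: "O4 - <location>: [<value name>] <command>"; Startup items have no [name]
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$")
EXE_RE = re.compile(r'"(?P<quoted>[^"]+\.exe)"|(?P<drive>[a-z]:\\.*?\.exe)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; svehost.exe is one edit away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(rest: str) -> str:
    """Pull the launched program out of the command text (quoted path, drive path, or bare name)."""
    m = EXE_RE.search(rest)
    if m:
        return m.group("quoted") or m.group("drive")
    return rest.split(" (User ")[0].strip()


def triage_o4(line: str) -> list:
    """Return the reasons an O4 line deserves a second look; an empty list means nothing odd was seen."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    loc = m.group("loc").lower()
    path = executable_path(m.group("rest")).lower()
    parent, _, basename = path.rpartition("\\")
    reasons = []

    if basename in SYSTEM_BINARIES:
        if parent and parent != SYSTEM32:
            reasons.append(f"{basename} is a system binary name but runs from {parent}")
    else:
        closest = min(SYSTEM_BINARIES, key=lambda k: levenshtein(basename, k))
        if levenshtein(basename, closest) <= 2:
            reasons.append(f"{basename} looks like a misspelling of {closest}")

    if parent == "c:\\program files":
        reasons.append("executable sits directly in the Program Files root, not in a vendor folder")
    if "\\temp\\" in path:
        reasons.append("executable is launched from a Temp directory")
    if loc.startswith(SERVICE_ACCOUNT_HIVES):
        reasons.append(f"Run value under a service-account hive ({m.group('loc')})")
    return reasons


def flagged_entries(lines) -> dict:
    """Map each flagged value name (or the Startup item text) to its list of reasons."""
    out = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            m = O4_RE.match(line.strip())
            out[m.group("name") or m.group("rest")] = reasons
    return out


# Sample lines: the first four are copied from the logs in this thread; the last one is
# constructed to show a real system-binary name running from a user's Temp folder.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Dl] C:\Program Files\svehost.exe",
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice',
    r"O4 - HKUS\S-1-5-20\..\Run: [_mzu_stonedrv7] C:\WINDOWS\system32\_mzu_stonedrv7.exe (User 'NETWORK SERVICE')",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
]

if __name__ == "__main__":
    for name, reasons in flagged_entries(SAMPLE_O4_LINES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Running it flags Dl (misspelling of svchost.exe, Program Files root), _mzu_stonedrv7 (service-account hive) and the constructed Temp-folder svchost. PowerReg Scheduler.exe, which the analyst also asked to fix, trips none of these rules: heuristics like these shorten the list for a reviewer, they do not replace knowledge of specific families.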
#36
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Hi,
And I actually thought this one was better than the first, that was rather alarming! I followed your instructions, including getting off the web. I did reconnect to post the logs you required. here goes.. the logs are below... &&&&&&&&&&&&&&&&&&&&&&&&&& ComboFix 08-06-16.5 - Genevieve 2008-06-18 13:46:15.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -4:00] Running from: C:\Documents and Settings\Genevieve\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Genevieve\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point * Resident AV is active . ((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 ))))))))))))))))))))))))))))))) . 2008-06-17 15:40 . 2008-06-17 15:40 <DIR> d-------- C:\Deckard 2008-06-11 17:06 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 17:06 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-09 11:41 . 2008-06-09 11:41 <DIR> d-------- C:\Program Files\Attractel 2008-06-05 22:25 . 2008-06-05 22:25 <DIR> d-------- C:\Program Files\MSBuild 2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\WINDOWS\system32\XPSViewer 2008-06-05 22:21 . 2008-06-05 22:21 <DIR> d-------- C:\Program Files\Reference Assemblies 2008-06-05 22:20 . 2008-06-05 22:20 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-06-05 22:20 . 2008-06-05 22:20 <DIR> d-------- C:\b7d1273ec74308c1bcfdcfe654dc5bde 2008-06-05 22:20 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2008-06-05 22:12 . 2006-11-13 02:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll 2008-06-05 22:12 . 2006-11-13 02:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll 2008-06-05 22:12 . 2006-11-13 02:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll 2008-06-05 21:55 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-06-05 21:55 . 
2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-06-05 21:55 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-06-05 21:55 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-06-05 21:55 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-06-05 21:55 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-06-05 21:55 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll 2008-06-05 21:55 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-06-05 21:55 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-05 21:40 . 2008-06-14 21:47 1,374 --a------ C:\WINDOWS\imsins.BAK 2008-06-05 21:39 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2008-06-05 21:26 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com 2008-06-05 21:25 . 2008-06-06 00:11 48,271 --a------ C:\MGlogs.zip 2008-06-05 18:21 . 2008-06-05 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-05 17:27 . 2008-06-05 17:27 1,240,104 --a------ C:\MGtools.exe 2008-06-05 17:10 . 2008-06-05 17:10 <DIR> d-------- C:\Documents and Settings\Lauryn\Application Data\ESET 2008-06-05 17:08 . 2008-06-05 17:08 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\ESET 2008-06-05 17:05 . 2008-06-05 17:05 <DIR> d-------- C:\Documents and Settings\Brittney\Application Data\ESET 2008-06-05 16:57 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-06-05 16:55 . 2008-06-05 16:55 <DIR> d-------- C:\Program Files\Common Files\Java 2008-06-04 17:23 . 2008-06-04 17:23 <DIR> d-------- C:\Documents and Settings\Genevieve\Application Data\ESET 2008-06-04 17:22 . 2008-06-04 17:22 <DIR> d-------- C:\Program Files\ESET 2008-06-04 17:22 . 
2008-06-04 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET 2008-06-04 12:19 . 2008-06-04 12:19 <DIR> d-------- C:\ie-spyad_zo 2008-06-04 12:18 . 2008-06-17 16:25 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-06-03 09:31 . 2008-06-03 09:31 <DIR> d-------- C:\Program Files\Panda Security 2008-05-31 21:44 . 2008-06-05 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-18 17:31 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\.purple 2008-06-17 20:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-17 15:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-17 15:49 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\Lavasoft 2008-06-17 15:36 --------- d-----w C:\Program Files\PhotoRescue Pro 2008-06-16 23:38 --------- d-----w C:\Documents and Settings\Brittney\Application Data\.purple 2008-06-16 02:11 --------- d-----w C:\Program Files\Java 2008-06-16 02:10 --------- d-----w C:\Program Files\Common Files\Knowledge Adventure 2008-06-12 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro 2008-06-10 16:26 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\OpenOffice.org2 2008-06-06 02:25 4,666 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP 2008-06-06 02:19 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-06-04 11:40 --------- d-----w C:\Program Files\CleanUp! 
2008-05-26 02:16 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\gtk-2.0 2008-05-11 05:00 --------- d-----w C:\Program Files\Common Files\Real 2008-05-11 04:53 --------- d-----w C:\Program Files\1st Page 2000 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2008-04-25 16:18 --------- d-----w C:\Program Files\Apple Software Update 2008-04-25 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple 2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-04-20 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys 2008-03-05 18:41 69,992 ----a-w C:\Documents and Settings\Genevieve\Application Data\GDIPFONTCACHEV1.DAT 2007-12-23 00:09 47,360 ----a-w C:\Documents and Settings\Genevieve\Application Data\pcouffin.sys 2007-12-22 22:02 87,608 ----a-w C:\Documents and Settings\Genevieve\Application Data\ezpinst.exe 2007-11-05 01:32 69,976 ----a-w C:\Documents and Settings\Brittney\Application Data\GDIPFONTCACHEV1.DAT 2006-06-25 23:38 152 --sh--r C:\WINDOWS\system32\10C1754A1D.sys 2006-06-25 23:38 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-19 05:38 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-19 05:42 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 04:41 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 23:35 397312 C:\WINDOWS\stsystra.exe]
"NWEReboot"="" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15 366400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682b5742-8eb9-11dc-b027-001422ef8271}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 01:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 13:49:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 13:49:48
ComboFix-quarantined-files.txt 2008-06-18 17:49:44
ComboFix2.txt 2008-06-06 01:08:38
ComboFix3.txt 2007-12-26 20:51:58

Pre-Run: 18,256,019,456 bytes free
Post-Run: 18,241,781,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

165 --- E O F --- 2008-06-17 11:53:05

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51, on 2008-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=21871
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 5807 bytes
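With the post-fix logs in hand, the check an analyst actually performs is a comparison of the autostart inventory before and after, followed by a pass over the new ComboFix log for conditions that still need attention. The script below is an added example written for this page; it is not part of ComboFix, Deckard's System Scanner or HijackThis. It parses the `"name"="command" [metadata]` values of both tools' registry dumps, reports values that disappeared or appeared, lists values whose bracket is empty (in the logs above those are the leftover Zone Labs and Symantec entries whose files the O23 lines report as missing), and warns when the Windows Firewall standard profile is off, when a removable-drive AutoRun handler is still registered, or when the boot-disk file passed to ComboFix is for a different XP edition than the one the log header reports, which is the mismatch that led to the re-run in post #40. The two snapshots are abridged from the DSS and ComboFix output in this thread with the user name removed; reading an empty bracket as "file not found" and the edition-matching rule are this example's assumptions.

```python
import re

# One Run-key value as DSS and ComboFix print it: "name"="command" [file metadata]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
KEY_RE = re.compile(r"^\[(?P<key>(?:HKEY_|HKLM|HKCU)[^\]]*)\]$", re.IGNORECASE)
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<val>\d+)')
AUTORUN_RE = re.compile(r"AutoRun\\command\s*-\s*(?P<cmd>.+)$")
OS_RE = re.compile(r"^Microsoft Windows XP (?P<edition>Home|Professional)\b")
BOOTDISK_RE = re.compile(r"KB310994-SP\d-(?P<edition>Home|Pro)-BootDisk", re.IGNORECASE)
EDITION_OF_DISK = {"home": "Home", "pro": "Professional"}  # assumption: disk tag -> header edition


def parse_autostarts(text: str) -> dict:
    """Map (run key, value name) -> (command, metadata) for every Run-key value in a dump."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key").lower()
            continue
        v = RUN_VALUE_RE.match(line)
        if v and key and key.endswith("\\run"):
            entries[(key, v.group("name"))] = (v.group("cmd"), v.group("meta").strip())
    return entries


def verify_cleanup(before: str, after: str) -> dict:
    """Diff two autostart dumps and collect conditions in the newer log that still need attention."""
    old, new = parse_autostarts(before), parse_autostarts(after)
    report = {
        "removed": sorted(name for (_key, name) in old.keys() - new.keys()),
        "added": sorted(name for (_key, name) in new.keys() - old.keys()),
        # Empty brackets: the tool found no file behind the command (orphaned entry or deleted payload)
        "file_missing": sorted(name for (_key, name), (cmd, meta) in new.items() if cmd and not meta),
        "warnings": [],
    }
    os_edition = disk_edition = None
    for raw in after.splitlines():
        line = raw.strip()
        if (m := OS_RE.match(line)):
            os_edition = m.group("edition")
        if (m := BOOTDISK_RE.search(line)):
            disk_edition = EDITION_OF_DISK[m.group("edition").lower()]
        if (m := FIREWALL_RE.match(line)) and m.group("val") == "0":
            report["warnings"].append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
        if (m := AUTORUN_RE.search(line)):
            report["warnings"].append(f"removable-media AutoRun handler still registered: {m.group('cmd').strip()}")
    if os_edition and disk_edition and os_edition != disk_edition:
        report["warnings"].append(
            f"boot disk is for XP {disk_edition} but the log header reports XP {os_edition}; "
            "the Recovery Console must be reinstalled from the matching edition"
        )
    return report


# Abridged from the DSS registry dump posted before the fix (constructed subset of this thread's log)
BEFORE_SNAPSHOT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41]
"NWEReboot"="" []
"Dl"="C:\Program Files\svehost.exe" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
'''

# Abridged from the ComboFix log posted after the fix (constructed subset, user name removed)
AFTER_SNAPSHOT = r'''
ComboFix 08-06-16.5 - 2008-06-18 13:46:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -4:00]
Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41 98304]
"NWEReboot"="" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
'''

if __name__ == "__main__":
    for section, items in verify_cleanup(BEFORE_SNAPSHOT, AFTER_SNAPSHOT).items():
        print(f"{section}: {items}")
```

On these snapshots the report shows Dl removed and nothing added, lists Zone Labs Client and ccApp as entries with no file behind them, and raises three warnings: the firewall profile is disabled (ZoneAlarm replaced it, but its file is gone too), the E:\setup.exe AutoRun handler is still registered, and the Home boot disk does not match the Professional header. The diff is only as good as the two dumps it is given, so keep the pre-fix log rather than relying on memory of what was there.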
#37
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
Hi Genevieve,

To remove the RC installed by CF, delete the following files/folders:

C:\cmdcons
C:\cmldr

Next,
#38
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Geeze I am sorry.
I own XP Home for the other computer, but this one was pre-installed so I never gave it a second thought. Will correct shortly.
#39
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,296
OS: XP SP3
Re: 2nd thread, malware: blue screen, bugs & more
No problem.
I am checking the log in the meantime.
#40
Registered User
Join Date: May 2005
Posts: 35
OS: XP
Re: 2nd thread, malware: blue screen, bugs & more
Okay, sheepish me has another log for you.. sorry again...
ComboFix 08-06-16.5 - Genevieve 2008-06-18 15:37:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT -4:00]
Running from: C:\Documents and Settings\Genevieve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Genevieve\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active
.
(((((((((((((((((((((((((   Files Created from 2008-05-18 to 2008-06-18   )))))))))))))))))))))))))))))))
.
2008-06-17 15:40 . 2008-06-17 15:40  <DIR>      d--------  C:\Deckard
2008-06-11 17:06 . 2008-04-14 07:01  272,128    ---------  C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 17:06 . 2008-04-14 07:01  272,128    ---------  C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 11:41 . 2008-06-09 11:41  <DIR>      d--------  C:\Program Files\Attractel
2008-06-05 22:25 . 2008-06-05 22:25  <DIR>      d--------  C:\Program Files\MSBuild
2008-06-05 22:23 . 2008-06-05 22:23  <DIR>      d--------  C:\WINDOWS\system32\XPSViewer
2008-06-05 22:21 . 2008-06-05 22:21  <DIR>      d--------  C:\Program Files\Reference Assemblies
2008-06-05 22:20 . 2008-06-05 22:20  <DIR>      d--------  C:\Program Files\MSXML 6.0
2008-06-05 22:20 . 2008-06-05 22:20  <DIR>      d--------  C:\b7d1273ec74308c1bcfdcfe654dc5bde
2008-06-05 22:20 . 2006-06-29 13:07  14,048     ---------  C:\WINDOWS\system32\spmsg2.dll
2008-06-05 22:12 . 2006-11-13 02:02  288,768    ---------  C:\WINDOWS\system32\rhttpaa.dll
2008-06-05 22:12 . 2006-11-13 02:02  116,736    ---------  C:\WINDOWS\system32\aaclient.dll
2008-06-05 22:12 . 2006-11-13 02:02  36,352     ---------  C:\WINDOWS\system32\tsgqec.dll
2008-06-05 21:55 . 2008-04-23 00:16  6,066,176  ---------  C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-05 21:55 . 2007-04-17 05:32  2,455,488  ---------  C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-05 21:55 . 2007-03-08 01:10  991,232    ---------  C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-05 21:55 . 2008-04-23 00:16  459,264    ---------  C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-05 21:55 . 2008-04-23 00:16  383,488    ---------  C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-05 21:55 . 2008-04-23 00:16  267,776    ---------  C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-05 21:55 . 2008-04-23 00:16  63,488     ---------  C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-05 21:55 . 2008-04-23 00:16  52,224     ---------  C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-05 21:55 . 2008-04-22 03:39  13,824     ---------  C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-05 21:40 . 2008-06-14 21:47  1,374      --a------  C:\WINDOWS\imsins.BAK
2008-06-05 21:39 . 2007-07-09 09:09  584,192    ---------  C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-05 21:26 . 2005-01-13 22:41  11,254     --a------  C:\WINDOWS\system32\locate.com
2008-06-05 21:25 . 2008-06-06 00:11  48,271     --a------  C:\MGlogs.zip
2008-06-05 18:21 . 2008-06-05 18:21  <DIR>      d--------  C:\Program Files\Spybot - Search & Destroy
2008-06-05 17:27 . 2008-06-05 17:27  1,240,104  --a------  C:\MGtools.exe
2008-06-05 17:10 . 2008-06-05 17:10  <DIR>      d--------  C:\Documents and Settings\Lauryn\Application Data\ESET
2008-06-05 17:08 . 2008-06-05 17:08  <DIR>      d--------  C:\Documents and Settings\Christopher\Application Data\ESET
2008-06-05 17:05 . 2008-06-05 17:05  <DIR>      d--------  C:\Documents and Settings\Brittney\Application Data\ESET
2008-06-05 16:57 . 2008-03-25 02:37  69,632     --a------  C:\WINDOWS\system32\javacpl.cpl
2008-06-05 16:55 . 2008-06-05 16:55  <DIR>      d--------  C:\Program Files\Common Files\Java
2008-06-04 17:23 . 2008-06-04 17:23  <DIR>      d--------  C:\Documents and Settings\Genevieve\Application Data\ESET
2008-06-04 17:22 . 2008-06-04 17:22  <DIR>      d--------  C:\Program Files\ESET
2008-06-04 17:22 . 2008-06-04 17:22  <DIR>      d--------  C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 12:19 . 2008-06-04 12:19  <DIR>      d--------  C:\ie-spyad_zo
2008-06-04 12:18 . 2008-06-17 16:25  <DIR>      d--------  C:\Program Files\SpywareBlaster
2008-06-03 09:31 . 2008-06-03 09:31  <DIR>      d--------  C:\Program Files\Panda Security
2008-05-31 21:44 . 2008-06-05 20:37  <DIR>      d--------  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 19:36  ---------  d-----w  C:\Documents and Settings\Genevieve\Application Data\.purple
2008-06-17 20:25  ---------  d---a-w  C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-17 15:58  ---------  d-----w  C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 15:49  ---------  d-----w  C:\Documents and Settings\Genevieve\Application Data\Lavasoft
2008-06-17 15:36  ---------  d-----w  C:\Program Files\PhotoRescue Pro
2008-06-16 23:38  ---------  d-----w  C:\Documents and Settings\Brittney\Application Data\.purple
2008-06-16 02:11  ---------  d-----w  C:\Program Files\Java
2008-06-16 02:10  ---------  d-----w  C:\Program Files\Common Files\Knowledge Adventure
2008-06-12 11:42  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-06-10 16:26  ---------  d-----w  C:\Documents and Settings\Genevieve\Application Data\OpenOffice.org2
2008-06-06 02:25  4,666      ----a-w  C:\WINDOWS\system32\PerfStringBackup.TMP
2008-06-06 02:19  ---------  d-----w  C:\Program Files\Windows Media Connect 2
2008-06-04 11:40  ---------  d-----w  C:\Program Files\CleanUp!
2008-05-26 02:16  ---------  d-----w  C:\Documents and Settings\Genevieve\Application Data\gtk-2.0
2008-05-11 05:00  ---------  d-----w  C:\Program Files\Common Files\Real
2008-05-11 04:53  ---------  d-----w  C:\Program Files\1st Page 2000
2008-05-08 12:28  202,752    ----a-w  C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28  202,752    ------w  C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55  1,288,192  ----a-w  C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55  1,288,192  ------w  C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-25 16:18  ---------  d-----w  C:\Program Files\Apple Software Update
2008-04-25 16:18  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Apple
2008-04-24 02:16  3,591,680  ----a-w  C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40  625,664    ------w  C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39  70,656     ------w  C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-20 05:07  161,792    ------w  C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-20 01:49  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-27 08:12  151,583    ----a-w  C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12  151,583    ------w  C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47  1,845,248  ----a-w  C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47  1,845,248  ------w  C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-05 18:41  69,992     ----a-w  C:\Documents and Settings\Genevieve\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 00:09  47,360     ----a-w  C:\Documents and Settings\Genevieve\Application Data\pcouffin.sys
2007-12-22 22:02  87,608     ----a-w  C:\Documents and Settings\Genevieve\Application Data\ezpinst.exe
2007-11-05 01:32  69,976     ----a-w  C:\Documents and Settings\Brittney\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 23:38  152        --sh--r  C:\WINDOWS\system32\10C1754A1D.sys
2006-06-25 23:38  7,518      --sha-w  C:\WINDOWS\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((   snapshot@2008-06-18_13.49.35.82   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-18 17:59:03  16,384  ----atw  C:\WINDOWS\temp\Perflib_Perfdata_1e8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-19 05:38 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-19 05:42 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 04:41 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 23:35 397312 C:\WINDOWS\stsystra.exe]
"NWEReboot"="" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15 366400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE  REG_MULTI_SZ  QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682b5742-8eb9-11dc-b027-001422ef8271}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 01:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 15:41:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 15:43:41
ComboFix-quarantined-files.txt  2008-06-18 19:42:42
ComboFix2.txt  2008-06-18 17:49:49
ComboFix3.txt  2008-06-06 01:08:38
ComboFix4.txt  2007-12-26 20:51:58

Pre-Run: 18,376,380,416 bytes free
Post-Run: 18,351,132,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

170  --- E O F ---  2008-06-17 11:53:05
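The log above is long, and the parts a helper actually reads first are a few lines in the "Reg Loading Points" section: autostart entries whose file ComboFix could not find, AutoRun commands bound to removable-media mount points, and the Windows Firewall state. As an added example (my own code, not part of the forum post and not ComboFix's own tooling), the Python script below parses that section and lists those items. The sample input is an excerpt of the posted log, trimmed to the relevant lines. Two points are my reading of the log format rather than documented fact: that empty square brackets after a Run value or service mean ComboFix found no file at that path, and that a bare path under `\Shell\AutoRun\command` is the literal command the mount point would run. The output is a review list, not a malware verdict; KGyGaAvL.sys and the ZoneAlarm/Symantec leftovers in the full log are exactly the kind of thing a human still has to judge.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from the forum post or from ComboFix.  It reports
three things a helper checks first:
  * Run-key entries whose file ComboFix could not stat (shown as "[ ]"),
  * AutoRun commands bound to removable-media mount points (mountpoints2),
  * services/drivers with no file metadata, and a disabled firewall profile.
Findings mean "look at this", not "this is malware".
"""
import re

# Constructed sample: an excerpt of the log posted above, trimmed to the
# lines this parser cares about.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"NWEReboot"="" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" [meta]   -- the bracketed date/size block is optional
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$')
# R2 name;description;path [meta]   (service/driver lines)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")


def parse_loading_points(text):
    """Return (values, services, autoruns) from a Reg Loading Points section.

    values:   (registry key, value name, data, meta or None)
    services: (start type, service name, path, meta)
    autoruns: (registry key, command)
    """
    current_key = None
    values, services, autoruns = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group("start"), m.group("svc"), m.group("path"), m.group("meta").strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((current_key, m.group("cmd")))
            continue
        m = VALUE_RE.match(line)
        if m:
            meta = m.group("meta")
            values.append((current_key, m.group("name"), m.group("data").strip('"'),
                           None if meta is None else meta.strip()))
    return values, services, autoruns


def triage(text):
    """Return a list of (finding kind, detail) pairs worth a human's attention."""
    values, services, autoruns = parse_loading_points(text)
    findings = []
    for key, name, data, meta in values:
        key_l = (key or "").lower()
        # Assumption: empty brackets mean ComboFix found no file at that path.
        # An empty value with empty brackets (e.g. "NWEReboot"="") is just an
        # empty value, so require a non-empty path.
        if key_l.endswith("\\run") and data and meta == "":
            findings.append(("missing-autostart-file", f"{name} -> {data}"))
        if name.lower() == "enablefirewall" and "firewallpolicy" in key_l and data.startswith("0"):
            findings.append(("firewall-disabled", key))
    for start, name, path, meta in services:
        if meta == "":
            findings.append(("missing-service-file", f"{start} {name} -> {path}"))
    for key, cmd in autoruns:
        if "mountpoints2" in (key or "").lower():
            findings.append(("removable-media-autorun", cmd))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:25s} {detail}")
```

To run it against a real log, pass the full text of the ComboFix log to `triage()`; the parser ignores the file-listing and catchme sections because none of their lines match the four patterns. Note what the script does not do: it cannot tell a leftover uninstall stub (a Run entry for a product that was removed) from a file that malware deleted behind itself, and `EnableFirewall=0` is just as likely to be a third-party firewall having turned the Windows one off as anything hostile.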