Old 06-28-2008, 01:30 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Trojan maybe??

Hi

My mum (74 years old) downloaded a mahjong game and when I extracted it using WinRAR I think a trojan infected the computer.

She has NIS 2008 installed and it did pick up something but didn't call it any particular name. Since this I have uninstalled the mahjong and winrar but the machine is behaving really oddly.

Microsoft feeds synchronising keeps turning off, Windows problem solver keeps closing. It will not let me use anything of NIS 2008 (not even open the home page to perform a scan), and I have downloaded Spybot on another machine, but after copying it to CD and putting it in her CD tray it will not let me install it on her machine. Also no other program will open.

I have tried, after a lot of waiting, to system restore to two different dates, but this has been unsuccessful, and now and again Norton says downloader and a small box appears on screen that asks you to read the symbols and type them in a box below if you own the computer.

I have not filled this in at all but it will not leave the screen even when you click on the red cross at the top right of the message box. Once this box is on screen the mouse pointer will not move out of this box. All I can do is switch the machine off by pressing the 'on' button. I have taken the computer off the network for now.

Any help would be appreciated as mum is really upset as she loves her computer and browsing the web. I'm only a novice on computers so would need easy guides to follow, but I'm willing to give anything a go. Otherwise the machine will be off to PC World to see if they can fix it.

The machine is a Dell Inspiron 530, 3mb ram, using AOL broadband and Vista Home Premium 32bit with NIS 2008 installed.

Thanks, please help

ceri

I have since had some advice on another site, 'Virus vault':

http://www.virusvault.co.uk/fusionbb...ost/last/#LAST

and have started in safe mode, run system config and disabled Norton and UAC, but when I tried to install HijackThis it wouldn't let me install this or Spybot.

Hi John,

Thanks for your advice. I have got as far as installing the HijackThis install file but it will not install from the desktop in either normal start-up or safe mode.

When I tried in normal start-up mode a RunDLL error box opened stating 'c:\Users\Ruth\AppData\Local\Temp\wvUoPjhh.dll: The specified module could not be found.'

Also another error box showed stating 'Microsoft feeds synchronisation has stopped working' and it waits for me to click on Close program.

I tried opening the Office Word program in both safe mode and normal start-up mode and that opened OK in both scenarios.

Any further help please. Sorry I can't open HijackThis to get you the log file.

Ceri

Also posted the info below

Hi John

Not sure if any of this will help, but I have been able to copy and save to a USB disc this info from Windows Problem Reports and Solutions:

Product
Automatic LiveUpdate Scheduler Service

Problem
Stopped working

Date
27/06/2008 17:28

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: AluSchedulerSvc.exe
Application Version: 3.4.0.164
Application Timestamp: 46d7b04d
Fault Module Name: StackHash_4c86
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 003f000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 4c86
Additional Information 2: 287098e23090e4537a486ae040ee7891
Additional Information 3: af30
Additional Information 4: 4971906cd92ddee8ec0ce17c01a27d3a

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Product
launcher

Problem
Stopped working

Date
27/06/2008 15:36

Status
Report Sent

Description
Stopped working

Problem signature
Problem Event Name: CLR20r3
Problem Signature 01: _launcher.exe
Problem Signature 02: 1.0.0.0
Problem Signature 03: 2a425e19
Problem Signature 04: System
Problem Signature 05: 2.0.0.0
Problem Signature 06: 47577deb
Problem Signature 07: 39ee
Problem Signature 08: 288
Problem Signature 09: System.ComponentModel.Win32
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Extra information about the problem
Bucket ID: 221066171


Product
LiveUpdate Engine COM Module

Problem
Stopped working

Date
27/06/2008 15:58

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: LuComServer_3_4.EXE
Application Version: 3.4.0.162
Application Timestamp: 46cdedca
Fault Module Name: StackHash_919d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 0039000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 919d
Additional Information 2: cfde33574c499fde6893a99e64b61b38
Additional Information 3: 94e7
Additional Information 4: 05f0b7add3701429bdc9986e9dcf598b

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Product
Microsoft Feeds Synchronization

Problem
Stopped working

Date
27/06/2008 17:07

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: msfeedssync.exe
Application Version: 7.0.6001.18000
Application Timestamp: 47918ee3
Fault Module Name: unknown
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 000b000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Files that help describe the problem
Version.txt
AppCompat.txt



Product
Norton Protection Center Help and Support Loader

Problem
Stopped working

Date
27/06/2008 16:04

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: HSLoader.exe
Application Version: 2008.1.0.98
Application Timestamp: 46ce3093
Fault Module Name: StackHash_08b8
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 0039000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 08b8
Additional Information 2: 4e91148608f0b9536dd76ce0cf2b2d10
Additional Information 3: 6d8f
Additional Information 4: 78d35ac9fd13bd957585dc759b583dbb

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Product
Norton Protection Center LiveUpdate Stub

Problem
Stopped working

Date
27/06/2008 15:58

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: npcLUStb.exe
Application Version: 2008.1.0.98
Application Timestamp: 46ce3046
Fault Module Name: StackHash_268c
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 65007400
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 268c
Additional Information 2: 927133225a35d02213e73f4f9ac7bba7
Additional Information 3: c448
Additional Information 4: 6dc78a81c93e31c919ea915c031d5052

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Product
Symantec Service Framework

Problem
Stopped working

Date
27/06/2008 15:42

Status
Report Sent

Problem signature
Problem Event Name: BEX
Application Name: ccSvcHst.exe
Application Version: 107.0.3.7
Application Timestamp: 477eef81
Fault Module Name: StackHash_76fb
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 004a000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 76fb
Additional Information 2: 4aaf69064d3f1e1d13b676eeff459c6d
Additional Information 3: 1be0
Additional Information 4: 92811b1d19428c0d5b2e2072ae7ed211

Extra information about the problem
Bucket ID: 270876479


Product
Windows Explorer

Problem
Stopped working

Date
27/06/2008 16:11

Status
Not Reported

Problem signature
Problem Event Name: APPCRASH
Application Name: Explorer.EXE
Application Version: 6.0.6001.18000
Application Timestamp: 47918e5d
Fault Module Name: xjxgjaxd.dll
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 4fed3c80
Exception Code: c0000005
Exception Offset: 00010d6b
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 2c83
Additional Information 2: beabdba6628a82156ad01f51afeb737b
Additional Information 3: eb07
Additional Information 4: bac424dd3c4a00d8ebae2dddb7a0385f

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Product
Windows host process (Rundll32)

Problem
Stopped working

Date
27/06/2008 15:38

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: rundll32.exe
Application Version: 6.0.6000.16386
Application Timestamp: 4549b0e1
Fault Module Name: StackHash_37a1
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 000e000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 37a1
Additional Information 2: 5ec7fe924add9c3b2d0cefd23280b14c
Additional Information 3: 803a
Additional Information 4: 38f0e434f6c66dc62c27e62e9f0f92f8



Product
Windows Problem Reporting

Problem
Stopped working

Date
27/06/2008 17:07

Status
Not Reported

Problem signature
Problem Event Name: BEX
Application Name: wermgr.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918ca1
Fault Module Name: StackHash_3793
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 00a4000a
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057
Additional Information 1: 3793
Additional Information 2: df4b2237d476e1b5fe4d5c521d614052
Additional Information 3: 5a5c
Additional Information 4: 523df27e3896cc8178936497cac6d8ca

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp

This might help you???

Thanks

ceri

Hi John,

Tried installing via Run as administrator also and it still will not activate the HijackThis installation. This is the same as trying to install Spybot last night. It will not allow any new programs to be installed. Every time you try to do anything like this it just comes up with 'Microsoft feeds synchronisation has stopped working'. I have had 13 of these error messages since I spoke to you in the last message, and the computer has been left idle.

Sorry for the problem

Ceri
Old 06-29-2008, 06:53 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Anyone any ideas please, or will I have to reinstall Windows Vista?
Thanks
Ceri
Old 06-29-2008, 07:35 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Hello Ceri and welcome,

We prefer a more comprehensive set of logs to assist in detecting any malware that may be present.

As noted in the final step (Step 5) of our sticky topic IMPORTANT - Read This Before Posting For Malware Removal Help....

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-29-2008, 10:53 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

Did all you said above but could not download HijackThis as the infected computer is not connected to the web; showed it my copy of HijackThis, which hasn't opened at all, and it said it didn't recognise the copy and then it ran the HijackThis clone.

Soon after it said the log was ready to copy, but when the computer tried to open Notepad an error box came up saying 'Notepad has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.'

This is what is happening to any programme except Office Word that I try to open.
Anywhere else I can pick up the log report on the infected computer to copy it to Word and paste it to another computer to send to you?

Thanks

ceri
Old 06-29-2008, 11:40 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Hi Ceri,

Navigate to C:\Deckard\System Scanner

In that folder you'll find the main.txt and extra.txt, but please do not copy to Word or it will mess up the format for me.

Instead, transfer the main.txt and extra.txt to any removable media and take them to another computer. Open them and copy/paste into your next reply from that computer.
Old 07-04-2008, 04:29 AM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

Sorry, I've been away from home for a few days. This is the latest from C:\Deckard\System Scanner.

main.txt

Deckard's System Scanner v20071014.68
Run by Ruth on 2008-06-29 17:39:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
39: 2008-06-28 13:57:38 UTC - RP136 - Scheduled Checkpoint
38: 2008-06-27 17:20:41 UTC - RP135 - Restore Operation
37: 2008-06-27 17:04:21 UTC - RP134 - Restore Operation
36: 2008-06-26 09:11:11 UTC - RP133 - Scheduled Checkpoint
35: 2008-06-25 08:00:13 UTC - RP132 - Windows Update


-- First Restore Point --
1: 2008-05-20 11:17:38 UTC - RP98 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-29 17:44:59
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\aol\1204637550\ee\aolsoftware.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Users\Ruth\Desktop\dss.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1} - C:\Users\Ruth\AppData\Local\Temp\cbXonMEu.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LXCDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\cbXOIxxW.dll,#1
O4 - HKLM\..\Run: [5c8e46ff] rundll32.exe "C:\Users\Ruth\AppData\Local\Temp\xjxgjaxd.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Ruth\AppData\Local\Temp\wvUoPjhh.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Ruth\AppData\Local\Temp\cbXonMEu.dll,c
O4 - HKCU\..\Run: [5c8e46ff] rundll32.exe "C:\Users\Ruth\AppData\Local\Temp\xjxgjaxd.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\aol\acs\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: lxcd_device - Unknown owner - C:\Windows\System32\lxcdcoms.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 9711 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0000
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter
PNP Device ID: ROOT\*ISATAP\0000
Service: tunnel


-- Scheduled Tasks -------------------------------------------------------------

2008-06-29 17:45:00 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{0F06759B-6A9A-4395-BDC4-0BA84D5B8436}.job
2008-06-23 22:18:14 544 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Ruth.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 17:37:10 24576 --a------ C:\Windows\system32\cbXOIxxW.dll
2008-06-28 13:08:13 24576 --a------ C:\Windows\system32\wvUmkkiG.dll
2008-06-27 15:28:29 0 d-------- C:\Program Files\Mahjong Garden To Go
2008-06-24 11:16:33 0 d-------- C:\Windows\Mahjong World
2008-06-24 11:15:55 0 d-------- C:\Windows\Mahjong Garden To Go
2008-06-24 11:13:20 0 d-------- C:\Windows\Alice's Magical Mahjong
2008-06-24 11:13:20 0 d-------- C:\Program Files\Alice's Magical Mahjong
2008-06-23 11:52:12 0 d-------- C:\Program Files\uTorrent
2008-06-22 16:10:22 0 d-------- C:\Windows\Hotel Mahjong Deluxe [h33t] [oi812heet]
2008-06-19 18:13:42 0 d-------- C:\Users\All Users\Trymedia
2008-06-19 18:13:30 0 d-------- C:\Program Files\AOL Games


-- Find3M Report ---------------------------------------------------------------

2008-06-28 22:24:49 12 --a------ C:\Windows\bthservsdp.dat
2008-06-28 20:46:44 0 d-------- C:\Users\Ruth\AppData\Roaming\uTorrent
2008-06-28 13:27:12 0 d-------- C:\Program Files\Common Files\aol
2008-06-27 18:27:37 0 d-------- C:\Program Files\Lx_cats
2008-06-27 15:38:07 0 d-------- C:\Users\Ruth\AppData\Roaming\WinRAR
2008-06-21 21:15:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-19 17:08:45 0 d-------- C:\Users\Ruth\AppData\Roaming\Zylom
2008-06-19 17:08:45 0 d-------- C:\Users\Ruth\AppData\Roaming\Identities
2008-06-11 09:07:43 0 d-------- C:\Program Files\Windows Mail
2008-06-03 15:05:49 0 d-------- C:\Program Files\Symantec
2008-05-29 14:35:13 0 d-------- C:\Users\Ruth\AppData\Roaming\Google
2008-05-29 14:34:11 0 d-------- C:\Program Files\Google
2008-05-01 15:56:53 0 d-------- C:\Program Files\Mindscape
2008-04-27 15:29:05 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
25/08/2007 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/03/2008 15:08 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1}]
C:\Users\Ruth\AppData\Local\Temp\cbXonMEu.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [25/08/2007 04:51 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [11/05/2007 14:26 C:\Windows\RtHDVCpl.exe]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/01/2008 17:42]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 12:37]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [05/11/2006 12:22]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/01/2008 17:49]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"HostManager"="C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe" [14/11/2006 15:01]
"LXCDCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCDtime.dll" [22/02/2007 06:15]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 18:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"MSServer"="C:\Windows\system32\cbXOIxxW.dll" [27/06/2008 15:36]
"5c8e46ff"="C:\Users\Ruth\AppData\Local\Temp\xjxgjaxd.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"Microsoft Windows Installer"="C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe" [26/06/2008 22:48]
"MSServer"="C:\Users\Ruth\AppData\Local\Temp\wvUoPjhh.dll,#1" []
"cmds"="C:\Users\Ruth\AppData\Local\Temp\cbXonMEu.dll,c" []
"5c8e46ff"="C:\Users\Ruth\AppData\Local\Temp\xjxgjaxd.dll,b" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ACED1C9F-2718-4512-9F69-F4E28C1F484F}"= C:\Windows\system32\cbXOIxxW.dll [27/06/2008 15:36 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Users\Ruth\AppData\Local\Temp\cbXonMEu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-29 17:45:53 ------------

From extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 3060.45 MiB / 2035.63 MiB
Pagefile Memory (total/avail): 6323.2 MiB / 5334.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1877.99 MiB

C: is Fixed (NTFS) - 455.71 GiB total, 365.25 GiB free.
D: is Fixed (NTFS) - 10 GiB total, 6.07 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - SAMSUNG HD501LJ ATA Device - 465.76 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 - Installable File System - 10 GiB - D:
\PARTITION2 (bootable) - Installable File System - 455.71 GiB - C:

\\.\PHYSICALDRIVE5 - Kingston DataTraveler 2.0 USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 1967.98 MiB - J:

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled Outdated
AS: Norton Internet Security v15.0.0.60 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Ruth\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RUTH-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Ruth
LOCALAPPDATA=C:\Users\Ruth\AppData\Local
LOGONSERVER=\\RUTH-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Ruth\AppData\Local\Temp
TMP=C:\Users\Ruth\AppData\Local\Temp
USERDOMAIN=Ruth-PC
USERNAME=Ruth
USERPROFILE=C:\Users\Ruth
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Ruth (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Alice's Magical Mahjong --> "C:\Windows\Alice's Magical Mahjong\uninstall.exe" "/U:C:\Program Files\Alice's Magical Mahjong\Uninstall\uninstall.xml"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Brain Trainer --> "C:\Program Files\Mindscape\Brain Trainer\Uninstall.exe" "C:\Program Files\Mindscape\Brain Trainer\Install.log" -u
Browser Address Error Redirector --> MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Dell Getting Started Guide --> MsiExec.exe /I{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Deluxe Mah Jongg --> C:\Windows\uninst.exe -f"C:\Program Files\Cosmi\Deluxe Mah Jongg\DeIsL1.isu" -c"C:\Program Files\Cosmi\Deluxe Mah Jongg\_ISREG32.DLL"
Dominoes --> C:\Windows\uninst.exe -f"C:\Program Files\Cosmi\Dominoes\DeIsL1.isu" -c"C:\Program Files\Cosmi\Dominoes\_ISREG32.DLL"
Emperor's Mahjong for Windows --> C:\Windows\unvise32.exe C:\Program Files\Mindscape\Mahjong Windows\uninstal.log
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections 12.1.11.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Intel(R) PRO Network Connections 12.1.11.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Internet From BT --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6FFB40A5-7F7D-4A32-8905-3CDF962EE1E4}\Setup.exe"
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Lexmark 6300 Series --> C:\Program Files\Lexmark 6300 Series\Install\x86\Uninst.exe
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\ProgramData\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Luxor Mahjong --> "C:\Users\Ruth\AppData\Local\Zylom Games\Luxor Mahjong\GameInstlr.exe" --uninstall UnInstall.log
Mah Jong Medley --> C:\PROGRA~1\AOLGAM~1\MAHJON~1\UNWISE.EXE /U C:\PROGRA~1\AOLGAM~1\MAHJON~1\INSTALL.LOG
Mahjong Escape - Ancient China --> C:\Program Files\Mahjong Escape - Ancient China\uninstall.exe
Mahjong Escape - Ancient Japan --> C:\Program Files\Mahjong Escape - Ancient Japan\uninstall.exe
Mahjongg Master Deluxe --> C:\PROGRA~1\eGames\MAHJON~3\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~3\INSTALL.LOG
Mahjongg Master Egyptian Edition --> C:\PROGRA~1\eGames\MAHJON~1\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~1\INSTALL.LOG
Mahjongg Patience --> C:\PROGRA~1\eGames\MAHJON~4\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~4\INSTALL.LOG
MahJongg Tiles of Time --> C:\PROGRA~1\eGames\MAHJON~2\UNWISE.EXE C:\PROGRA~1\eGames\MAHJON~2\INSTALL.LOG
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4BFE-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
PowerPacket Ethernet Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7D82F42-0E41-45D8-B5F6-E61E070F9C03}\Setup.exe" -l0x9
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE --> MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
RTC Client API v1.2 --> MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Tiscali Internet --> MsiExec.exe /I{58B2B6D3-E5FF-4D16-87AC-52CC5717C7C6}
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Mobile Device Center --> MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Windows Mobile Device Center Driver Update --> MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}


-- Application Event Log -------------------------------------------------------

Event Record #/Type12683 / Error
Event Submitted/Written: 06/29/2008 05:40:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msfeedssync.exe, version 7.0.6001.18000, time stamp 0x47918ee3, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0063000a,
process id 0xf80, application start time 0xmsfeedssync.exe0.

Event Record #/Type12681 / Error
Event Submitted/Written: 06/29/2008 05:37:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application MSASCui.exe, version 1.1.1600.0, time stamp 0x47918de2, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0016000a,
process id 0x204, application start time 0xMSASCui.exe0.

Event Record #/Type12675 / Success
Event Submitted/Written: 06/29/2008 05:37:20 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type12674 / Success
Event Submitted/Written: 06/29/2008 05:37:16 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type12670 / Success
Event Submitted/Written: 06/29/2008 05:36:53 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type43013 / Warning
Event Submitted/Written: 06/29/2008 05:38:48 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type43012 / Warning
Event Submitted/Written: 06/29/2008 05:38:48 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type43011 / Warning
Event Submitted/Written: 06/29/2008 05:38:48 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type43010 / Warning
Event Submitted/Written: 06/29/2008 05:38:48 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Event Record #/Type43009 / Warning
Event Submitted/Written: 06/29/2008 05:38:48 PM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.



-- End of Deckard's System Scanner: finished at 2008-06-29 17:45:53 ------------

Hope this helps. Please remember that Norton has been disabled in safe mode under sys config, and so has UAC, as asked earlier in the other forum.

I have found how to recover to factory preset under the 'D' partition if this will help, as there isn't really anything on the machine that needs to be recovered. Will this be the easier option, if you think it will help?

Thanks

Ceri
Old 07-04-2008, 05:35 AM   #7 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Sorry here is the attached extra file
Attached Files
File Type: txt extra text file mum computer problem.txt (14.1 KB, 0 views)
Old 07-04-2008, 06:55 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Hello cerifido,

Making use of the Recovery Partition is certainly an option. If you'd like to try to clean this first, then kindly do the following:

Please advise any forum where you've sought assistance that you are being helped, and request they close your threads.


This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

------------------------------------------------

We'll begin with ComboFix. Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link: http://www.bleepingcomputer.com/forums/topic114351.html

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-04-2008, 08:04 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

Tried the recovery partition and it came up with an error box just stating that an error has occurred. Downloaded and tried to run ComboFix but it will not open the program. Even tried running as administrator. The computer only has one user and it has administrator rights.

Sorry, no further forward.

Ceri
Old 07-04-2008, 08:13 AM   #10 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

Just ran DSS again. Find below the main .txt, but this time an extra.txt file was not created.

Deckard's System Scanner v20071014.68
Run by Ruth on 2008-07-04 15:04:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-04 15:05:34
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\aol\1204637550\ee\aolsoftware.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\System32\mobsync.exe
C:\Users\Ruth\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\rqRIaAsQ.dll,#1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} () - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\aol\acs\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: lxcd_device - Unknown owner - C:\Windows\System32\lxcdcoms.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 9460 bytes

-- Files created between 2008-06-04 and 2008-07-04 -----------------------------

2008-07-04 14:52:56 24576 --a------ C:\Windows\system32\rqRIaAsQ.dll
2008-07-03 21:51:17 0 d-------- C:\Program Files\7-Zip
2008-07-03 21:15:06 141312 --a------ C:\Windows\system32\drivers\sp_rsdrv2.sys
2008-07-03 21:15:05 0 d-------- C:\Users\All Users\Spyware Terminator
2008-07-03 21:15:03 0 d-------- C:\Program Files\Spyware Terminator
2008-07-03 20:53:07 0 d-------- C:\Program Files\CCleaner
2008-06-28 13:08:13 24576 --a------ C:\Windows\system32\wvUmkkiG.dll
2008-06-27 15:28:29 0 d-------- C:\Program Files\Mahjong Garden To Go
2008-06-24 11:16:33 0 d-------- C:\Windows\Mahjong World
2008-06-24 11:15:55 0 d-------- C:\Windows\Mahjong Garden To Go
2008-06-24 11:13:20 0 d-------- C:\Windows\Alice's Magical Mahjong
2008-06-23 11:52:12 0 d-------- C:\Program Files\uTorrent
2008-06-22 16:10:22 0 d-------- C:\Windows\Hotel Mahjong Deluxe [h33t] [oi812heet]
2008-06-19 18:13:42 0 d-------- C:\Users\All Users\Trymedia


-- Find3M Report ---------------------------------------------------------------

2008-07-04 15:02:56 0 d-------- C:\Users\Ruth\AppData\Roaming\uTorrent
2008-07-04 13:15:35 12 --a------ C:\Windows\bthservsdp.dat
2008-07-04 12:23:20 0 d-------- C:\Users\Ruth\AppData\Roaming\Spyware Terminator
2008-07-03 21:27:58 0 d-------- C:\Users\Ruth\AppData\Roaming\Roxio
2008-07-03 21:03:46 0 d-------- C:\Program Files\eGames
2008-07-03 20:55:39 0 d-------- C:\Program Files\Mindscape
2008-07-03 20:55:31 0 d-------- C:\Program Files\Cosmi
2008-07-03 20:33:45 0 d-------- C:\Program Files\Lx_cats
2008-06-28 13:27:12 0 d-------- C:\Program Files\Common Files\aol
2008-06-27 15:38:07 0 d-------- C:\Users\Ruth\AppData\Roaming\WinRAR
2008-06-21 21:15:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-19 17:08:45 0 d-------- C:\Users\Ruth\AppData\Roaming\Zylom
2008-06-19 17:08:45 0 d-------- C:\Users\Ruth\AppData\Roaming\Identities
2008-06-11 09:07:43 0 d-------- C:\Program Files\Windows Mail
2008-06-03 15:05:49 0 d-------- C:\Program Files\Symantec
2008-05-29 14:35:13 0 d-------- C:\Users\Ruth\AppData\Roaming\Google
2008-05-29 14:34:11 0 d-------- C:\Program Files\Google
2008-04-27 15:29:05 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
25/08/2007 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/03/2008 15:08 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [25/08/2007 04:51 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [11/05/2007 14:26 C:\Windows\RtHDVCpl.exe]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/01/2008 17:42]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 12:37]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [05/11/2006 12:22]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/01/2008 17:49]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"HostManager"="C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe" [14/11/2006 15:01]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 18:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"MSServer"="C:\Windows\system32\rqRIaAsQ.dll" [27/06/2008 15:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [14/02/2008 12:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"Microsoft Windows Installer"="C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe" [26/06/2008 22:48]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ACED1C9F-2718-4512-9F69-F4E28C1F484F}"= C:\Windows\system32\rqRIaAsQ.dll [27/06/2008 15:36 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Users\Ruth\AppData\Local\Temp\cbXonMEu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCDCATS]
rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCDtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\byXNfFww.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-04 15:05:47 ------------
cerifido is offline  
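The registry dump in the DSS log above (and the ComboFix dump in the next reply) shows the shape of this infection in one place: a random-named DLL in system32 loaded from an HKLM Run value and again from a ShellExecuteHook, an extra LSA authentication package pulled from the user's %TEMP%, an executable started from AppData\Roaming, EnableLUA set to 0, Security Center monitoring suppressed and the firewall switched off in every profile. The script below is an added example and not a tool anyone in this thread used: it parses a dump in the same `[key]` / `"name"=data` format and flags exactly those indicators. The sample text is constructed from the posted entries, and the "random-looking name" test is a heuristic for names like rqRIaAsQ.dll, not a signature for any particular family.

```python
"""Triage a DSS / ComboFix style registry dump for persistence and
defence-tampering indicators. Added example; not a tool from the thread."""
import re
from typing import List, Optional, Tuple

# Constructed sample in the format of the posted logs (entries mirror the
# thread; the text itself is assembled for this example).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"MSServer"="C:\Windows\system32\rqRIaAsQ.dll" [27/06/2008 15:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [14/02/2008 12:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"Microsoft Windows Installer"="C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe" [26/06/2008 22:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{ACED1C9F-2718-4512-9F69-F4E28C1F484F}"= C:\Windows\system32\rqRIaAsQ.dll [27/06/2008 15:36 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Users\Ruth\AppData\Local\Temp\cbXonMEu

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+')          # first drive-letter path
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|Temp)\\")

Finding = Tuple[str, str, str]  # (rule, registry key, value name or detail)


def first_path(data: str) -> Optional[str]:
    m = PATH_RE.search(data)
    return m.group(0).strip() if m else None


def int_value(data: str) -> Optional[int]:
    """Parse the '0 (0x0)' and 'dword:00000001' forms used in these dumps."""
    tok = data.split()[0] if data.split() else ""
    if tok.lower().startswith("dword:"):
        return int(tok[6:], 16)
    try:
        return int(tok, 0)
    except ValueError:
        return None


def looks_random(path: str) -> bool:
    """Heuristic for names like rqRIaAsQ.dll: eight letters, mixed case."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha()
            and sum(c.isupper() for c in stem) >= 2
            and sum(c.islower() for c in stem) >= 2)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        sm = SECTION_RE.match(line)
        if sm:
            key = sm.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, data = vm.group("name"), vm.group("data")
        k = key.lower()
        path = first_path(data)
        if k.endswith("\\currentversion\\run") and path:
            # Run values launch programs; a bare DLL here needs a host to load it
            if path.lower().endswith(".dll"):
                findings.append(("run-value-loads-dll", key, name))
            if USER_WRITABLE_RE.search(path):
                findings.append(("run-from-user-writable-dir", key, name))
            if looks_random(path):
                findings.append(("random-looking-module-name", key, name))
        elif k.endswith("\\shellexecutehooks") and path:
            # the only stock hook on Vista lives in shell32.dll
            if not path.lower().endswith("\\shell32.dll"):
                findings.append(("foreign-shellexecutehook", key, path))
        elif k.endswith("\\control\\lsa") and name.lower() == "authentication packages":
            for pkg in data.split():
                if pkg.lower() != "msv1_0":   # anything beyond msv1_0 runs inside lsass
                    findings.append(("extra-lsa-auth-package", key, pkg))
        elif k.endswith("\\policies\\system") and name.lower() == "enablelua":
            if int_value(data) == 0:
                findings.append(("uac-disabled", key, name))
        elif "\\security center" in k:
            n = name.lower()
            if (n == "disablemonitoring" or n.endswith("override")
                    or n.endswith("disablenotify")) and int_value(data) == 1:
                findings.append(("security-center-suppressed", key, name))
        elif "firewallpolicy" in k and name.lower() == "enablefirewall":
            if int_value(data) == 0:
                findings.append(("firewall-disabled", key, name))
    return findings


if __name__ == "__main__":
    for rule, key, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}  <- {key}")
```

Run it on the sample and it reports eight findings: two for the MSServer value (a DLL in a Run key with a random-looking name), the dtsc executable under AppData\Roaming, the foreign ShellExecuteHook, the extra LSA package from %TEMP%, UAC off, Security Center monitoring suppressed and the firewall off. Paste a real DSS or ComboFix registry section into `SAMPLE_LOG` to triage a different log; the rules only inspect the key paths and value names shown in this thread's dumps.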
Old 07-04-2008, 08:33 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Let's try again.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-04-2008, 04:52 PM   #12 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

Please find both files below. HijackThis installed this time.

During ComboFix an error box came up after rebooting Windows:

LogonUI.exe - Bad Image
c:\windows\system32\clbdll.dll is either not designed to run on Windows, or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Click OK

This error message came up for every file with the same message in the error box and I had to click OK. Not sure if this will help you.

Combofix.txt and Hijackthis.txt are below

ComboFix.txt

ComboFix 08-07-04.1 - Ruth 2008-07-04 22:29:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2100 [GMT 1:00]
Running from: C:\Users\Ruth\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\~bundle.DDF
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\27249.exe
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\Bubble Shooter Premium Edition v1.0 crack by TE.torrent
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\Bubble Shooter Premium Edition v1.0 crack by TE.zip
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\GameHouse Westward Serial by BalCrNepal.torrent
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\GameHouse Westward Serial by BalCrNepal.zip
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\Meanders Annotator for Microsoft Office v1.52 patch by BAKA.torrent
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\Meanders Annotator for Microsoft Office v1.52 patch by BAKA.zip
C:\Users\Ruth\AppData\Roaming\Microsoft\dtsc\s
C:\Windows\megavid.cdt
C:\Windows\muotr.so
C:\Windows\system32\byXPGAtr.dll
C:\Windows\system32\clbdll.dll
C:\Windows\system32\clbinit.dll
C:\Windows\system32\drivers\clbdriver.sys
C:\Windows\system32\wvUmkkiG.dll
C:\Windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-04 10:53 . 2008-07-04 22:32 <DIR> d-------- C:\Users\Ruth\AppData\Roaming\uTorrent
2008-07-03 21:51 . 2008-07-03 21:51 <DIR> d-------- C:\Program Files\7-Zip
2008-07-03 21:15 . 2008-07-04 12:23 <DIR> d-------- C:\Users\Ruth\AppData\Roaming\Spyware Terminator
2008-07-03 21:15 . 2008-07-03 21:25 <DIR> d-------- C:\Users\All Users\Spyware Terminator
2008-07-03 21:15 . 2008-07-03 21:25 <DIR> d-------- C:\ProgramData\Spyware Terminator
2008-07-03 21:15 . 2008-07-03 22:06 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-07-03 21:15 . 2008-07-03 21:15 141,312 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys
2008-07-03 20:53 . 2008-07-03 20:53 <DIR> d-------- C:\Program Files\CCleaner
2008-06-29 17:39 . 2008-06-29 17:39 <DIR> d-------- C:\Deckard
2008-06-28 13:55 . 2008-06-28 13:55 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-28 13:08 . 2008-01-02 17:33 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-06-27 17:42 . 2008-06-27 17:49 1,905 --a------ C:\Windows\diagwrn.xml
2008-06-27 17:42 . 2008-06-27 17:49 1,905 --a------ C:\Windows\diagerr.xml
2008-06-27 15:37 . 2008-01-19 06:49 6,144 --a------ C:\Windows\System32\beep.sys
2008-06-27 15:28 . 2008-06-27 15:31 <DIR> d-------- C:\Program Files\Mahjong Garden To Go
2008-06-24 11:16 . 2008-06-24 11:16 <DIR> d-------- C:\Windows\Mahjong World
2008-06-24 11:15 . 2008-06-27 18:25 <DIR> d-------- C:\Windows\Mahjong Garden To Go
2008-06-24 11:13 . 2008-06-24 11:13 <DIR> d-------- C:\Windows\Alice's Magical Mahjong
2008-06-23 11:52 . 2008-06-23 11:52 <DIR> d-------- C:\Program Files\uTorrent
2008-06-22 16:10 . 2008-06-22 16:13 <DIR> d-------- C:\Windows\Hotel Mahjong Deluxe [h33t] [oi812heet]
2008-06-19 18:13 . 2008-06-19 18:13 <DIR> d-------- C:\Users\All Users\Trymedia
2008-06-19 18:13 . 2008-06-19 18:13 <DIR> d-------- C:\ProgramData\Trymedia
2008-06-19 17:08 . 2008-06-19 17:08 <DIR> d-------- C:\Users\Ruth\AppData\Roaming\Zylom
2008-06-14 20:05 . 2008-04-23 05:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 20:05 . 2008-04-23 05:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 20:05 . 2008-04-23 05:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 20:05 . 2008-04-23 05:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 14:14 . 2008-06-13 14:14 24,112 --a------ C:\Windows\System32\drivers\SymIMV.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\Windows\System32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\Windows\System32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\Windows\System32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\Windows\System32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\Windows\System32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\Windows\System32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\Windows\System32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\Windows\System32\drivers\symdns.sys
2008-06-11 08:57 . 2008-04-25 03:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 08:57 . 2008-04-26 09:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 08:57 . 2008-04-25 05:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 08:57 . 2008-05-10 02:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-03 20:27 --------- d-----w C:\Users\Ruth\AppData\Roaming\Roxio
2008-07-03 20:03 --------- d-----w C:\Program Files\eGames
2008-07-03 19:55 --------- d-----w C:\Program Files\Mindscape
2008-07-03 19:55 --------- d-----w C:\Program Files\Cosmi
2008-07-03 19:33 --------- d-----w C:\Program Files\Lx_cats
2008-06-28 12:27 --------- d-----w C:\Program Files\Common Files\aol
2008-06-27 17:25 --------- d-----w C:\ProgramData\AOL
2008-06-27 14:37 10,240 ----a-w C:\Windows\system32\drivers\beep.sys
2008-06-27 07:31 --------- d-----w C:\ProgramData\Symantec
2008-06-21 20:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 09:32 --------- d---a-w C:\ProgramData\TEMP
2008-06-11 08:07 --------- d-----w C:\Program Files\Windows Mail
2008-06-03 14:05 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-03 14:05 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-03 14:05 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-03 14:05 --------- d-----w C:\Program Files\Symantec
2008-05-29 13:34 --------- d-----w C:\Program Files\Google
2008-04-27 14:29 174 --sha-w C:\Program Files\desktop.ini
2008-04-27 13:33 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-27 13:33 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-11 10:20 988,216 ----a-w C:\Windows\System32\winload.exe
2008-04-11 10:20 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-04-11 10:20 615,992 ----a-w C:\Windows\System32\ci.dll
2008-04-11 10:20 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-04-11 10:20 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-04-11 10:20 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-04-11 10:20 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-04-11 10:20 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-04-11 10:20 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-04-11 10:20 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-04-11 10:18 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-04-11 10:18 2,032,128 ----a-w C:\Windows\System32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-04 15:08 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 08:33 1233920]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-01-05 17:42 77824]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-05 17:49 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"HostManager"="C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe" [2006-11-14 15:01 50736]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 18:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 18:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 18:07 133656]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 12:01 51048]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 14:26 4452352 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCDCATS]
--a------ 2007-02-22 06:15 73728 C:\Windows\System32\spool\drivers\w32x86\3\lxcdtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A40FD43E-8F6C-43DB-B94F-5467963D5627}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{41AB0196-B063-4B9A-9FCA-56EBA12D91DB}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialler
"{88B5CFE1-B419-4C92-AF2A-3374057A301A}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{A12DF09D-9B5E-4064-9464-1C0FA4667480}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Services
"{DA29BE4A-9206-4934-B592-927AD6F2F929}"= UDP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{CE17D6F2-9AC7-4684-B975-7BAE46E1F042}"= TCP:C:\Program Files\AOL 9.0 VR\waol.exe:AOL
"{8B5050B2-2A32-48A6-96D5-673019EE0DBA}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{594589D1-A87C-433E-B755-2EEDBA77AD82}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C803141D-A40D-4F10-8BE4-166CCCF7B9B6}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{6C9D78B4-B9CB-41E4-9BE3-071F479A3FBD}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{30954AE5-265A-4A96-813D-2822F2F8D30D}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{87F30329-F2AA-417F-BBC3-11537E7B9D88}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{8A1A8E5F-C848-471F-B30D-2A1A08A22803}"= UDP:C:\Program Files\Common Files\aol\1204637550\ee\aolsoftware.exe:AOL Shared Components
"{3F41B4BC-1B6D-4ED0-9AD2-6DD09DA8F62C}"= TCP:C:\Program Files\Common Files\aol\1204637550\ee\aolsoftware.exe:AOL Shared Components
"{914578D0-8FDE-40A8-B08C-15343D778383}"= Disabled:UDP:135:TCP Port 135
"{FDCCD1F3-9766-4080-8BDF-CDC3C560B793}"= Disabled:UDP:5000:TCP Port 5000
"{C5F51052-09F6-40AC-AC52-6ECFEB530AAA}"= Disabled:UDP:5001:TCP Port 5001
"{F2EA70F3-E6F3-4BB6-976A-45B3ECC4DB1A}"= Disabled:UDP:5002:TCP Port 5002
"{6512FC35-ED1A-47DC-9605-5E495162C290}"= Disabled:UDP:5003:TCP Port 5003
"{4974BA30-A197-4572-A423-0E356D7DA501}"= Disabled:UDP:5004:TCP Port 5004
"{EE39A1B3-B6E3-49C2-B7BC-A230A8890B13}"= Disabled:UDP:5005:TCP Port 5005
"{6E659D68-EC0B-4E0F-AD87-2B32EF1395EF}"= Disabled:UDP:5006:TCP Port 5006
"{1CD0A5B2-3327-47C0-9E12-4426D4F55929}"= Disabled:UDP:5007:TCP Port 5007
"{F63878E6-2122-482D-8962-388748F10B99}"= Disabled:UDP:5008:TCP Port 5008
"{55DF3E17-CD6E-4303-BB2C-B80C8861DC33}"= Disabled:UDP:5009:TCP Port 5009
"{D9D36DD4-2846-4E70-8965-6A98307255FD}"= Disabled:UDP:5010:TCP Port 5010
"{C2D130B4-DB83-48D9-9DB9-4BEE0D910849}"= Disabled:UDP:5011:TCP Port 5011
"{9E1617AB-FBE8-4A50-8B0C-221CFA98AE8D}"= Disabled:UDP:5012:TCP Port 5012
"{DE28ACC4-9B25-47F7-8F08-2A296A12770E}"= Disabled:UDP:5013:TCP Port 5013
"{C5C23C22-29B7-48F5-A26B-E43268C79BE8}"= Disabled:UDP:5014:TCP Port 5014
"{7C812B37-51C3-4E7E-B715-D41228BC28AB}"= Disabled:UDP:5015:TCP Port 5015
"{19B4AF38-909B-4E13-85C6-3D0AD3430240}"= Disabled:UDP:5016:TCP Port 5016
"{10BF22D9-CA8C-4571-A305-5103FFA94FD0}"= Disabled:UDP:5017:TCP Port 5017
"{9E9CFA03-9373-4884-BE6D-945DACA645F7}"= Disabled:UDP:5018:TCP Port 5018
"{D0ACC118-42E5-464D-8BE2-C171F7F748BF}"= Disabled:UDP:5019:TCP Port 5019
"{F1E64452-FCB1-41B7-B269-8540431A1600}"= Disabled:UDP:5020:TCP Port 5020
"{F13AEBD4-DE6B-4635-84C8-019395235D12}"= UDP:C:\Windows\System32\lxcdcoms.exe:6300 Series Server
"{210BB5C6-CD84-4545-B21E-66C9183C2BBB}"= TCP:C:\Windows\System32\lxcdcoms.exe:6300 Series Server
"{95D0605E-FF82-4289-BDAD-5C1C3317BA74}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxcdpswx.exe:6300 Series Printer Status
"{E4F508C3-DBA9-4278-B13B-7AFB06E33184}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxcdpswx.exe:6300 Series Printer Status
"{A948F2C9-B41B-4750-91C6-03BE7C449183}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{B9C77CFC-8830-4488-B056-A7597AF90BC1}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080623.001\IDSvix86.sys [2008-02-13 17:18]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 17:48]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 08:36]
S4 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 21:18:14 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Ruth.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
.
- - - - ORPHANS REMOVED - - - -

BHO-{76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1} - (no file)
ShellExecuteHooks-{ACED1C9F-2718-4512-9F69-F4E28C1F484F} - C:\Windows\system32\byXPGAtr.dll
MSConfigStartUp-MSServer - C:\Windows\system32\byXNfFww.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 23:04:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Windows\system32\clbdll.dll 43520 bytes executable
C:\Windows\system32\clbinit.dll 1723 bytes
C:\Windows\system32\drivers\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp1_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp2_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp3_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp1_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp2_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable
C:\Users\Ruth\AppData\Local\Temp\Temp3_catchme2008-07-04_223145.56.zip\clbdriver.sys 10240 bytes executable

scan completed successfully
hidden files: 9

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\Windows\System32\lxcdcoms.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-07-04 23:26:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 22:26:31

Pre-Run: 392,201,183,232 bytes free
Post-Run: 392,470,024,192 bytes free

272 --- E O F --- 2008-06-25 08:01:06


Hijackthis.txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:47, on 04/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\aol\1204637550\ee\aolsoftware.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1204637550\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcd_device - - C:\Windows\system32\lxcdcoms.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7227 bytes
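The log above is in HijackThis format: one entry per line, each starting with a section code (R0/R1 for Internet Explorer start pages, O2 for BHOs, O4 for Run keys, O16 for Downloaded Program Files, O20 for AppInit_DLLs, O23 for services, and so on). As an added example that is not code from the thread, from HijackThis, or from any helper's toolkit, the Python below does the first triage pass an analyst makes over such a log. The sample lines are constructed to match the format shown in the thread, and the review rules are my own assumptions: an O2 BHO whose file is `(no file)`, any O20 AppInit_DLLs entry, an O16 DPF entry that points at a local file rather than a download URL, and an O23 service with an empty or `Unknown owner` publisher. A flag means "look at this next", not "this is malicious"; the O20 entry in the thread's own log, for instance, belongs to Google Desktop.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis log format (lines modelled on the log in
# this thread). This is test input for the parser, not a captured log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {76F65C2C-A9C6-42D6-8BC6-A78C812AA1D1} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: lxcd_device - - C:\Windows\system32\lxcdcoms.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
"""

# Every HijackThis entry reads "<section> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# O23 body: "Service: <display name> - <company> - <path>". The company may be
# empty, which the forum rendering collapses to "name - - path", so the
# separator before the path is matched with optional whitespace.
SERVICE_BODY = re.compile(
    r"^Service: (?P<name>.+?) - (?P<company>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.*)$"
)


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def analyse_entry(section: str, body: str) -> List[str]:
    """Return review flags for one entry; an empty list means nothing stood out.
    The rules below are assumptions of this example, not HijackThis logic."""
    flags = []
    if section == "O2" and body.endswith("(no file)"):
        flags.append("orphaned BHO: CLSID registered but its DLL is gone")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        flags.append("AppInit_DLLs loads into every process that maps user32.dll; confirm the publisher")
    if section == "O16" and "file:///" in body:
        flags.append("DPF entry points at a local file, not a download URL")
    if section == "O23":
        m = SERVICE_BODY.match(body)
        if m and m.group("company") in ("", "Unknown owner"):
            flags.append("service has no publisher string; verify the binary")
    return flags


def analyse_log(text: str) -> List[Entry]:
    """Parse every HijackThis entry in `text`; non-entry lines (headers, blank
    lines, the 'End of file' trailer) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entries.append(Entry(section, body, analyse_entry(section, body)))
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in analyse_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Running it on the constructed sample prints four entries: the `(no file)` BHO, the local-file DPF entry, the AppInit_DLLs line and the `lxcd_device` service with no company name; the Adobe BHO, the Symantec Run key and the AOL service pass clean. The same rules applied to the full log above would additionally flag `Symantec Core LC`, whose owner is listed as `Unknown owner`, which is why publisher checks are a prompt to verify, not a verdict.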
Old 07-05-2008, 12:55 AM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Hello cerifido,

Before I continue with additional removals, I need a bit more information.


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

cmd /c Vfind -ltf C:\beep.sys >Log.txt&Log.txt&del Log.txt

A block cmd.exe box will appear, and it will seem as though nothing is happening. Please be patient--a log text will pop up within a few minutes.

Kindly copy/paste the contents of that log.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-05-2008, 03:18 AM   #14 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried,

All that comes up is an error box stating cmd.exe - bad image and the same error as previous post: C:\Windows\system32\clbdll.dll is either not designed to run on windows or it contains an error......

I click ok but then nothing appears in the block cmd.exe box

Sorry no further forward

Ceri
Old 07-05-2008, 11:24 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Run Combo-Fix.exe again and post the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-05-2008, 01:41 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Hi Ried

When I try to run it, it comes up with combo-fix.exe Bad image and the same error message as above; then when I click on ok all other files say the same error message. I keep clicking on ok and after about 23 files another error message says

Error

you cannot rename ComboFix as Combo-Fix Please use another name , preferably made up of alphanumeric characters. Press ok

When I press ok nothing else happens

No new ComboFix.txt file has been created

Last edited by cerifido; 07-05-2008 at 01:43 PM.
Old 07-05-2008, 01:49 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Delete your existing Combo-Fix.exe, and the folder C:\Combofix (if that folder exists)

Download a fresh copy, being sure to re-name it before saving it to your desktop.

Right-click Combo-Fix.exe and 'run as administrator'.

Post the C:\ComboFix.txt when it has completed
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-05-2008, 02:34 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Deleted Combo-Fix.exe but it will not let me delete C:\Combofix.

Error message

Delete Folder
An unexpected error is preventing the operation. Make a note of this error code, which might be useful if you get additional help to resolve this problem

Error0x80070091: the directory is not empty

The Combo-Fix folder has a Test folder included. I have tried to delete this test folder but the same error message comes up. This test folder is empty though but it will still not let me delete it.

I have been able to delete the ComboFix.txt file
Old 07-05-2008, 03:00 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,890
OS: WinXP and Vista


Re: Trojan maybe??

Leave the ComboFix folder, and see if the freshly downloaded Combo-Fix.exe will run.

If not, boot into Safe Mode and delete the C:\ComboFix folder, then run Combo-Fix.exe
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-05-2008, 03:33 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 66
OS: windows vista home premium 32 bit


Re: Trojan maybe??

Will not let me delete in safe mode either still the same error.

Tried to run new Combo-Fix.exe but still bad image errors for all files. Did not create new Combofix folder in C drive but created C:\327882R2FWJFW

This is both in safe mode and normal mode

See content of folder attached in word document. Only way I could get the info to you

Last edited by Ried; 07-05-2008 at 03:42 PM. Reason: removed attachment