Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 06-23-2009, 10:07 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Start up Problem

Hey guys. Sorry, I hadn't managed to get to my apartment, where my computer is located, the last few weekends and was unable to respond to your posts, so my thread was shut down. However, I now have my computer at home and will be able to respond in a timely manner.

The problem I am referring to can be found here: Start up problem

I followed the latest instructions and ran combo fix. I got an error "Date is '~' Run in reduced functionality mode, yes, no"

I also didn't have the "Microsoft Windows Recovery Console" and was unable to attain an internet connection to download it. (although I do have a working wireless connection to my other computer)

Anyways here is the log, thank you again for your continued assistance:

ComboFix 09-06-07.05 - Jeremy 06/17/2009 0:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1401 [GMT -4:00]
Running from: c:\documents and settings\Jeremy\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 01:37 . 2009-06-16 01:37 -------- d-----w- c:\windows\LastGood
2009-05-23 17:17 . 2009-05-23 17:17 390664 ----a-w- c:\documents and settings\Jeremy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 21:20 . 2006-08-02 02:13 76184 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-01 01:40 . 2006-09-08 01:20 -------- d-----w- c:\program files\Dl_cats
2009-05-30 00:12 . 2008-08-28 19:52 -------- d-----w- c:\program files\Panda Security
2009-05-26 00:41 . 2006-08-07 21:38 -------- d-----w- c:\program files\Encore
2009-05-26 00:41 . 2006-07-31 12:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-26 00:27 . 2007-09-12 09:01 -------- d-----w- c:\program files\REFPROP
2009-05-26 00:17 . 2008-12-19 03:11 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2009-05-26 00:15 . 2007-04-30 14:54 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-05-26 00:15 . 2007-04-30 14:54 -------- d-----w- c:\program files\Autodesk
2009-05-26 00:15 . 2007-04-30 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-05-25 23:53 . 2007-10-17 08:41 -------- d-----w- c:\program files\AutoCAD Civil 3D 2008
2009-05-25 23:47 . 2007-04-30 14:55 -------- d-----w- c:\program files\AutoCAD 2008
2009-05-24 07:02 . 2009-01-13 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-23 17:56 . 2009-01-14 02:05 -------- d-----w- c:\program files\Rhapsody
2009-05-23 17:53 . 2007-11-29 06:08 -------- d-----w- c:\program files\Full Tilt Poker
2009-03-25 03:35 . 2009-03-25 03:35 624096 -c--a-w- c:\windows\system32\rn.tmp
2008-01-19 18:26 . 2008-01-19 18:19 58619176 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-02 01:12 . 2008-01-02 01:12 1362812 -c--a-w- c:\program files\supcom_patch_3217_to_3220.exe
2007-12-29 02:52 . 2007-12-29 02:52 608744 -c--a-w- c:\program files\10_FOOT.exe
2007-12-29 02:51 . 2007-12-29 02:51 1530160 -c--a-w- c:\program files\Specialty.exe
2007-12-29 02:50 . 2007-12-29 02:50 3363139 -c--a-w- c:\program files\Lighting.exe
2007-12-29 02:36 . 2007-12-29 02:36 16469848 -c--a-w- c:\program files\Furniture.exe
2007-12-29 02:33 . 2007-12-29 02:33 676500 -c--a-w- c:\program files\12 Furnishings.exe
2007-12-29 02:32 . 2007-12-29 02:32 903030 -c--a-w- c:\program files\Plumbing.exe
2007-12-29 02:31 . 2007-12-29 02:31 567739 -c--a-w- c:\program files\Electrical.exe
2007-12-29 02:30 . 2007-12-29 02:11 6913973 -c--a-w- c:\program files\Cabinets.exe
2007-12-29 02:09 . 2007-12-29 02:08 6116610 -c--a-w- c:\program files\11 Equipment.exe
2007-12-29 02:07 . 2007-12-29 02:06 1539327 -c--a-w- c:\program files\10 Specialties.exe
2007-12-29 02:03 . 2007-12-29 02:03 15383765 -c--a-w- c:\program files\02 Site.exe
2007-12-28 17:53 . 2007-12-28 17:52 21321008 -c--a-w- c:\program files\QuickTimeInstaller.exe
2006-08-02 00:07 . 2006-08-02 00:07 56 --sh--r- c:\windows\system32\9485F0ABA8.sys
2006-10-06 23:22 . 2006-08-02 02:11 88 --sh--r- c:\windows\system32\A8ABF08594.sys
1601-01-01 00:12 . 1601-01-01 00:12 0 -csha-w- c:\windows\system32\dunanume.dll
2006-10-06 23:22 . 2006-08-02 00:07 5224 -csha-w- c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:12 . 1601-01-01 00:12 0 -csha-w- c:\windows\system32\puhelupi.dll
1601-01-01 00:12 . 1601-01-01 00:12 0 -csha-w- c:\windows\system32\wuripowi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-10 7561216]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

c:\documents and settings\Jeremy\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2009-1-20 1564672]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-9-28 6144]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Jeremy\My Documents\My Pictures\Wall Papers\Tara Reid.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3D max\\3dsmax.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1154478539\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [1/20/2009 3:21 PM 238848]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [8/16/2005 10:06 PM 26488]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/23/2008 8:24 PM 24652]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [11/27/2006 1:54 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - TDSSserv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55d21f11-1500-11dd-b9bc-00142253f85f}]
\Shell\AutoRun\command - K:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c4d4340-c8b4-11dd-ba00-0016b698575b}]
\Shell\AutoRun\command - L:\FalloutLauncher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2005-08-16 00:12]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {C4D012DD-1A5A-4794-93FD-1120B279D2D7} = 128.118.25.3,130.203.1.4
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 00:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\TDSSpqlt.sys 60416 bytes executable
c:\docume~1\Jeremy\LOCALS~1\Temp\TDSSd768.tmp 102400 bytes executable
c:\docume~1\Jeremy\LOCALS~1\Temp\TDSSd778.tmp 617472 bytes executable
c:\windows\system32\twain32
c:\windows\system32\TDSShrsr.dll 29696 bytes executable
c:\windows\system32\TDSSkkbi.log 19899 bytes
c:\windows\system32\TDSSlxwp.dll 2753 bytes
c:\windows\system32\TDSSoiqn.dll 35840 bytes executable
c:\windows\system32\TDSSorvd.dat 441 bytes
c:\windows\system32\TDSSrtqp.dll 31232 bytes executable
c:\windows\system32\TDSSxfum.dll 61440 bytes executable

scan completed successfully
hidden files: 11

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2668950972-758518906-3952906369-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,69,20,c8,d5,4c,34,83,5f,82,3c,82,5e,59,a3,a7,76,3f,7d,ef,66,df,2e,
76,1b,1d,31,9d,c5,cc,51,9b,14,5f,17,d6,b7,71,19,6d,35,ca,b9,6b,fd,48,80,7c,\
"??"=hex:dd,ae,71,b1,c6,bb,2e,0c,40,eb,05,95,bb,7e,82,bb

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\TDSSpqlt.sys"
"group"="file system"
.
Completion time: 2009-06-17 0:06
ComboFix-quarantined-files.txt 2009-06-17 04:06
ComboFix2.txt 2008-08-31 20:33

Pre-Run: 158,173,179,904 bytes free
Post-Run: 158,376,574,976 bytes free

204 --- E O F --- 2009-06-16 07:00

Last edited by jfw04; 06-23-2009 at 10:08 PM.
Old 06-25-2009, 09:48 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Hello -

An outdated ComboFix will not fix the infection which is on this machine.

Delete your existing copy of ComboFix and download it again. If there's still no internet connection, use a USB drive or other removable media to transfer tools to and logs from the infected machine.

We can use another method to install the Recovery Console.


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

You must rename it before saving it. Rename it to CombFxx. Save it to your desktop.

* IMPORTANT !!! Place combofix.exe on your Desktop


First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

For XP Pro >> http://www.microsoft.com/downloads/d...displaylang=en

As indicated by the DDS log:

Quote:
Microsoft Windows XP Professional
Save it as it is originally named to your Desktop.

Now close all open windows and programs, and disable all antivirus and antispyware programs. This is usually done via a right click on the applications' system tray icon. Get help here for how to disable them, if required.



Then drag the setup package onto CombFxx.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement (EULA) to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Ensure all antivirus and antispyware programs are still disabled, so they do not interfere with the running of ComboFix.
  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt

---------------------------------------------------------------------------------------------



If you have any questions along the way...STOP and ask them before proceeding.

Also, please let me know if there is no internet to this machine. Is that because there's no connection available, or because something is amiss with the connection?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-30-2009, 05:41 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

Hey, I got it to work. I have managed to reconnect the internet to my computer, so while the link in your post wouldn't work on the computer I was working from, I did manage to install the Recovery Console this time with ComboFix's built-in download prompt.

While running, ComboFix prompted me that it had detected a rootkit and needed to restart, and told me to write down a number of file names I assume were deleted. Let me know if you need the names of those files as well. ComboFix completed its run after rebooting the computer.

As I had mentioned before, while I am able to connect to the internet on my desktop (the one with the problem), this website is blocked, and I have been viewing and downloading things on my laptop and then transferring them via flash drive to my desktop. Please let me know if this poses a problem. If not, here is my ComboFix log as per your instructions. Hope it helps, and thanks again for all your help.



ComboFix 09-06-29.07 - Jeremy 06/30/2009 19:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1639 [GMT -4:00]
Running from: c:\documents and settings\Jeremy\Desktop\ComboFxx.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\dunanume.dll
c:\windows\system32\puhelupi.dll
c:\windows\system32\TDSShrsr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\user.ds.lll
c:\windows\system32\twex.exe
c:\windows\system32\wuripowi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-17 03:58 . 2009-06-17 04:07 -------- d-s---w- C:\Combo-Fix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 07:14 . 2006-09-08 01:20 -------- d-----w- c:\program files\Dl_cats
2009-06-07 21:20 . 2006-08-02 02:13 76184 -c--a-w- c:\documents and settings\Jeremy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 00:12 . 2008-08-28 19:52 -------- d-----w- c:\program files\Panda Security
2009-05-26 00:41 . 2006-08-07 21:38 -------- d-----w- c:\program files\Encore
2009-05-26 00:41 . 2006-07-31 12:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-26 00:27 . 2007-09-12 09:01 -------- d-----w- c:\program files\REFPROP
2009-05-26 00:17 . 2008-12-19 03:11 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2009-05-26 00:15 . 2007-04-30 14:54 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-05-26 00:15 . 2007-04-30 14:54 -------- d-----w- c:\program files\Autodesk
2009-05-26 00:15 . 2007-04-30 14:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-05-25 23:53 . 2007-10-17 08:41 -------- d-----w- c:\program files\AutoCAD Civil 3D 2008
2009-05-25 23:47 . 2007-04-30 14:55 -------- d-----w- c:\program files\AutoCAD 2008
2009-05-24 07:02 . 2009-01-13 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-23 17:56 . 2009-01-14 02:05 -------- d-----w- c:\program files\Rhapsody
2009-05-23 17:53 . 2007-11-29 06:08 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-23 17:17 . 2009-05-23 17:17 390664 ----a-w- c:\documents and settings\Jeremy\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2008-01-19 18:26 . 2008-01-19 18:19 58619176 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-02 01:12 . 2008-01-02 01:12 1362812 -c--a-w- c:\program files\supcom_patch_3217_to_3220.exe
2007-12-29 02:52 . 2007-12-29 02:52 608744 -c--a-w- c:\program files\10_FOOT.exe
2007-12-29 02:51 . 2007-12-29 02:51 1530160 -c--a-w- c:\program files\Specialty.exe
2007-12-29 02:50 . 2007-12-29 02:50 3363139 -c--a-w- c:\program files\Lighting.exe
2007-12-29 02:36 . 2007-12-29 02:36 16469848 -c--a-w- c:\program files\Furniture.exe
2007-12-29 02:33 . 2007-12-29 02:33 676500 -c--a-w- c:\program files\12 Furnishings.exe
2007-12-29 02:32 . 2007-12-29 02:32 903030 -c--a-w- c:\program files\Plumbing.exe
2007-12-29 02:31 . 2007-12-29 02:31 567739 -c--a-w- c:\program files\Electrical.exe
2007-12-29 02:30 . 2007-12-29 02:11 6913973 -c--a-w- c:\program files\Cabinets.exe
2007-12-29 02:09 . 2007-12-29 02:08 6116610 -c--a-w- c:\program files\11 Equipment.exe
2007-12-29 02:07 . 2007-12-29 02:06 1539327 -c--a-w- c:\program files\10 Specialties.exe
2007-12-29 02:03 . 2007-12-29 02:03 15383765 -c--a-w- c:\program files\02 Site.exe
2007-12-28 17:53 . 2007-12-28 17:52 21321008 -c--a-w- c:\program files\QuickTimeInstaller.exe
2006-08-02 00:07 . 2006-08-02 00:07 56 --sh--r- c:\windows\system32\9485F0ABA8.sys
2006-10-06 23:22 . 2006-08-02 02:11 88 --sh--r- c:\windows\system32\A8ABF08594.sys
2006-10-06 23:22 . 2006-08-02 00:07 5224 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-10 7561216]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

c:\documents and settings\Jeremy\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2009-1-20 1564672]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-9-28 6144]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Jeremy\My Documents\My Pictures\Wall Papers\Tara Reid.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3D max\\3dsmax.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1154478539\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/23/2008 8:24 PM 24652]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [1/20/2009 3:21 PM 238848]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [11/27/2006 1:54 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2005-08-16 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {C4D012DD-1A5A-4794-93FD-1120B279D2D7} = 128.118.25.3,130.203.1.4
FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\xt5ja4n1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.personal.psu.edu/rms5158/
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 19:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2668950972-758518906-3952906369-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,69,20,c8,d5,4c,34,83,5f,82,3c,82,5e,59,a3,a7,76,3f,7d,ef,66,df,2e,
76,1b,1d,31,9d,c5,cc,51,9b,14,5f,17,d6,b7,71,19,6d,35,ca,b9,6b,fd,48,80,7c,\
"??"=hex:dd,ae,71,b1,c6,bb,2e,0c,40,eb,05,95,bb,7e,82,bb

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2009-06-30 19:20
ComboFix-quarantined-files.txt 2009-06-30 23:20
ComboFix2.txt 2009-06-17 04:06
ComboFix3.txt 2008-08-31 20:33

Pre-Run: 158,366,183,424 bytes free
Post-Run: 158,338,924,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

205 --- E O F --- 2009-06-30 07:00
Attached Files
File Type: txt combofix log 06-30-09.txt (12.8 KB, 0 views)
Old 06-30-2009, 05:54 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Hello -

That looks much better. We'll still have more work to do, but first, I wonder if you can tell me what these files are for... do they have anything to do with your AutoCAD application? It's unusual for exe files to be dropped into the main Program Files directory.

c:\Program Files\10_FOOT.exe
c:\Program Files\Specialty.exe
c:\Program Files\Lighting.exe
c:\Program Files\Furniture.exe
c:\Program Files\12 Furnishings.exe
c:\Program Files\Plumbing.exe
c:\Program Files\Electrical.exe
c:\Program Files\Cabinets.exe
c:\Program Files\11 Equipment.exe
c:\Program Files\10 Specialties.exe
c:\Program Files\02 Site.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 07-01-2009, 09:44 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

Yeah, all those files are directories for engineering programs, AutoCAD and Revit. It's just a directory that you can use to pull pre-made models of things and put them in your drawing. It is safe and I wouldn't suspect it would be corrupted, although I too was surprised to see it listed in there.

Anyway, the files they listed for me to write down are as follows:

C:\Windows\System32\twex.exe
C:\Windows\System32\TDSSpqlt.sys
C:\Windows\System32\TDSSoiqn.dll
C:\Windows\System32\TDSSorvd.dat
C:\Windows\System32\TDSShrsr.dll
C:\Windows\System32\TDSSrtqp.dll
C:\Windows\System32\TDSSxfum.dll
C:\Windows\System32\TDSSlxwp.dll
C:\Windows\System32\TDSSkkbi.log
C:\Windows\System32\TDSSnmxh.log
C:\Windows\System32\TDSSsihc.dll
C:\Windows\System32\TDSSrhyp.log Rootkit
Old 07-01-2009, 09:57 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Ok, thanks....

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Spywareguard

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.


Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
  • See this link for a tutorial


---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Save the file as "fix.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 9
Java Runtime Environment 1.1
Java(TM) 6 Update 3
Java(TM) 6 Update 4


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 11 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Run a new scan with DDS, and post its logs. You can download it from here if you need to.


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options > Attach Files on the composition page. Browse to where you saved the file, and click Upload.
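The REGEDIT4 fix in the post above rewrites HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders back to the Windows XP default. The DLLs named in that value are loaded by processes that use the Windows security support provider interface, which makes it an autostart location (MITRE ATT&CK tracks it under Security Support Provider); the TDSS family found on this machine was known to append its own DLL there, which is the likely reason the fix resets it. Below is an added Python example, not code from the thread or from any of the tools it uses, that audits the value against that XP baseline, reports anything extra or missing, and renders the same REGEDIT4 fix. The two sample values are constructed; the TDSSoiqn.dll name in the second one is borrowed from the file list posted earlier in the thread. Reading the live value needs Windows (the winreg module); on any other platform the script only runs the samples.

```python
"""Audit HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders.

Added example, not code from the thread. The baseline is the Windows XP
value from the fix.reg posted above; other Windows releases use a different
default, so set the baseline accordingly before trusting the 'unexpected' list.
"""
import platform
from typing import List, Optional, Sequence, Tuple

REG_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
REG_VALUE = "SecurityProviders"

# Known-good XP value, exactly as the REGEDIT4 fix in the post above writes it.
BASELINE_XP = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]


def parse_providers(value: str) -> List[str]:
    """Split the comma-separated REG_SZ into DLL names, dropping empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_providers(value: str, baseline: Sequence[str] = BASELINE_XP) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing).

    unexpected: DLLs present that are not in the baseline (an appended rootkit
    DLL shows up here); missing: baseline DLLs absent from the value.
    Comparison is case-insensitive because the registry is.
    """
    present = parse_providers(value)
    baseline_lc = {b.lower() for b in baseline}
    present_lc = {p.lower() for p in present}
    unexpected = [p for p in present if p.lower() not in baseline_lc]
    missing = [b for b in baseline if b.lower() not in present_lc]
    return unexpected, missing


def build_reg_fix(baseline: Sequence[str] = BASELINE_XP) -> str:
    """Render a REGEDIT4 file that resets the value to the baseline (same shape as fix.reg above)."""
    # REGEDIT4 files must start with this exact header and use CRLF line endings.
    return (
        "REGEDIT4\r\n"
        "\r\n"
        "[HKEY_LOCAL_MACHINE\\" + REG_KEY + "]\r\n"
        '"' + REG_VALUE + '"="' + ", ".join(baseline) + '"\r\n'
    )


def read_live_value() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
        value, _ = winreg.QueryValueEx(key, REG_VALUE)
    return value


# Constructed samples (not captured from the machine in the thread). The extra
# DLL name in the second one is borrowed from the TDSS file list posted earlier.
CLEAN_SAMPLE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HIJACKED_SAMPLE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, TDSSoiqn.dll"

if __name__ == "__main__":
    samples = [("clean sample", CLEAN_SAMPLE), ("hijacked sample", HIJACKED_SAMPLE)]
    live = read_live_value()
    if live is not None:
        samples.append(("live registry", live))
    for label, value in samples:
        unexpected, missing = audit_providers(value)
        print("%-16s unexpected=%s missing=%s" % (label, unexpected, missing))
    print(build_reg_fix(), end="")
```

The baseline is only right for Windows XP; later releases ship a different default, so swap it before reading anything into the "unexpected" list. Any entry you cannot account for is something to look up or submit to VirusTotal first, as the thread does with the other suspect file, rather than something to delete on sight.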
Old 07-04-2009, 11:27 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

Hey, here are the logs you requested. I didn't have any problems running them.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 03, 2009 01:35:08
Records in database: 2416290
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 229974
Threat name: 13
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 0514


File name / Threat name / Threats count
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-32958ad3 Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-32958ad3 Infected: Trojan.Java.ClassLoader.h 1
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-32958ad3 Infected: Trojan.Java.ClassLoader.d 1
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\62\2387043e-577ff80e Infected: Trojan-Downloader.Java.OpenConnection.aj 2
C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\62\2387043e-577ff80e Infected: Exploit.Java.ByteVerify 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSShrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqn.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_twex_.exe.zip Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\WINDOWS\system32\rn.tmp Infected: Trojan-Downloader.Win32.Agent.chdl 1
D:\My Documents\Other\Goals\D&D\Game\DHV\Magic Tricks\David Blaine Mega Magic.exe Infected: Trojan-PSW.Win32.Agent.klk 1

The selected area was scanned.








DDS (Ver_09-06-26.01) - NTFSx86
Run by Jeremy at 11:02:34.85 on Fri 07/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1334 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3D max\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeremy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\jeremy\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-b7862eb598db9fe0.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
TCP: {C4D012DD-1A5A-4794-93FD-1120B279D2D7} = 128.118.25.3,130.203.1.4
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\xt5ja4n1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.personal.psu.edu/rms5158/
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-10-22 3968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-23 24652]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-1-20 238848]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-11-27 39048]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-06-30 19:19 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-30 18:55 <DIR> a-dshr-- C:\cmdcons
2009-06-30 18:53 <DIR> --ds---- C:\ComboFxx
2009-06-16 23:58 <DIR> --ds---- C:\Combo-Fix
2009-06-16 23:43 161,792 a------- c:\windows\SWREG.exe
2009-06-16 23:43 155,136 a------- c:\windows\PEV.exe
2009-06-16 23:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2008-01-19 14:26 58,619,176 ac------ c:\program files\iTunesSetup.exe
2008-01-01 21:12 1,362,812 ac------ c:\program files\supcom_patch_3217_to_3220.exe
2007-12-28 22:52 608,744 ac------ c:\program files\10_FOOT.exe
2007-12-28 22:51 1,530,160 ac------ c:\program files\Specialty.exe
2007-12-28 22:50 3,363,139 ac------ c:\program files\Lighting.exe
2007-12-28 22:36 16,469,848 ac------ c:\program files\Furniture.exe
2007-12-28 22:33 676,500 ac------ c:\program files\12 Furnishings.exe
2007-12-28 22:32 903,030 ac------ c:\program files\Plumbing.exe
2007-12-28 22:31 567,739 ac------ c:\program files\Electrical.exe
2007-12-28 22:30 6,913,973 ac------ c:\program files\Cabinets.exe
2007-12-28 22:09 6,116,610 ac------ c:\program files\11 Equipment.exe
2007-12-28 22:07 1,539,327 ac------ c:\program files\10 Specialties.exe
2007-12-28 22:03 15,383,765 ac------ c:\program files\02 Site.exe
2007-12-28 13:53 21,321,008 ac------ c:\program files\QuickTimeInstaller.exe
2006-08-01 20:07 56 ---shr-- c:\windows\system32\9485F0ABA8.sys
2006-10-06 19:22 88 ---shr-- c:\windows\system32\A8ABF08594.sys
2006-10-06 19:22 5,224 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:03:11.58 ===============
Attached Files
File Type: txt Attach.txt (12.1 KB, 1 views)
Old 07-04-2009, 12:48 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Start with a clean log; anything that survives deletion is recorded here
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem One quoted path per line: the two Java cache entries and rn.tmp from the Kaspersky report
for %%g in (

"C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-32958ad3"
"C:\Documents and Settings\Jeremy\Application Data\Sun\Java\Deployment\cache\6.0\62\2387043e-577ff80e"
"C:\WINDOWS\system32\rn.tmp"

) do (
rem /a matches the file whatever its attributes, /f forces deletion of read-only files
del /a/f %%g >nul 2>&1
rem If the file is still present, log its path for review
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem Show the survivors in Notepad, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file deletes itself on the way out
del %0
Save this as fix.bat, choosing "Save as type: All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says


Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    D:\My Documents\Other\Goals\D&D\Game\DHV\Magic Tricks\David Blaine Mega Magic.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
Old 07-05-2009, 07:18 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

Hey, I completed the required tasks. I should also mention that I don't appear to be having many of the problems that were occurring before, although I do a lot of my computing on my laptop currently. I can now work from the Tech Support website on the computer in question and have been able to consistently get past the account screen when Windows pops up.

Here is the log you requested:

File David_Blaine_Mega_Magic.exe received on 2009.07.06 01:11:12 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 Trojan-PWS.Win32.Agent!IK
AhnLab-V3 5.0.0.2 2009.07.05 Win-Trojan/Agent.890810
AntiVir 7.9.0.204 2009.07.05 -
Antiy-AVL 2.0.3.1 2009.07.03 -
Authentium 5.1.2.4 2009.07.05 W32/PWStealerX.OOW
Avast 4.8.1335.0 2009.07.05 -
AVG 8.5.0.386 2009.07.05 -
BitDefender 7.2 2009.07.06 Trojan.Generic.1553057
CAT-QuickHeal 10.00 2009.07.03 TrojanPSW.Agent.klk
ClamAV 0.94.1 2009.07.03 -
Comodo 1538 2009.07.02 TrojWare.Win32.PSW.Agent.klk
DrWeb 5.0.0.12182 2009.07.05 -
eSafe 7.0.17.0 2009.07.02 Win32.Agent.klk
eTrust-Vet 31.6.6596 2009.07.03 -
F-Prot 4.4.4.56 2009.07.05 W32/PWStealerX.OOW
F-Secure 8.0.14470.0 2009.07.06 Trojan-PSW.Win32.Agent.klk
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.06 Trojan.Generic.1553057
Ikarus T3.1.1.64.0 2009.07.06 Trojan-PWS.Win32.Agent
Jiangmin 11.0.706 2009.07.05 Trojan/PSW.Agent.gti
K7AntiVirus 7.10.783 2009.07.03 Trojan-PSW.Win32.Agent.klk
Kaspersky 7.0.0.125 2009.07.06 Trojan-PSW.Win32.Agent.klk
McAfee 5667 2009.07.05 Generic PWS.y
McAfee+Artemis 5667 2009.07.05 Generic PWS.y
McAfee-GW-Edition 6.8.5 2009.07.06 -
Microsoft 1.4803 2009.07.06 -
NOD32 4219 2009.07.05 probably a variant of Win32/PSW.Agent
Norman 6.01.09 2009.07.04 -
nProtect 2009.1.8.0 2009.07.05 Trojan-PWS/W32.Agent.890810
Panda 10.0.0.14 2009.07.06 Suspicious file
PCTools 4.4.2.0 2009.07.05 Trojan-PSW.Agent!sd6
Prevx 3.0 2009.07.06 High Risk Cloaked Malware
Rising 21.36.62.00 2009.07.05 -
Sophos 4.43.0 2009.07.05 -
Sunbelt 3.2.1858.2 2009.07.05 Bulk Trojan
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.362 2009.07.04 Trojan/PSW.Agent.klk
TrendMicro 8.950.0.1094 2009.07.05 TSPY_AGENT.SHF
VBA32 3.12.10.7 2009.07.06 Trojan-PSW.Win32.Agent.klk
ViRobot 2009.7.3.1818 2009.07.03 Spyware.PSW.Agent.890810
VirusBuster 4.6.5.0 2009.07.05 -
Additional information
File size: 890810 bytes
MD5...: afb1dd0d57db85d94eb1922d1ccf69dc
SHA1..: 6d1ea78ea692787004e1e8e4fd9b9d5746fc877f
SHA256: 6a1ca34431daa45c4916b520839d0b7869a879ed413d5c62254764220af651c9
ssdeep: 12288:LbwWRS5sc+ID9NODMQ7XJAK4nIM4bp0kQs6UrIg8BQ+z6k0BQtlG2XtMkj<br>gd:jRS53NODMNnIM4bp0kQmUBz6tQzG8MkU<br>
PEiD..: Armadillo v1.71
TrID..: File type identification<br>Win32 Executable MS Visual C++ (generic) (65.2%)<br>Win32 Executable Generic (14.7%)<br>Win32 Dynamic Link Library (generic) (13.1%)<br>Generic Win/DOS Executable (3.4%)<br>DOS Executable Generic (3.4%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x3b8d9<br>timedatestamp.....: 0x3caf90da (Sun Apr 07 00:20:42 2002)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.rdata 0x1000 0x11fae 0x12000 4.59 89c426fb5240425e86456fd251a2dfa3<br>.data 0x13000 0x1a124c 0x50a00 6.56 b5b36d00d1ce012c7fa54d69d948e247<br>.rsrc 0x1b5000 0xba8 0xc00 2.38 3767f2febb5dfec8ea77ad88451dc9c3<br><br>( 13 imports ) <br>&gt; KERNEL32.dll: GetStringTypeExA, GetFileSize, DeleteFileA, MoveFileA, GetShortPathNameA, LocalFileTimeToFileTime, GetDriveTypeA, RtlUnwind, SystemTimeToFileTime, HeapAlloc, SetErrorMode, SetEndOfFile, GetLocalTime, GetStartupInfoA, GetCommandLineA, HeapFree, GetACP, RaiseException, UnlockFile, HeapReAlloc, HeapDestroy, SetFilePointer, GetSystemTime, GetTimeZoneInformation, ExitProcess, LCMapStringA, LCMapStringW, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, HeapSize, DeleteCriticalSection, GetStringTypeW, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, LockFile, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, FlushFileBuffers, CreateFileA, WriteFile, ReadFile, GetOEMCP, DuplicateHandle, GetProcessVersion, GetCPInfo, GlobalFlags, GetDiskFreeSpaceA, GetThreadLocale, GetLastError, GetFullPathNameA, GetFileTime, SetFileTime, LocalReAlloc, GetFileAttributesA, TlsGetValue, GlobalReAlloc, TlsSetValue, EnterCriticalSection, GlobalHandle, LeaveCriticalSection, TlsFree, HeapCreate, TlsAlloc, GetProcAddress, GetProfileStringA, WriteProfileStringA, GetVolumeInformationA, GetTickCount, _llseek, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcatA, lstrlenA, GetWindowsDirectoryA, GetSystemDirectoryA, lstrcpyA, GetTempPathA, GetTempFileNameA, GetModuleFileNameA, _lopen, _lread, GetCurrentProcess, TerminateProcess, SetFileAttributesA, 
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=afb1dd0d57db85d94eb1922d1ccf69dc
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=1FB0FBC9BA7CCA8197D10D39A36DFC0026DBE367
jfw04 is online now  
Old 07-05-2009, 07:25 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Using Windows Explorer, or Windows Search, locate and delete this file:


D:\My Documents\Other\Goals\D&D\Game\DHV\Magic Tricks\David Blaine Mega Magic.exe

Its name seems innocuous, but too many vendors think it's bad to keep around.

What was the result from the batch file I had you run? Did you receive a message saying "Deleted Successfully! Press any key to continue..." ?

==================


The other items Eset found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-07-2009, 10:48 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

Thank you very much for all your help. My computer appears to be working fine. I can't tell you how helpful it is to have you guys around. You guys have gotten me out of a jam multiple times. I was hoping to pick your brain on a couple of other things however, if you wouldn't mind lending your expertise.

First of all what Anti-Virus would you recommend?
I used to use AVG although now they charge money. Would you recommend buying from them or is there another equivalent software program that is free?
Also, through previous problems with the computer I currently have, (Spybot Search & Destroy), (Spyware Guard), (Malwarebytes Anti-Malware), (Windows Security Alerts). And I have previously uninstalled (Spyware Blaster), (Panda something...), and (McAfee, which came with my computer and some of the remnants appear impossible to remove).

So while I'm not completely computer illiterate, I must confess I don't know what exactly many of these programs do. I don't want them to interfere with each other or take up my memory if they are being repetitive so I was wondering what you recommend.

Second, I still have a (system resources running low) warning I get occasionally. I don't think this is due to an infection, but rather the number of things running on my computer and its age. I defrag my hard drives regularly, as well as do disk clean-ups, dump cookies, do scans etc. I have gone through and uninstalled my games and the programs I don't use or felt my computer didn't. My computer is very organized with 6 icons on the desktop and all data stored on the D-drive. I had also previously modified my start-up procedure to only include certain processes (one of the faults of windows being the enormous number of things running in the background). Unfortunately, I took away something important and had to restore defaults to get my system to work again properly.

Sorry for the long explanation, but my question would be: is there any advice you can give me as to how to free up memory and speed up my system? Things I can uninstall, processes I can remove, etc.

Thank you again for all your help
jfw04 is online now  
Old 07-08-2009, 08:29 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Hi -

Many of the answers you seek are in the links I've provided, such as this one:

PC Safety and Security--What Do I Need?

Also some good information in this other sticky topic

Is your PC running slow...?


Please post a new set of logs from DDS.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-10-2009, 10:55 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 13
OS: xp


Re: Start up Problem

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jeremy at 12:52:37.79 on Fri 07/10/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1384 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3D max\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeremy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\jeremy\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-b7862eb598db9fe0.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
TCP: {C4D012DD-1A5A-4794-93FD-1120B279D2D7} = 128.118.25.3,130.203.1.4
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\xt5ja4n1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.personal.psu.edu/rms5158/
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-10-22 3968]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-23 24652]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-1-20 238848]
S3 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-11-27 39048]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-07-03 11:08 389,120 a------- c:\windows\system32\CF16002.exe
2009-07-03 11:08 <DIR> --ds---- C:\ComboFxx
2009-06-30 19:19 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-30 18:55 <DIR> a-dshr-- C:\cmdcons
2009-06-16 23:58 <DIR> --ds---- C:\Combo-Fix
2009-06-16 23:43 161,792 a------- c:\windows\SWREG.exe
2009-06-16 23:43 155,136 a------- c:\windows\PEV.exe
2009-06-16 23:43 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2008-01-19 14:26 58,619,176 ac------ c:\program files\iTunesSetup.exe
2008-01-01 21:12 1,362,812 ac------ c:\program files\supcom_patch_3217_to_3220.exe
2007-12-28 22:52 608,744 ac------ c:\program files\10_FOOT.exe
2007-12-28 22:51 1,530,160 ac------ c:\program files\Specialty.exe
2007-12-28 22:50 3,363,139 ac------ c:\program files\Lighting.exe
2007-12-28 22:36 16,469,848 ac------ c:\program files\Furniture.exe
2007-12-28 22:33 676,500 ac------ c:\program files\12 Furnishings.exe
2007-12-28 22:32 903,030 ac------ c:\program files\Plumbing.exe
2007-12-28 22:31 567,739 ac------ c:\program files\Electrical.exe
2007-12-28 22:30 6,913,973 ac------ c:\program files\Cabinets.exe
2007-12-28 22:09 6,116,610 ac------ c:\program files\11 Equipment.exe
2007-12-28 22:07 1,539,327 ac------ c:\program files\10 Specialties.exe
2007-12-28 22:03 15,383,765 ac------ c:\program files\02 Site.exe
2007-12-28 13:53 21,321,008 ac------ c:\program files\QuickTimeInstaller.exe
2006-08-01 20:07 56 ---shr-- c:\windows\system32\9485F0ABA8.sys
2006-10-06 19:22 88 ---shr-- c:\windows\system32\A8ABF08594.sys
2006-10-06 19:22 5,224 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:53:06.54 ===============
Attached Files
File Type: txt Attach.txt (12.1 KB, 1 views)
jfw04 is online now  
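The DDS log above lists what launches at boot and logon in a fixed line format (uRun:/mRun: for the HKCU/HKLM Run keys, StartupFolder:, BHO:, DPF:, and R/S service lines). As an added example that is not part of the thread or of the DDS tool, the following Python script parses a constructed excerpt in that format and returns the logon autostarts and running services, which is the inventory you need before deciding what to trim; the scope and start-type meanings are the usual DDS/HijackThis convention and are assumed here.

```python
"""Summarise the autostart inventory in a DDS log (added example; not code
from the thread or from the DDS tool). Scope/start-type meanings follow the
usual DDS/HijackThis convention and are an assumption of this example.
"""
import re
from collections import Counter

# Constructed excerpt in DDS format (not the full log posted in the thread).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.example.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2006-10-22 3968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-23 24652]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
"""

# uRun = HKCU\...\Run (current user only), mRun = HKLM\...\Run (all users).
RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (.+?\.lnk) - (.+)$")
BHO_RE = re.compile(r"^BHO: (.+): \{([0-9a-f-]+)\} - (.+)$", re.IGNORECASE)
DPF_RE = re.compile(r"^DPF: \{([0-9a-f-]+)\} - (\S+)$", re.IGNORECASE)
# R = running, S = stopped; the digit is the service start type
# (2 = automatic, 3 = manual, 4 = disabled).
SVC_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+) \[([\d-]+) (\d+)\]$")
# A quoted path, or the shortest prefix ending in an executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|sys|cpl|com|bat))\b',
                    re.IGNORECASE)


def exe_of(cmd):
    """Best-effort executable path from a Run-key command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return (m.group(1) or m.group(2)).strip()
    return cmd.split()[0]   # no extension visible: keep the first token


def parse_dds(text):
    """Return one dict per recognised autostart or service line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entries.append({"kind": "Run",
                            "where": "HKCU" if m.group(1) == "u" else "HKLM",
                            "name": m.group(2), "target": exe_of(m.group(3))})
        elif m := STARTUP_RE.match(line):
            entries.append({"kind": "StartupFolder", "where": m.group(1),
                            "name": m.group(1).rsplit("\\", 1)[-1],
                            "target": exe_of(m.group(2))})
        elif m := BHO_RE.match(line):
            entries.append({"kind": "BHO", "where": "{%s}" % m.group(2),
                            "name": m.group(1), "target": m.group(3)})
        elif m := DPF_RE.match(line):
            entries.append({"kind": "DPF", "where": "{%s}" % m.group(1),
                            "name": "ActiveX download", "target": m.group(2)})
        elif m := SVC_RE.match(line):
            entries.append({"kind": "Service",
                            "state": "running" if m.group(1) == "R" else "stopped",
                            "start_type": int(m.group(2)),
                            "name": m.group(3), "target": m.group(5)})
    return entries


def logon_autostarts(entries):
    """Distinct executables launched at logon via Run keys or Startup folders."""
    return sorted({e["target"].lower() for e in entries
                   if e["kind"] in ("Run", "StartupFolder")})


def running_services(entries):
    """Service names DDS reported as running, in log order."""
    return [e["name"] for e in entries
            if e["kind"] == "Service" and e["state"] == "running"]


def counts(entries):
    """How many entries of each kind the log contains."""
    return Counter(e["kind"] for e in entries)
```

Run `parse_dds()` over a full DDS log to get the same inventory for a real machine; the constructed sample only exercises each line type once.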
Old 07-10-2009, 11:19 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

We need to get an AntiVirus installed on this machine, I seem to have overlooked that.

AVG AntiSpyware is no longer supported, and has been incorporated into AVG's AntiVirus products. As such, it's not likely doing you much good, so I'd suggest you uninstall it.

With Malwarebytes' Antimalware installed, you're covered with that type of application.

Uninstall the following via the Add/Remove Panel (Start ->Control Panel->Add or Remove Programs) if they exist:

Need2Find Bar

You may receive a message that it's been uninstalled already or is otherwise corrupt, would you like to remove it from the list. Please click on Yes, or OK.

---------------------------------------------------------------------------------------------

These folders can be deleted.

Using Windows Explorer, or Windows Search, locate and delete the following:

C:\ComboFxx
C:\Combo-Fix


---------------------------------------------------------------------------------------------


AVG still has freeware, as do Avira and Avast. Of the three, I prefer Avira, but I'll leave that choice to you.

Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Install, update definitions, and run a full system scan.

For paid AntiVirus, I like Eset's NOD32 or Kaspersky.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 07-15-2009, 06:34 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,119
OS: 2000 Pro; XP Pro; XP Home


Re: Start up Problem

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
 


Copyright 2001 - 2009, Tech Support Forum