
Post #1 (Discussion Starter, Registered, 14 Posts):
My system had been performing fair to good until the past week, when I loaded a specific Excel spreadsheet. After only a few minutes the spreadsheet stops responding to my clicks and all other programs freeze. Under the Performance tab of Task Manager the CPU rapidly climbs to 100% and stays there, and memory goes to the maximum used and does not fall off. The entire system freezes and must be rebooted. As long as I stay away from this spreadsheet the system works well, with some slowness from time to time.

The spreadsheet is critical with budget and expense data and several links to web sites for paying bills.

I've tried to follow your 5-step rules as best I could.

Following is my HijackThis log. The Panda log follows the HijackThis log. Extra is attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:43 PM, on 12/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\System32\ups.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\PopOops\PopOops.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\HOT KEY\HOTKEYCONTROL XP\hkcontrol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
G:\AUTOSIZER\AUTOSIZER.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
G:\spelling checker\DynaSpeller.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\Caps Unlock\CapsUnlock.exe
C:\Program Files\PowerQuest\DataKeeper\DataKeeper.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
G:\SpywareGuard\sgmain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Dan Eckert\Desktop\dss.exe
C:\DOCUME~1\DANECK~1\Desktop\Dan Eckert.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TW_BHO Class - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - G:\MACRO TOOLWORKS\MTWBHO.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Acrobat Installation\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Acrobat Installation\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - (no file)
O3 - Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Hotkeycontrol] "G:\HOT KEY\HOTKEYCONTROL XP\hkcontrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Hard Disk Sentinel] C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [AutoSizer] "G:\AUTOSIZER\AUTOSIZER.EXE" /H
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: CapsUnlock.lnk = G:\Caps Unlock\CapsUnlock.exe
O4 - Startup: DataKeeper.lnk = PowerQuest\DataKeeper\DataKeeper.exe
O4 - Startup: MailWasherPro.lnk = FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: SpywareGuard.lnk = G:\SpywareGuard\sgmain.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: DynaSpeller.LNK = G:\spelling checker\DynaSpeller.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to EverNote - res://K:\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://f:\FRONTP~1\MyFiles\Users\rmorrow\fp2k\PFILES\MSOFFICE\OFFICE\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Get File Size - res://G:\Get File Size\GetFileSize.exe/130
O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINNT\Web\PopOops.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {2340D032-73C1-40b1-98E8-923290905E29} - G:\Get File Size\GetFileSize.exe (HKCU)
O9 - Extra 'Tools' menuitem: Get File Size - {2340D032-73C1-40b1-98E8-923290905E29} - G:\Get File Size\GetFileSize.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/RescueControl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/21.13/uploader2.cab
O16 - DPF: {4EFF291C-D131-4990-B3A2-ECA30614F08F} (BDUDownload.BDUDownloadCtrl) - http://www.budgetdialup.com/html/BDUDownload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://8.6.242.40/web/NetCam.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1196908659310
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196908640994
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://65.33.160.23:1047/activex/AxisCamControl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 15400 bytes

Incident Status Location

Adware:adware/xupiter Not disinfected C:\Documents and Settings\Dan Eckert\Favorites\Cool Stuff
Adware:adware/cws Not disinfected C:\Documents and Settings\Dan Eckert\Favorites\Health
Adware:adware/diytoolbar Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dan Eckert\Application Data\Mozilla\Firefox\Profiles\c3b30mvk.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dan Eckert\Cookies\dan [email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix\restart.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dan Eckert.SHELLS\Application Data\Mozilla\Firefox\Profiles\vlbgvbi3.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dan Eckert.SHELLS\Application Data\Mozilla\Firefox\Profiles\vlbgvbi3.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Dan Eckert.SHELLS\Application Data\Mozilla\Firefox\Profiles\vlbgvbi3.default\cookies.txt[.tribalfusion.com/]
Adware:Adware/TVMedia Not disinfected C:\WINNT\Downloaded Program Files\Install.inf
Virus:Eicar.Mod Not disinfected E:\Tool Box Downloads MS\Tool Box Disc\Spyware Removers\JustRunTheTest.exe[Help.chm][/HowCanITestDetection.html]
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\UBCD4Win\plugin\AntiVirus\AV7PE\nircmd.exe
Hacktool:Hacktool/AngryScan Not disinfected E:\UBCD4Win\plugin\Network\ipscan\ipscan.exe
Virus:Eicar.Mod Not disinfected K:\Tool Folder 2\Spyware Removers\JustRunTheTest.exe[Help.chm][/HowCanITestDetection.html]
Potentially unwanted tool:Application/Processor Not disinfected K:\Tool Folder 2\Virus\VirtumundoBeGone.exe

Reply (TSF Security Manager, Emeritus, 42,952 Posts):
Hello deckert and welcome to TSF,

Our apologies for the oversight of your thread. This forum is swamped with people requesting assistance. There are only so many of us and unfortunately, many threads get overlooked. :sad:

I appreciate the Panda results and the extra.txt, but the report I most need to see is the main.txt from dss.exe.

Please run dss.exe again, and post the main.txt so we can get started.

Also, how long ago did you use SmitfraudFix?

Post #6 (Discussion Starter, Registered, 14 Posts):
Reid,

Thanks for your quick response. Following is a new DSS main.txt run I did this evening.

I ran SmitfraudFix several weeks ago trying to clean this up myself.

Dan Eckert

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-26 21:33:35
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\system32\gearsec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\system32\ups.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\fpdisp5a.exe
C:\Program Files\PopOops\PopOops.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Hot Key\Hotkeycontrol XP\Hkcontrol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Autosizer\AutoSizer.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINNT\system32\CTFMON.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
G:\spelling checker\DynaSpeller.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\Caps Unlock\CapsUnlock.exe
C:\Program Files\PowerQuest\DataKeeper\DataKeeper.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
G:\SpywareGuard\sgmain.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
C:\WINNT\system32\wuauclt.exe
G:\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
G:\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Dan Eckert\Desktop\dss.exe
C:\Documents and Settings\Dan Eckert\Desktop\Dan Eckert.exe
C:\WINNT\system32\wbem\WinMgmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TW_BHO Class - {1E1B2879-88FF-11D2-8D96-FFFFAC95951F} - G:\macro toolworks\mtwbho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Acrobat Installation\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Acrobat Installation\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - (no file)
O3 - Toolbar: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PopOops] C:\PROGRA~1\PopOops\PopOops.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Hotkeycontrol] "G:\HOT KEY\HOTKEYCONTROL XP\hkcontrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Hard Disk Sentinel] C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
O4 - HKLM\..\Run: [Line Speed Meter] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [AutoSizer] "G:\AUTOSIZER\AUTOSIZER.EXE" /H
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: CapsUnlock.lnk = G:\Caps Unlock\CapsUnlock.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper\DataKeeper.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: SpywareGuard.lnk = G:\SpywareGuard\sgmain.exe
O4 - Startup: Yahoo! Desktop Search.lnk = C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: DynaSpeller.LNK = G:\spelling checker\DynaSpeller.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Add to EverNote - res://K:\EverNote\enbar.dll/2000
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://f:\FRONTP~1\MyFiles\Users\rmorrow\fp2k\PFILES\MSOFFICE\OFFICE\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Get File Size - res://G:\Get File Size\GetFileSize.exe/130
O8 - Extra context menu item: Open in New &Window (PopOops) - C:\WINNT\Web\PopOops.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O10 - Unknown file in Winsock LSP: C:\WINNT\system32\NWPROVAU.DLL
O16 - DPF: ppctlcab () - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/RescueControl.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} () - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmvax.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/21.13/uploader2.cab
O16 - DPF: {4EFF291C-D131-4990-B3A2-ECA30614F08F} (BDUDownload.BDUDownloadCtrl) - http://www.budgetdialup.com/html/BDUDownload.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://8.6.242.40/web/NetCam.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1196908659310
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1196908640994
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} () - http://65.33.160.23:1047/activex/AxisCamControl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38892.8568171296
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} () - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} () - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINNT\system32\WRLogonNTF.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


--
End of file - 19187 bytes

-- Files created between 2007-11-26 and 2007-12-26 -----------------------------

2007-12-26 11:44:16 0 d--h----- C:\Documents and Settings\All Users.WINNT\Application Data\CanonBJ
2007-12-26 11:43:51 0 d--h----- C:\WINNT\system32\CanonIJ Uninstaller Information
2007-12-26 11:43:08 0 d--h----- C:\Program Files\CanonBJ
2007-12-25 21:54:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_a10.dat
2007-12-25 21:52:59 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_774.dat
2007-12-25 21:49:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_874.dat
2007-12-24 12:49:18 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
2007-12-24 12:49:16 0 d-------- C:\WINNT\system32\Kaspersky Lab
2007-12-20 09:19:44 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\PC Drivers Headquarters
2007-12-20 09:16:37 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2007-12-19 12:38:26 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\iolo
2007-12-19 12:38:25 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\iolo
2007-12-16 02:10:26 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_8e0.dat
2007-12-15 19:31:01 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_7e8.dat
2007-12-12 12:50:17 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\Grisoft
2007-12-12 12:49:54 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2007-12-11 08:08:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_804.dat
2007-12-08 16:30:46 0 d-------- C:\Program Files\Data Doctor Recovery NTFS (Demo)
2007-12-08 15:09:12 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_74c.dat
2007-12-08 15:06:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_748.dat
2007-12-08 12:17:59 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_75c.dat
2007-12-05 23:16:17 0 d--h---c- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-12-05 21:37:56 0 d-------- C:\WINNT\system32\SoftwareDistribution
2007-12-04 23:30:18 329208 ---h----- C:\WINNT\ShellIconCache
2007-12-04 16:35:48 0 d-------- C:\WINNT\system32\ActiveScan
2007-12-03 12:46:45 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_6fc.dat
2007-12-03 08:43:38 77824 --a------ C:\WINNT\system32\xcomm.dll <Not Verified; BitDefender; BitDefender Communicator>
2007-12-02 22:19:35 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\Bitdefender
2007-12-02 22:19:02 0 d-------- C:\Program Files\BitDefender
2007-12-02 22:19:02 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\BitDefender
2007-12-02 22:17:45 0 d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\Avg7
2007-12-02 22:16:03 0 d-------- C:\Program Files\Common Files\BitDefender


-- Find3M Report ---------------------------------------------------------------

2007-12-26 14:13:37 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\MailWasherPro
2007-12-26 10:37:40 0 d-a------ C:\Program Files\LogMeIn
2007-12-20 09:19:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-19 12:57:51 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-12-14 10:37:03 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\Adobe
2007-12-10 10:59:57 159 --a------ C:\Documents and Settings\Dan Eckert\Application Data\ntl.ini
2007-12-08 20:46:37 0 d-------- C:\Program Files\Hard Disk Sentinel
2007-12-04 18:25:07 0 d-------- C:\Program Files\TrojanHunter 4.7
2007-12-04 18:21:11 0 d-------- C:\Program Files\PopOops
2007-12-04 17:43:11 0 d-------- C:\Program Files\Common Files\soft602
2007-12-04 17:25:49 0 d-------- C:\Program Files\7-Zip
2007-12-03 23:40:05 0 d-------- C:\Program Files\Mozilla Sunbird
2007-12-03 21:50:38 3106 --a------ C:\WINNT\system32\tmp.reg
2007-12-02 22:16:03 0 d-------- C:\Program Files\Common Files
2007-11-25 22:42:00 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_65c.dat
2007-11-25 22:36:26 0 d-------- C:\Program Files\QuickTime
2007-11-25 15:02:56 0 d-------- C:\Program Files\Apple Software Update
2007-11-23 11:56:17 1869 --a------ C:\Documents and Settings\Dan Eckert\Application Data\ntl.nws
2007-11-21 17:09:51 0 d-------- C:\Documents and Settings\Dan Eckert\Application Data\AdobeUM
2007-11-21 08:43:38 0 d-------- C:\Program Files\Common Files\Scanner
2007-11-21 08:43:37 0 d-------- C:\Program Files\PCPitstop
2007-11-17 00:25:54 0 d-------- C:\Program Files\Software602
2007-11-08 07:43:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_734.dat
2007-11-07 20:28:02 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_718.dat
2007-11-06 07:33:50 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_778.dat
2007-11-05 21:45:22 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_76c.dat
2007-11-05 20:13:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_518.dat
2007-10-31 08:41:48 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_7a0.dat
2007-10-27 08:03:36 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_788.dat
2007-10-26 10:21:48 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2e8.dat
2007-10-18 07:58:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_764.dat
2007-10-14 15:15:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_116c.dat
2007-10-10 11:51:49 167936 -----n--- C:\WINNT\system32\fpres532.dll <Not Verified; FinePrint Software, LLC; FinePrint>
2007-10-10 11:50:43 307200 -----n--- C:\WINNT\system32\fpmon5.dll <Not Verified; FinePrint Software, LLC; FinePrint>
2007-10-01 09:29:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_758.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FinePrint Dispatcher v5"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [10/10/07 11:51a]
"PopOops"="C:\PROGRA~1\PopOops\PopOops.exe" [11/01/04 05:00p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/07 04:05p]
"Hotkeycontrol"="G:\HOT KEY\HOTKEYCONTROL XP\hkcontrol.exe" [07/08/03 08:01p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 12:11a]
"Hard Disk Sentinel"="C:\Program Files\Hard Disk Sentinel\HDSentinel.exe" [04/21/07 08:47a]
"Line Speed Meter"="C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe" [11/04/06 01:09p]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/07 03:46p]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [12/03/07 08:44a]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/07 04:25a]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/06 12:03p C:\WINNT\KHALMNPR.Exe]
"@"="" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/06 12:03p C:\WINNT\KHALMNPR.Exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoSizer"="G:\AUTOSIZER\AUTOSIZER.exe" [08/26/03 05:17p]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [07/11/06 07:23a]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [07/11/06 07:24a]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [07/11/06 07:26a]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [01/23/07 07:06a]
"ctfmon.exe"="ctfmon.exe" [02/20/01 02:09p C:\WINNT\system32\CTFMON.EXE]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [11/25/07 02:26p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\
CapsUnlock.lnk - G:\Caps Unlock\CapsUnlock.exe [06/09/2004 8:22:02 PM]
DataKeeper.lnk - C:\Program Files\PowerQuest\DataKeeper\DataKeeper.exe [07/17/2003 2:25:41 PM]
MailWasherPro.lnk - C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe [03/13/2007 9:06:51 AM]
SpywareGuard.lnk - G:\SpywareGuard\sgmain.exe [08/29/2003 7:05:35 PM]
Yahoo! Desktop Search.lnk - C:\Program Files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe [04/01/2005 6:21:29 PM]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [08/28/2003 10:44:27 PM]
DynaSpeller.LNK - G:\spelling checker\DynaSpeller.exe [01/17/2007 10:07:10 AM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [07/24/2006 9:47:09 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMFUprogramsList"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= F:\Winfax\WfxSeh32.Dll [07/27/98 03:54a 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Controller.LNK]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Controller.LNK
backup=C:\WINNT\pss\Controller.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=C:\WINNT\pss\Lotus QuickStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINNT^Start Menu^Programs^Startup^RemoteDialer.lnk]
path=C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\RemoteDialer.lnk
backup=C:\WINNT\pss\RemoteDialer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^DATEwise3.lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\DATEwise3.lnk
backup=C:\WINNT\pss\DATEwise3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^MailWasherPro.lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\MailWasherPro.lnk
backup=C:\WINNT\pss\MailWasherPro.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^PowerPro.lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\PowerPro.lnk
backup=C:\WINNT\pss\PowerPro.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^Secunia PSI (BETA).lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\Secunia PSI (BETA).lnk
backup=C:\WINNT\pss\Secunia PSI (BETA).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^Yahoo! Desktop Search System Tray.lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\Yahoo! Desktop Search System Tray.lnk
backup=C:\WINNT\pss\Yahoo! Desktop Search System Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan Eckert^Start Menu^Programs^Startup^Yahoo! Desktop Search.lnk]
path=C:\Documents and Settings\Dan Eckert\Start Menu\Programs\Startup\Yahoo! Desktop Search.lnk
backup=C:\WINNT\pss\Yahoo! Desktop Search.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Check&Get]
"G:\Check&Get\Check&Get\Check&Get.exe" /Tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc]
"G:\CALEND~1\dc.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
G:\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magic Notes]
"C:\Program Files\Magic Notes\Sticky32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
F:\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"C:\Program Files\TrojanHunter 4.7\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Memory Card Detector]
c:\program files\common files\ulead systems\autodetector\monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
G:\SpeedUpMyPC\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
wfxsnt40.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PopOops"=C:\PROGRA~1\PopOops\PopOops.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

*Newly Created Service* - 17E8F6CB
*Newly Created Service* - C0AA6807



-- End of Deckard's System Scanner: finished at 2007-12-26 21:38:09 ------------
 

Registered · 14 Posts · Discussion Starter · #7
Reid

I'm trying to be sure my extra.txt is correctly attached. I went looking for where it was stored in c:\deckard\... and found that the only copy there is the original sent on 12/05/07. When running DSS again tonight it did not make a copy of extra.txt with today's date.

Why is that?

Here is the 12/05/07 extra.txt file.

Thanks

Dan
 

TSF Security Manager, Emeritus · 42,952 Posts
dss.exe will only produce the extra.txt automatically on its first run. If you'd like to obtain that output in subsequent scans, run dss.exe as follows:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce main.txt and extra.txt for you--but I do not need to see another extra.txt. :wink:

-------------------------------------------------------

Do you still have the report that SmitfraudFix would have created? I'd like to see that as well, and you'll find it located at C:\rapport.txt

-------------------------------------------------------

Delete this folder, although you won't notice any improvement in your issue:

C:\Documents and Settings\Dan Eckert\Favorites\Health

-------------------------------------------------------

Let's see if this online scanner will pick up anything lurking about...

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\rapport.txt
Kaspersky results
 

Registered · 14 Posts · Discussion Starter · #9
Ried

Here is the SmitFraud log from 12/03/07.

I will run Kaspersky in a couple of hours, as I have business to complete for the next three hours. I did run it earlier this week and it found several things.

I have deleted the Health folder.

Thanks.

Dan



SmitFraudFix v2.201

Scan done at 21:50:30.11, Mon 12/03/2007
Run from C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Registered · 14 Posts · Discussion Starter · #10
Ried

I am running the Kaspersky on line scan on the full system now. It's at 3 1/2 hours running with 2 viruses, 3 infected objects and 2 suspicious objects.

I ran a "critical areas" scan and it showed no problems. So now I'm running it on the full PC, all drives, to get a more in-depth look.

I have a large database I do numerous sorts for clients once a week, like today, and it's running very slow... and getting worse since the first of the month.

This scan will probably run all night so I will post the report as soon as it finishes. The scan is at 18% after 3 1/2 hours running. CPU is running at 100% most of the time while the scan is running, memory is at 1/2 available.

Thanks for your help. I hope solving this one doesn't take long.

Dan
 

TSF Security Manager, Emeritus · 42,952 Posts
I'm hoping the Kaspersky report will provide some clue as to what's causing your problem with that spreadsheet. :sigh:

It would help speed up the scan a bit if you'd make sure all real-time scanners are disabled while the scan is running. Every file that Kaspersky is looking at, the other scanners want to look at as well.
 

Registered · 14 Posts · Discussion Starter · #12
Ried

Kaspersky has run all night and we're up to the E drive. Kaspersky has listed 10 viruses, 20 infected and 2 suspicious files.

At your suggestion I turned off BitDefender (free trial) and AVG Anti-Spyware (free trial) this morning.

The Kaspersky scan is at 38% and has run for almost 13 hours. At this pace maybe it will finish by late today or this evening.

Right now I'm using a second PC to keep you updated. Where are you from in Ohio? I grew up in Cincinnati, lived in Texas for 30 years and am now in Florida.

Dan
 

Registered · 14 Posts · Discussion Starter · #13
Ried

Twenty-eight hours later, here is the full Kaspersky report.


Dan
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 10:29:01 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/12/2007
Kaspersky Anti-Virus database records: 497933
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan Statistics:
Total number of scanned objects: 162469
Number of viruses found: 13
Number of infected objects: 47
Number of suspicious objects: 2
Duration of the scan process: 27:57:44

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/imsmain.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Dan Eckert\Application Data\Bitdefender\Desktop\Profiles\asdict.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Application Data\MailWasherPro\tmpLog.txt Object is locked skipped
C:\Documents and Settings\Dan Eckert\Application Data\MailWasherPro\Training\Training archive - junk.rot135 Object is locked skipped
C:\Documents and Settings\Dan Eckert\Application Data\MailWasherPro\Training\Training archive - legitimate.rot135 Object is locked skipped
C:\Documents and Settings\Dan Eckert\Application Data\MailWasherPro\Trash.rot135 Object is locked skipped
C:\Documents and Settings\Dan Eckert\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Application Data\DataKeeper\DkLog.txt Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\History\History.IE5\MSHist012007122720071228\index.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temp\~DF2D92.tmp Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temp\~DF7291.tmp Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temp\~DF87D2.tmp Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temp\~DF95D4.tmp Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temp\~DFCE1B.tmp Object is locked skipped
C:\Documents and Settings\Dan Eckert\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dan Eckert\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\as2core\antispam_sig_8108\aspdict.dat Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db-journal Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\SHELLS.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.mdb Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_80c.dat Object is locked skipped
C:\WINNT\Temp\JET4D3E.tmp Object is locked skipped
C:\WINNT\Temp\JET7AEF.tmp Object is locked skipped
C:\WINNT\Temp\tmp00005c0e\tmp00000000 Object is locked skipped
C:\WINNT\Temp\ZLT05ad8.TMP Object is locked skipped
C:\WINNT\Temp\ZLT05adb.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
E:\Tool Box Downloads MS\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
E:\Tool Box Downloads MS\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Tool Box Downloads MS\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\Tool Box Downloads MS\Tool Box Disc\DNS2GO\d2gsetup.exe WiseSFX: infected - 3 skipped
E:\Tool Box Downloads MS\Tool Box Disc\Registry Tools\registry-clean-expert.exe/data0002 Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
E:\Tool Box Downloads MS\Tool Box Disc\Registry Tools\registry-clean-expert.exe Inno: infected - 1 skipped
E:\Tool Box Downloads MS\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
E:\Tool Box Downloads MS\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
E:\Tool Box Downloads MS\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
E:\UBCD4Win\plugin\Network\ipscan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
E:\UBCD4Win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
E:\UBCD4Win\plugin\Network\ultravnc\files\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
E:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
E:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\UBCD4Win\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\PopOops\PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
G:\PopOops\PopOopsSetup.exe NSIS: infected - 1 skipped
G:\RAR\install.exe/data0001.bin/file17 Infected: Trojan-Downloader.Win32.QDown.v skipped
G:\RAR\install.exe/data0001.bin Infected: Trojan-Downloader.Win32.QDown.v skipped
G:\RAR\install.exe EmbeddedEXE: infected - 2 skipped
G:\Registry Clean Expert\RegCleanExpert.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
K:\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
K:\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Box Disc\DNS2GO\d2gsetup.exe/WISE0019.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Box Disc\DNS2GO\d2gsetup.exe WiseSFX: infected - 3 skipped
K:\Tool Box Disc\Registry Tools\registry-clean-expert.exe/data0002 Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
K:\Tool Box Disc\Registry Tools\registry-clean-expert.exe Inno: infected - 1 skipped
K:\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
K:\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
K:\Tool Box Disc\Remote Access\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3145 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3324 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3326 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3329 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3382 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3385 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3386 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3387 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3587/data.rar/officekey.exe Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3587/data.rar Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe/file3587 Infected: not-a-virus:pSWTool.Win32.RAS.a skipped
K:\Tool Folder 2\Ultimate Boot Disk\UBCD4WinV306.exe Inno: infected - 11 skipped

Scan process completed.
 

· TSF Security Manager, Emeritus · 42,952 Posts
Don't go anywhere...I'm reviewing it now.
 

· TSF Security Manager, Emeritus · 42,952 Posts
Most of what Kaspersky reported is VNC-based, and it's simply alerting you to their presence. As long as it was installed by you, ignore it.

These need to be deleted:

G:\PopOops
G:\Registry Clean Expert\RegCleanExpert.exe
E:\Tool Box Downloads MS\Tool Box Disc\Registry Tools\registry-clean-expert.exe
K:\Tool Box Disc\Registry Tools\registry-clean-expert.exe


Do you know what this is:
G:\RAR\install.exe/data0001.bin ------> Trojan-Downloader.Win32.QDown.v
G:\RAR\install.exe EmbeddedEXE: infected - 2
Additionally, I'd like you to delete your current SmitfraudFix.exe as it's outdated. The version you used was from July.

Download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
  • Select option #1 - Search by typing 1 and press "Enter"
  • A text file will appear which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
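The triage rule applied in the reply above (real malware verdicts and adware get deleted, "not-a-virus:" remote-admin tools that the owner installed are ignored, and "Object is locked skipped" lines are noise) can be automated over a Kaspersky Online Scanner report. The following Python is an added example written for this page, not a tool from the forum or from Kaspersky; it assumes the report line shapes visible in the log above, and the sample lines embedded in it are copied from that log. Hits inside an archive or installer (the part of the path after the first `/`) are mapped back to the file on disk, since that is the file a user can actually delete.

```python
"""Triage of Kaspersky Online Scanner report lines (added example).

Separates noise ("Object is locked skipped"), riskware that Kaspersky
labels "not-a-virus:" (remote-admin tools, adware, port scanners) and
real malware verdicts, and maps each hit inside an archive or installer
back to the on-disk file that has to be deleted or reviewed.
"""
import re
from collections import defaultdict

# One regex for the four line shapes the report uses. The path may
# contain spaces, so it is matched lazily up to the verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<container>[A-Za-z]+): (?:infected|suspicious) - \d+"
    r"|Object is locked)"
    r" skipped$"
)

# Riskware families that should be removed even though they are "not-a-virus".
# (Assumption for this example: the helper's rule was "delete adware, keep VNC".)
ALWAYS_DELETE_FAMILIES = {"AdWare"}


def on_disk_file(path):
    """Strip the archive-internal part: 'G:\\RAR\\install.exe/data0001.bin/file17' -> 'G:\\RAR\\install.exe'."""
    return path.split("/", 1)[0]


def riskware_family(verdict):
    """'not-a-virus:AdWare.Win32.SearchAssistant.h' -> 'AdWare'."""
    return verdict[len("not-a-virus:"):].split(".", 1)[0]


def parse_line(line):
    """Return (path, kind, verdict) or None if the line is not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("container"):
        # Aggregate line for an archive/installer; the inner hits carry the detail.
        return path, "container", m.group("container")
    if m.group("suspicious"):
        return path, "suspicious", m.group("suspicious")
    verdict = m.group("verdict")
    if verdict is None:
        return path, "locked", ""
    if verdict.startswith("not-a-virus:"):
        return path, "riskware", verdict
    return path, "malware", verdict


def triage(report_lines):
    """Group report lines into delete / review / suspicious / locked, keyed by on-disk file."""
    delete = defaultdict(set)      # must go: malware, plus riskware families never wanted
    review = defaultdict(set)      # riskware that may have been installed on purpose
    suspicious = defaultdict(set)  # heuristic hits (e.g. password-protected EXE)
    locked = 0
    for line in report_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, kind, verdict = parsed
        host = on_disk_file(path)
        if kind == "locked":
            locked += 1
        elif kind == "malware":
            delete[host].add(verdict)
        elif kind == "riskware":
            bucket = delete if riskware_family(verdict) in ALWAYS_DELETE_FAMILIES else review
            bucket[host].add(verdict)
        elif kind == "suspicious":
            suspicious[host].add(verdict)
    return {
        "delete": {k: sorted(v) for k, v in delete.items()},
        "review": {k: sorted(v) for k, v in review.items()},
        "suspicious": {k: sorted(v) for k, v in suspicious.items()},
        "locked": locked,
    }


# Sample lines copied from the Kaspersky report posted in this thread.
SAMPLE = r"""
C:\Documents and Settings\Dan Eckert\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
E:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
G:\PopOops\PopOopsSetup.exe/data0003 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g skipped
G:\PopOops\PopOopsSetup.exe NSIS: infected - 1 skipped
G:\RAR\install.exe/data0001.bin/file17 Infected: Trojan-Downloader.Win32.QDown.v skipped
G:\RAR\install.exe/data0001.bin Infected: Trojan-Downloader.Win32.QDown.v skipped
G:\RAR\install.exe EmbeddedEXE: infected - 2 skipped
G:\Registry Clean Expert\RegCleanExpert.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.h skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines())
    for bucket in ("delete", "review", "suspicious"):
        for host, verdicts in sorted(result[bucket].items()):
            print(f"{bucket:10s} {host}  <- {', '.join(verdicts)}")
    print(f"locked/skipped lines (noise): {result['locked']}")
```

The "review" bucket is where the human decision from the reply belongs: a RemoteAdmin hit on a VNC package the owner burned onto a tool disc is expected, while the same verdict on a file nobody remembers installing is not. Counting the locked lines separately keeps the dozens of registry-hive and log-file entries from drowning out the handful of real findings.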
 

· Registered · 14 Posts · Discussion Starter · #16 ·
Ried

G:\PopOops
G:\Registry Clean Expert\RegCleanExpert.exe
E:\Tool Box Downloads MS\Tool Box Disc\Registry Tools\registry-clean-expert.exe
K:\Tool Box Disc\Registry Tools\registry-clean-expert.exe

I deleted all of the above.


Do you know what this is:

Quote:
G:\RAR\install.exe/data0001.bin ------> Trojan-Downloader.Win32.QDown.v
G:\RAR\install.exe EmbeddedEXE: infected - 2

I don't have a clue. Based on the folder name "Process ...." I thought it might be there from Sysinternals. I deleted it.

Following is the new SmitfraudFix report.

Thanks.

Dan

SmitFraudFix v2.274

Scan done at 23:40:52.98, Fri 12/28/2007
Run from C:\Documents and Settings\Dan Eckert\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINNT\System32\ups.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\HOT KEY\HOTKEYCONTROL XP\hkcontrol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hard Disk Sentinel\HDSentinel.exe
C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
G:\AUTOSIZER\AUTOSIZER.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
G:\spelling checker\DynaSpeller.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\Caps Unlock\CapsUnlock.exe
C:\Program Files\PowerQuest\DataKeeper\DataKeeper.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\SpywareGuard\sgmain.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
G:\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dan Eckert


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dan Eckert\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DANECK~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
"Appinit_Dlls"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Driver
DNS Server Search Order: 65.32.5.74
DNS Server Search Order: 65.32.5.75

HKLM\SYSTEM\CCS\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\..\{964C0110-2D15-4B1D-B133-A664B81D18C6}: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.32.5.74 65.32.5.75


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 

· TSF Security Manager, Emeritus · 42,952 Posts
Hi Dan,

That new SmitfraudFix report appears clean as well. Based on the fact that Spybot had found Zlob earlier, I'd like you to do the following anyway:

From Normal Mode--

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Notes

1. If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


How is that spreadsheet working for you now?
 

· Registered · 14 Posts · Discussion Starter · #18 ·
Ried

Between entertaining family & friends I have had a chance to try the spreadsheet some, and it seems to be "somewhat better". I say somewhat because although I could not see it run up to 100% CPU and stay there like it has in the past, I do see it peak and drop when nothing is going on that I know of.

More, the system still seems to drag somewhat with long pauses from keystroke to seeing the key in the address bar when entering web addresses, and slow to respond when clicking a link.

Some of this is a factor of an older PIII system, but it's still slower than normal.

I watch Performance on the Task Manager a lot and it still seems to be processing with unexplained peaks more than it should when nothing is going on. Right now, when I'm just watching and not keying, it's jumping from 6 to 40% and back to 20%, constantly. I run Yahoo Desktop Search and Power Quest Diskkeeper so that is some of it. MEM usage is constant at about 1/2 available.

What do you think we should try next?

Dan
 

· Registered · 14 Posts · Discussion Starter · #20 ·
Ried

I've shut down more items in MSCONFIG to free up more RAM. I'm currently running 49 processes. That's down from 60 I normally run.

Do you think reinstalling Office to refresh any corrupted files might help?

I do appreciate you working with me through the holidays.

Thanks,

Dan
 