tgieber

PC Completely Disabled By SpyWare - Please Help

46 posts in this topic

Today my PC went completely out of control; I must have done something to activate spyware or a trojan. Here is the summary:

- When trying to boot in either normal or safe mode, my computer does not allow me to run any executable files, hence any attempt to remove the offending spyware or trojans is unsuccessful.

- I am running Norton 360; I don't know why the viruses were not detected earlier. I had noticed recently that the computer had slowed down, but again received no warnings from my anti-virus software, even with a full scan.

- One software scan that ran before things went crazy said I had the following severe viruses: Wild Trojan Dropper, Trojan VX15, Adware Popuper, among others.

- I have researched many sites to figure out how to resolve this. I am unable to restore to an old restore point because when I try to use it or temporarily turn it off, I am given the following message: "Operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

- I don't mind if I have to reinstall my entire PC; however, I would like to pull some files off of it before I do so. I am able to see them, but can't copy them to an external hard drive due to the issue at hand.

Can anyone help me? It would be most appreciated!

 

Help us to help you by reviewing the forum FAQ and then posting your HijackThis log here in your original topic. - Indrid_Cold


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


One of the issues with my malware is that from the moment of bootup in either normal or safe mode, the virus is constantly running something (the hourglass keeps going), and will not allow me control to run any executable. Is there any way I could, say, boot to a disk and run a tool? Going into Windows does not allow me any control whatsoever. Ideas? I am also unable to get to the internet at all given this issue.


Let's try this way first.

Get a USB key or something and transfer DSS.exe onto it. Boot into Safe Mode and run DSS.


OK, I was able to boot up in safe mode and run DSS.exe from a memory stick. Here is the output that I received.

Please let me know the next steps. At this point I have plans to wipe out my desktop; however, I would first like to contain the virus so I can pull some pictures off of my machine to an external hard drive before wiping everything out. If you could help me contain it, I would greatly appreciate it! Thanks in advance for your time and efforts!

Deckard's System Scanner v20071014.68

Run by Administrator on 2008-01-13 12:39:34

Computer is in Safe Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-01-13 12:40:04

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16574)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\NOTEPAD.EXE

C:\WINDOWS\NOTEPAD.EXE

H:\dss.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe

O1 - Hosts: 10.18.250.4 ad.doubleclick.net

O1 - Hosts: 10.18.250.4 ad.fastclick.net

O1 - Hosts: 10.18.250.4 ads.fastclick.net

O1 - Hosts: 10.18.250.4 ar.atwola.com

O1 - Hosts: 10.18.250.4 atdmt.com

O1 - Hosts: 10.18.250.4 avp.ch

O1 - Hosts: 10.18.250.4 avp.com

O1 - Hosts: 10.18.250.4 avp.ru

O1 - Hosts: 10.18.250.4 awaps.net

O1 - Hosts: 10.18.250.4 banner.fastclick.net

O1 - Hosts: 10.18.250.4 banners.fastclick.net

O1 - Hosts: 10.18.250.4 ca.com

O1 - Hosts: 10.18.250.4 click.atdmt.com

O1 - Hosts: 10.18.250.4 clicks.atdmt.com

O1 - Hosts: 10.18.250.4 customer.symantec.com

O1 - Hosts: 10.18.250.4 dispatch.mcafee.com

O1 - Hosts: 10.18.250.4 download.mcafee.com

O1 - Hosts: 10.18.250.4 download.microsoft.com

O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads.microsoft.com

O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 engine.awaps.net

O1 - Hosts: 10.18.250.4 f-secure.com

O1 - Hosts: 10.18.250.4 fastclick.net

O1 - Hosts: 10.18.250.4 ftp.avp.ch

O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 ftp.f-secure.com

O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru

O1 - Hosts: 10.18.250.4 ftp.sophos.com

O1 - Hosts: 10.18.250.4 go.microsoft.com

O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 kaspersky-labs.com

O1 - Hosts: 10.18.250.4 kaspersky.com

O1 - Hosts: 10.18.250.4 liveupdate.symantec.com

O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com

O1 - Hosts: 10.18.250.4 mast.mcafee.com

O1 - Hosts: 10.18.250.4 mcafee.com

O1 - Hosts: 10.18.250.4 media.fastclick.net

O1 - Hosts: 10.18.250.4 microsoft.com

O1 - Hosts: 10.18.250.4 msdn.microsoft.com

O1 - Hosts: 10.18.250.4 my-etrust.com

O1 - Hosts: 10.18.250.4 nai.com

O1 - Hosts: 10.18.250.4 networkassociates.com

O1 - Hosts: 10.18.250.4 norton.com

O1 - Hosts: 10.18.250.4 office.microsoft.com

O1 - Hosts: 10.18.250.4 pandasoftware.com

O1 - Hosts: 10.18.250.4 phx.corporate-ir.net

O1 - Hosts: 10.18.250.4 rads.mcafee.com

O1 - Hosts: 10.18.250.4 secure.nai.com

O1 - Hosts: 10.18.250.4 securityresponse.symantec.com

O1 - Hosts: 10.18.250.4 service1.symantec.com

O1 - Hosts: 10.18.250.4 sophos.com

O1 - Hosts: 10.18.250.4 spd.atdmt.com

O1 - Hosts: 10.18.250.4 support.microsoft.com

O1 - Hosts: 10.18.250.4 symantec.com

O1 - Hosts: 10.18.250.4 trendmicro.com

O1 - Hosts: 10.18.250.4 update.symantec.com

O1 - Hosts: 10.18.250.4 updates.symantec.com

O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 us.mcafee.com

O1 - Hosts: 10.18.250.4 vil.nai.com

O1 - Hosts: 10.18.250.4 viruslist.com

O1 - Hosts: 10.18.250.4 viruslist.ru

O1 - Hosts: 10.18.250.4 virusscan.jotti.org

O1 - Hosts: 10.18.250.4 virustotal.com

O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com

O1 - Hosts: 10.18.250.4 www.avp.ch

O1 - Hosts: 10.18.250.4 www.avp.com

O1 - Hosts: 10.18.250.4 www.avp.ru

O1 - Hosts: 10.18.250.4 www.awaps.net

O1 - Hosts: 10.18.250.4 www.ca.com

O1 - Hosts: 10.18.250.4 www.f-secure.com

O1 - Hosts: 10.18.250.4 www.fastclick.net

O1 - Hosts: 10.18.250.4 www.grisoft.com

O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com

O1 - Hosts: 10.18.250.4 www.kaspersky.com

O1 - Hosts: 10.18.250.4 www.kaspersky.ru

O1 - Hosts: 10.18.250.4 www.mcafee.com

O1 - Hosts: 10.18.250.4 www.microsoft.com

O1 - Hosts: 10.18.250.4 www.my-etrust.com

O1 - Hosts: 10.18.250.4 www.nai.com

O1 - Hosts: 10.18.250.4 www.networkassociates.com

O1 - Hosts: 10.18.250.4 www.pandasoftware.com

O1 - Hosts: 10.18.250.4 www.sophos.com

O1 - Hosts: 10.18.250.4 www.symantec.com

O1 - Hosts: 10.18.250.4 www.trendmicro.com

O1 - Hosts: 10.18.250.4 www.viruslist.com

O1 - Hosts: 10.18.250.4 www.viruslist.ru

O1 - Hosts: 10.18.250.4 www.virustotal.com

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll

O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe

O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\kernelwind32.exe

O4 - HKLM\..\Run: [systemSv12] C:\WINDOWS\system32\newmaxxsv234.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E91894E754BE54C29159A7DBE80DC744B6CDE3A516CAC59B6

O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\documents and settings\todd gieber\application data\install_en[1].exe"

O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: findfast.exe

O4 - Global Startup: autorun.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE

O4 - Global Startup: WD Backup Monitor.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/B...heckControl.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesville.lycos.com/blockdot/popcaploader_v6.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll

O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll

O20 - Winlogon Notify: cryptnet - C:\WINDOWS\system32\cryptnet.dll

O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll

O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll

O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll

O20 - Winlogon Notify: SensLogn - C:\WINDOWS\system32\WlNotify.dll

O20 - Winlogon Notify: termsrv - C:\WINDOWS\system32\wlnotify.dll

O20 - Winlogon Notify: wlballoon - C:\WINDOWS\system32\wlnotify.dll

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe

 

 

--

End of file - 17120 bytes

 

-- Files created between 2007-12-13 and 2008-01-13 -----------------------------

 

2008-01-13 12:33:13 0 d-------- C:\WINDOWS\LastGood

2008-01-06 15:15:44 0 d--hs---- C:\WINDOWS\CSC

2008-01-06 14:31:30 18176 --a------ C:\WINDOWS\system32\drivers\smtpdrv.sys <Not Verified; NT Kernel Resources; NDIS packet redirector driver>

2008-01-06 14:31:28 21760 --a------ C:\WINDOWS\system32\drivers\Hte00.sys

2008-01-06 14:31:20 13760 --a------ C:\WINDOWS\system32\taskmon.sys

2008-01-06 14:30:54 129792 --a------ C:\WINDOWS\system32\lrito398c-b96.sys

2008-01-06 14:30:47 142848 --a------ C:\WINDOWS\system32\drivers\Kpmw71.sys

2008-01-06 14:30:19 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe

2008-01-06 14:28:48 0 --a------ C:\WINDOWS\system32\lich.dat

2008-01-06 14:17:35 70656 --a------ C:\WINDOWS\taskmon.exe

2008-01-06 14:17:30 129792 --a------ C:\WINDOWS\system32\lrito64ec-1ac8.sys

2008-01-06 14:17:29 39936 -ra------ C:\WINDOWS\mrofinu27.exe

2008-01-06 14:17:29 32997 --a------ C:\lich.exe

2008-01-06 14:17:25 8576 --a------ C:\lich.sys

2008-01-06 14:17:23 35840 --a------ C:\WINDOWS\vmmreg32.exe

2008-01-06 14:17:23 69632 --a------ C:\WINDOWS\system32\csrssw.dll

2008-01-06 14:17:21 14900 --a------ C:\WINDOWS\system32\m1ax1d1213216143v.exe

2008-01-06 14:17:17 16384 --a------ C:\WINDOWS\system32\newmaxxsv234.exe

2008-01-06 14:17:17 53248 --a------ C:\WINDOWS\system32\mstscex.dll

2008-01-06 14:17:17 4224 --a------ C:\WINDOWS\system32\drivers\kcp.sys

2008-01-06 14:17:16 53248 --a------ C:\WINDOWS\system32\oleauth32.dll

2008-01-06 14:17:14 53986 --a------ C:\WINDOWS\system32\xpdx.sys

2008-01-06 14:17:14 14336 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

2008-01-06 14:17:12 16896 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe

2008-01-06 14:17:11 10 --a------ C:\WINDOWS\system32\kr_done1

2008-01-06 14:17:10 16384 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe

2008-01-06 14:17:07 16896 --a------ C:\WINDOWS\system32\vedxg6ame4.exe

2008-01-06 14:17:06 36352 --a------ C:\WINDOWS\system32\vedxga4me1.exe

2008-01-06 14:17:06 0 d-------- C:\Program Files\BraveSentry

2008-01-06 14:17:05 1177450 --a------ C:\Documents and Settings\Todd Gieber\Application Data\Install.dat

2008-01-06 14:17:04 35702 --a------ C:\WINDOWS\xpupdate.exe

2008-01-06 14:17:04 18294 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe

2008-01-06 14:17:04 17782 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe

2008-01-06 14:17:04 16758 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe

2008-01-06 14:17:03 35702 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe

2008-01-06 14:17:02 11638 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe

2008-01-06 14:16:54 29184 --a------ C:\WINDOWS\system32\kernelwind32.exe

2008-01-06 14:16:50 7712 --a------ C:\WINDOWS\system32\kernelw.sys

2008-01-06 14:16:41 29184 --a------ C:\WINDOWS\wsystmp_ugd.exe

2008-01-06 14:08:40 0 d-------- C:\Program Files\Ultimate Defender

2008-01-06 14:06:58 16384 --a------ C:\WINDOWS\system32\userv32.dat

2008-01-06 14:06:18 6144 --a------ C:\WINDOWS\murka.dat

2008-01-06 14:06:18 18944 --a------ C:\WINDOWS\medichi2.exe

2008-01-06 14:06:18 4608 --a------ C:\WINDOWS\medichi.exe

2008-01-06 14:04:35 16384 --a------ C:\WINDOWS\system32\users32.dat

2008-01-06 14:04:28 47616 --a------ C:\WINDOWS\wsystmp_owo.exe

2008-01-06 14:04:26 19968 --a------ C:\WINDOWS\system32\xlibgfl254.dll

2008-01-06 14:04:26 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ultra

2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\system32\spoolvs.exe

2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\system32\printer.exe

2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\shell.exe

2008-01-06 14:03:25 18944 --a------ C:\WINDOWS\system32\wowfx.dll

2008-01-06 14:03:25 9728 --a------ C:\Documents and Settings\Todd Gieber\Application Data\printer.exe

2008-01-06 12:07:03 0 d-------- C:\Program Files\Elaborate Bytes

2008-01-06 12:03:01 15872 --a------ C:\WINDOWS\windsk.dll

2008-01-06 08:06:08 34049 --a------ C:\WINDOWS\trayicon.exe

2008-01-06 08:06:07 34049 --a------ C:\Documents and Settings\Todd Gieber\wn852.exe

2008-01-02 16:16:28 0 d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari

2008-01-02 16:15:56 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-01 19:46:18 0 d-------- C:\Program Files\Edmark

2008-01-01 19:44:18 0 d-------- C:\Program Files\Creative Wonders

2007-12-30 21:02:09 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>

2007-12-30 21:01:38 0 d-------- C:\Program Files\Hooked on Phonics Learning

2007-12-30 09:32:14 20 --ahs---- C:\ArcDeviceInfo

2007-12-27 14:15:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo

2007-12-25 19:57:18 194362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

2007-12-25 19:53:01 0 d-------- C:\Program Files\U.B. Funkeys

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-01-06 17:40:54 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat

2008-01-06 17:40:54 384 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat

2008-01-06 14:30:18 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-01-06 14:27:29 502784 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

2008-01-06 14:06:42 0 d-------- C:\Program Files\iTunes

2008-01-06 12:04:55 0 d-------- C:\Program Files\SlySoft

2008-01-02 16:07:29 0 d-------- C:\Program Files\Atari

2008-01-02 16:07:28 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-01-01 19:48:22 0 d-------- C:\Program Files\The Learning Company

2008-01-01 19:45:09 1693 --a------ C:\WINDOWS\EReg077.dat

2007-12-27 14:15:31 0 d-------- C:\Program Files\MumboJumbo

2007-12-16 11:49:47 0 d-------- C:\Program Files\Puppy Luv

2007-12-14 15:22:07 1977747 --a------ C:\WINDOWS\PUZZLES.DAT

2007-12-07 20:15:28 0 d-------- C:\Program Files\Symantec

2007-11-23 09:34:13 0 d-------- C:\Program Files\QuickTime

2007-11-22 09:48:25 0 d-------- C:\Program Files\Norton 360

2007-11-21 23:02:01 0 d-------- C:\Program Files\iPod

2007-11-21 22:59:12 0 d-------- C:\Program Files\Apple Software Update

2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files

2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files\Apple

2007-11-11 12:59:56 364544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>

2007-11-11 11:57:07 0 --a------ C:\WINDOWS\system32\AleUpdt.bin

2007-10-29 14:35:13 1287680 --a------ C:\WINDOWS\system32\quartz.dll

2007-10-27 17:40:06 227328 --a------ C:\WINDOWS\system32\wmasf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>

2007-10-15 18:46:39 70 --a------ C:\WINDOWS\popcinfo.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/11/2004 08:10 PM]

"CTHelper"="CTHELPER.EXE" [03/11/2004 12:50 PM C:\WINDOWS\system32\CTHELPER.EXE]

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01/06/2008 02:04 PM]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]

"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [06/28/2007 02:09 PM]

"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [01/06/2008 02:04 PM]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]

"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [01/06/2008 02:04 PM]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/06/2008 02:04 PM]

"WD Button Manager"="WDBtnMgr.exe" [11/11/2007 12:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/06/2008 02:04 PM]

"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [01/06/2008 02:04 PM]

"Printer"="C:\WINDOWS\system32\printer.exe" [05/11/2005 09:23 PM]

"System"="C:\WINDOWS\system32\kernelwind32.exe" [01/06/2008 02:16 PM]

"SystemSv12"="C:\WINDOWS\system32\newmaxxsv234.exe" [01/06/2008 02:17 PM]

"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"runner1"="C:\WINDOWS\mrofinu27.exe" [01/02/2008 01:33 PM]

"taskmon"="C:\WINDOWS\taskmon.exe" [01/06/2008 02:30 PM]

"NI.UGA6P_0001_N122M2210"="C:\documents and settings\todd gieber\application data\install_en[1].exe" [01/06/2008 02:31 PM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [05/11/2005 09:23 PM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

"DisableRegistryTools"=1 (0x1)

"DisableTaskMgr"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=1 (0x1)

"DisableTaskMgr"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoControlPanel"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg]

C:\Documents and Settings\All Users\Documents\Settings\bot.dll 01/06/2008 02:30 PM 25569 C:\Documents and Settings\All Users\Documents\Settings\bot.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll, xlibgfl254.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hte00.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]

@="Driver Group"

 

*Newly Created Service* - COMHOST

 

 

 

-- End of Deckard's System Scanner: finished at 2008-01-13 12:40:31 ------------

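The entries that matter most in the DSS log above are the policy lock-downs (DisableRegistryTools, DisableTaskMgr, NoControlPanel, which produce the "restrictions in effect on this computer" message), the Winlogon Shell value carrying a second executable, the AppInit_DLLs entry, the two extra SecurityProviders, and the Run entry whose file name is a letter-swap of the genuine spoolsv.exe. As an added example, not part of this thread or of DSS, SDFix or any other tool named here, the script below parses those lines out of a DSS-style dump and flags them; it assumes Windows XP defaults for Shell and SecurityProviders, and its sample input is copied from the log above.

```python
"""Audit a Deckard's System Scanner style registry dump for the lock-down and
persistence entries seen in the log above.  Added example for this thread,
not part of DSS, SDFix or any tool named in it."""
import re
from typing import List, Tuple

# Windows XP defaults (assumption: the machine in the thread runs XP).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Policies behind the "restrictions in effect on this computer" message.
LOCKDOWN_POLICIES = {"disableregistrytools", "disabletaskmgr", "nocontrolpanel"}
# Genuine Windows binaries whose names the Run entries in the log imitate.
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "ctfmon.exe", "explorer.exe", "svchost.exe"}

# Lines copied from the DSS log posted in this thread (not constructed).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [05/11/2005 09:23 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll, xlibgfl254.dll
"""

Finding = Tuple[str, str]  # (category, detail)


def parse_value(line: str):
    """Split a DSS line of the form "Name"=data [timestamp] into (name, data).
    Quoted data is taken up to the closing quote; unquoted data loses the
    trailing "[...]" timestamp that DSS appends to Run entries."""
    m = re.match(r'^"([^"]+)"=(.*)$', line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        data = rest[1:end] if end != -1 else rest[1:]
    else:
        data = re.sub(r"\s+\[[^\]]*\]$", "", rest)
    return name, data


def audit(log_text: str) -> List[Finding]:
    """Return every suspicious entry found in the dump, in log order."""
    findings: List[Finding] = []
    key = ""  # current registry key, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if line.startswith("SecurityProviders "):
            # Anything beyond the XP default provider list is an injected DLL.
            for prov in line[len("SecurityProviders "):].split(","):
                prov = prov.strip()
                if prov.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(("security_provider", prov))
            continue
        parsed = parse_value(line)
        if parsed is None:
            continue
        name, data = parsed
        lname = name.lower()
        if key.endswith(("\\policies\\system", "\\policies\\explorer")):
            if lname in LOCKDOWN_POLICIES and data.startswith("1"):
                findings.append(("lockdown", f"{name} under {key}"))
        elif key.endswith("\\winlogon") and lname == "shell":
            # Shell should be exactly Explorer.exe; a second path is a hijack.
            if data.lower() != DEFAULT_SHELL:
                findings.append(("shell_hijack", data))
        elif key.endswith("currentversion\\windows") and lname == "appinit_dlls":
            if data:  # default is empty
                findings.append(("appinit_dlls", data))
        elif key.endswith("\\run"):
            # Flag file names that are a letter permutation of a real binary.
            base = data.split("\\")[-1].lower()
            for real in KNOWN_SYSTEM_BINARIES:
                if base != real and sorted(base) == sorted(real):
                    findings.append(("lookalike", f"{data} resembles {real}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```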

We can get you cleaned up for sure.

 

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

 

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.

 

 

 

 

 

Please download SmitfraudFix (by S!Ri) to your Desktop.

 

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

 

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

 

Warning: running option #2 on a non-infected computer will remove your Desktop background.

 

 

 

 

Do this one from Normal Mode

 

Download Combofix and save it to your desktop.

 

**Note: It is important that it is saved directly to your desktop**

 

--------------------------------------------------------------------

 

1. Close any open browsers.

 

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

 

--------------------------------------------------------------------

 

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

 

Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

 

MyWebSearch

MyWebSA

Edited by Rorschach112


Sorry, here are the contents of extra.txt:

 

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Unable to create WMI object.

 

Architecture: X86; Language: English

 

Percentage of Memory in Use: 17%

Physical Memory (total/avail): 1022.09 MiB / 842.64 MiB

Pagefile Memory (total/avail): 2460.07 MiB / 2415.17 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1956.73 MiB

 

C: is Fixed (NTFS) - 232.78 GiB total, 136.05 GiB free.

D: is CDROM (CDFS)

E: is CDROM (No Media)

F: is Fixed (FAT32) - 465.64 GiB total, 443.97 GiB free.

G: is Removable (No Media)

H: is Removable (FAT)

 

 

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is enabled.

 

FirstRunDisabled is set.

FirewallDisableNotify is set.

 

Unable to create WMI object.

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Administrator\Application Data

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=TODD

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Administrator

LOGONSERVER=\\TODD

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0404

ProgramFiles=C:\Program Files

PROMPT=$P$G

SAFEBOOT_OPTION=MINIMAL

SESSIONNAME=Console

SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

USERDOMAIN=TODD

USERNAME=Administrator

USERPROFILE=C:\Documents and Settings\Administrator

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Todd Gieber (admin)

Deanna Gieber (admin)

Sierra Gieber (admin)

Jordyn Gieber (admin)

Administrator (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\Ctzapxx.EXE" /W /U /S

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}

--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

"Doras Rapido River Rafting Race (remove only)" --> "C:\Program Files\Doras Rapido River Rafting Race\Uninstall.exe"

101 Bally Slots --> C:\Games\MasqueGames\uninstall.exe "101 Bally Slots.ilg"

A Series of Unfortunate Events (remove only) --> "C:\Program Files\A Series of Unfortunate Events\Uninstall.exe"

Adobe Acrobat Reader 3.01 --> C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock

Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}

Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}

AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"

AOL Toolbar 5.0 --> "C:\Program Files\AOL\AOL Toolbar 5.0\uninstall.exe"

AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe

AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}

Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}

Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}

Arthur's Thinking Games --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative Wonders\Arthur's Thinking Games\Uninst.isu"

AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}

Backyardigans Mission to Mars (remove only) --> C:\Program Files\Backyardigans Mission to Mars\Uninstall.exe

Barbie® Pet Rescue --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mattel Interactive\Barbie®\Barbie® Pet Rescue\Uninst.isu"

Bejeweled 2 Deluxe --> "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\install.log"

Bejeweled Deluxe 1.862 -->

Bengal (CD version) --> "C:\Program Files\OXXOGames\VIVAGplayer\MyInstall.exe" ScriptUInst "C:\Program Files\OXXOGames\VIVAGplayer\Install\\Game_OxxoBengalCD.log"

Blue's Treasure Hunt --> C:\WINDOWS\IsUninst.exe -f"c:\hegames\Blues Treasure Hunt\Uninst.isu" -c"c:\hegames\Blues Treasure Hunt\Uninst.dll

Blues Room (remove only) --> C:\Program Files\Blues Room\Uninstall.exe

Bonus Mania --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C662595F-CDF9-4BF5-8323-3F7C6A7EADF7}\setup.exe" -l0x9

BookWorm Deluxe 1.03 --> C:\Program Files\PopCap Games\BookWorm Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\BookWorm Deluxe\Install.log"

Brave-Sentry --> C:\Program Files\BraveSentry\Uninstall.exe

Broadcom Advanced Control Suite --> MsiExec.exe /I{058B32E2-6310-4359-B2D4-1988390C3B83}

BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a

Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"

Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"

Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"

Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"

Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"

Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"

Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"

Canon Utilities Digital Photo Professional 2.2 --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"

Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"

Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"

Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"

CareBears --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ValuSoft\CareBears\DeIsL1.isu"

ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}

Chainz 2 (remove only) --> "C:\Program Files\MumboJumbo\Chainz 2\uninstall.exe"

Chicken Hunter - License To Grill --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime9\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00848649-B063-4672-B616-B40543807750}\Setup.exe" -l0x9

Chutes and Ladders --> C:\WINDOWS\uninst.exe -fc:\Games\CHUTES~1\DeIsL1.isu

Comcast High-Speed Internet Install Wizard --> C:\Program Files\Support.com\uninstall\chsi_uninstaller.exe

Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove

Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}

Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}

Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}

Desktop Doctor --> "C:\Program Files\Support.com\providerComcast\Uninstall.exe" /c "Remove Desktop Doctor?"

Disney's Princess Fashion Boutique --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\PRINCE~1\DeIsL1.isu

Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG

Disney's You Can Fly! with Tinker Bell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5071AC4-B0E3-11D5-AA2E-0008C760B784}\setup.exe" Disney's You Can Fly! with Tinker Bell

Dora the Explorer 3D Pyramid Adventure (remove only) --> "C:\Program Files\Dora the Explorer 3D Pyramid Adventure\Uninstall.exe"

Dora the Explorer: Animal Adventures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A34CCD1C-7738-47B9-863D-8E0C478FB8F7}\setup.exe" -l0x9 -uninst

Dora`s Magic Castle (remove only) --> C:\Program Files\Dora`s Magic Castle\Uninstall.exe

Dora`s World Adventure (remove only) --> C:\Program Files\Dora`s World Adventure\Uninstall.exe

DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"

Dynomite Deluxe 2.71 --> C:\Program Files\PopCap Games\Dynomite Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Dynomite Deluxe\Install.log"

Edmark MindTwister Math --> C:\WINDOWS\unvise32.exe C:\Program Files\Edmark\MindTwister Math\uninstal.log

eGames GameButler --> C:\PROGRA~1\eGames\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\eGames\GAMEBU~1\INSTALL.LOG

ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG

Fisher-Price® - Toddler --> D:\setup.exe -funinst.ins

GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}

GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"

Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

Grammar Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\Grammar\DeIsL1.isu"

Hello Kitty Cutie World --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3F2EC51-4473-4535-BEE4-01B8B39ACEF7}\Setup.exe" -l0x9

High Flying Act - Interactive Storybook --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\High Flying Act - Interactive Storybook\Uninstall.xml"

Hooked on Phonics Master Reader --> C:\WINDOWS\unvise32.exe C:\Program Files\Hooked on Phonics Learning\Master Reader\uninstal.log

HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}

HP Software Update --> MsiExec.exe /X{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}

IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log

Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST

Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}

Internet Lottery 1.2.0 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\SPK210.Inf, DefaultUninstall

iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033

iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}

Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}

Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}

Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}

Joes 3-D Scavenger Hunt (remove only) --> "C:\Program Files\Joes 3-D Scavenger Hunt\Uninstall.exe"

JumpStart Preschool v2.0 --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRSCHL99\DeIsL1.isu

JumpStart Toddlers 2001 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Knowledge Adventure\JSTD2001\DeIsL1.isu"

Just Grandma and Me --> C:\WINDOWS\uninst.exe -fC:\Lvg_Bks\DeIsL1.isu

Kid Pix Deluxe 3 --> C:\Program Files\Broderbund\Kid Pix Deluxe 3\uninstal.exe

Leap Ahead Kindergarten --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Kindergarten\Uninst.isu"

Leap Ahead Phonics Ages 4-7 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Phonics Ages 4-7\Uninst.isu"

Leap Ahead Preschool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Preschool\Uninst.isu"

Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall

LifeGlobe Sharks, Terrors of the Deep 2 --> "C:\Program Files\Prolific Publishing, Inc\Sharks2\unins000.exe"

LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U

LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}

Luxor 3 --> "C:\Program Files\MumboJumbo\Luxor 3\uninstall.exe"

Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}

Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Magic Ball 2 Spring Time (remove only) --> "C:\Program Files\Magic Ball 2 Spring Time\Uninstall.exe"

Mall Tycoon 3 --> MsiExec.exe /I{205140F6-F3AC-45CE-9627-9CF35C6E1C2E}

Marine Aquarium 2.5, Goldfish, Sharks & Carousel Bundle --> C:\WINDOWS\IsUninst.exe -fc:\ScreenSavers\Aquarium\Uninst.isu

Meerca Chase Screen Saver --> sstunst2.exe Meerca Chase

Mickey Saves the Day --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\MICKEY~1\DeIsL1.isu

Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}

Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}

Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall

Mike's Monstrous Adventure --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D2B1159-89F1-11D6-B2FB-0002A5E32BEF}\setup.exe" Mike's Monstrous Adventure

Monopoly Junior --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Monopoly Junior\Uninst.isu"

Monsters, Inc. Wreck Room Arcade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27CACECD-7452-41A2-B1D5-76B18E79700F}\setup.exe" Boris

My Disney Kitchen --> C:\WINDOWS\IsUninst.exe -fc:\games\MICKEY~1\DeIsL2.isu

My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O

My Web Search (Zwinky) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll,O

MysticForest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5C61666-12FE-4776-B0DB-55C82AADD222}\setup.exe" -l0x9 -removeonly

Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

netMarket --> D:\netmarkt\netmarkt\setup.exe -fNETMKTUN.ins

Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}

Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}

Norton 360 --> MsiExec.exe /I{40DA9A54-48CA-4A2C-AEAF-F67715BB046E}

Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}

Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X

Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}

Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}

Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}

Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}

NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI

Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"

Penguin Puzzle --> C:\PROGRA~1\eGames\PENGUI~1\UNWISE.EXE C:\PROGRA~1\eGames\PENGUI~1\INSTALL.LOG

Petz 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\PF.Magic\Petz 3\Uninst.isu"

Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\setup\hpzscr01.exe -datfile hphscr01.dat

Pirates of Treasure Island --> C:\PROGRA~1\eGames\PIRATE~1\UNWISE.EXE C:\PROGRA~1\eGames\PIRATE~1\INSTALL.LOG

PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

Puppy Luv --> MsiExec.exe /I{125A502F-2DF9-4948-A6A3-A7491D938CF0}

QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1

Quicken 2003 Premier --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2F3A571A-AE8C-4938-88A7-71E4F04D057A} anything

Reader Rabbit's Kindergarten --> C:\TLCWIN\RRK20\UNWISE.EXE C:\TLCWIN\RRK20\INSTALL.LOG

Reader Rabbit's Preschool --> C:\Games\READER~1\UNWISE.EXE C:\Games\READER~1\INSTALL.LOG

Reader Rabbit 1st Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 1st Grade\Uninstall.xml"

Reader Rabbit® I Can Read! With Phonics --> C:\Program Files\The Learning Company\Reader Rabbit® I Can Read! With Phonics\uninstall.exe

Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}

Rocket Mania Deluxe 1.02 --> C:\Program Files\PopCap Games\Rocket Mania Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Rocket Mania Deluxe\Install.log"

RollerCoaster Tycoon 3 Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\SETUP.EXE" -l0x9 -removeonly

School Tycoon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CFFE053-748A-44DC-A248-06EA38E4BC03}\setup.exe"

SeaWorld Adventure Park Tycoon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48A6E89E-D2D3-4DA7-8A7C-FBB8F1083409}\setup.exe"

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Snail Mail (remove only) --> "C:\Program Files\Snail Mail\Uninstall.exe"

Snowy - Treasure Hunter (remove only) --> "C:\Program Files\Snowy - Treasure Hunter\Uninstall.exe"

Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}

Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}

Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}

Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}

Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}

Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}

Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}

Sorry --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL2.isu

Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\setup.exe" -l0x9

SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}

Spinner the Space Kid (remove only) --> C:\Program Files\Spinner the Space Kid\Uninstall.exe

SpongeBob SquarePants - Battle for Bikini Bottom --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A7E6A962-C086-47E3-BAEC-9C84AF292820}\setup.exe" -l0x9 -uninst

SpongeBob SquarePants 3-D --> C:\PROGRA~1\NICKAR~1\SPONGE~1\UNWISE.EXE C:\PROGRA~1\NICKAR~1\SPONGE~1\INSTALL.LOG

SpongeBob SquarePants Employee of the Month --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\SpongeBob SquarePants\Employee of the Month\Uninst.isu"

SpongeBob SquarePants Obstacle Odyssey (remove only) --> C:\Program Files\SpongeBob SquarePants Obstacle Odyssey\Uninstall.exe

SpongeBob SquarePants® Operation Krabby Patty --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\SpongeBob SquarePants\Operation Krabby Patty\Uninst.isu"

StarFlyers Royal Jewel Rescue --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\StarFlyers Royal Jewel Rescue\Uninstall.xml"

SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}

Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}

SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}

The Fairly OddParents --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBA98386-2B74-4C54-B085-543E7D5A3FAC}\Setup.exe" -l0x9 \ /uninst

The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"

The Land Before Time Kindergarten Adventure --> C:\Lbtkind\UNWISE.EXE C:\Lbtkind\INSTALL.LOG

TiVo Desktop 2.4a --> MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}

TurboTax Deluxe 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui

TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui

TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}

TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}

U.B. Funkeys --> C:\Program Files\U.B. Funkeys\uninstall.exe

Ultra soft --> C:\Documents and Settings\Todd Gieber\Application Data\ultra\uninstall.bat

Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) -->

Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u

VIVA MEDIA GAME CENTER --> "C:\Program Files\OXXOGames\VIVAGplayer\MyInstall.exe" UInstAllGPAndDS

WD Backup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A351224F-533A-4EED-89F4-0BF3417FD31D}\setup.exe" -l0x9

WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}

WD Firewire HID Driver --> MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}

WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"

WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate

Wild Thornberrys Australian Wildlife Rescue (remove only) --> "C:\Program Files\Wild Thornberrys Australian Wildlife Rescue\Uninstall.exe"

Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

Yahtzee --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu

Zulu Gems (remove only) --> "C:\Program Files\iWin.com\Zulu Gems\Uninstall.exe"

Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type37651 / Error

Event Submitted/Written: 01/06/2008 04:02:20 PM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application tivoserver.exe, version 1.4.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.

Processing media-specific event for [tivoserver.exe!ws!]

 

Event Record #/Type37650 / Error

Event Submitted/Written: 01/06/2008 04:02:14 PM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application tivotransfer.exe, version 1.3.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.

Processing media-specific event for [tivotransfer.exe!ws!]

 

Event Record #/Type37649 / Error

Event Submitted/Written: 01/06/2008 04:02:09 PM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application ccapp.exe, version 106.2.0.21, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.

Processing media-specific event for [ccapp.exe!ws!]

 

Event Record #/Type37648 / Error

Event Submitted/Written: 01/06/2008 04:01:46 PM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application mwsoemon.exe, version 1.2.2.4, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.

Processing media-specific event for [mwsoemon.exe!ws!]

 

Event Record #/Type37647 / Error

Event Submitted/Written: 01/06/2008 04:01:35 PM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application dssagent.exe, version 1.0.3.0, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.

Processing media-specific event for [dssagent.exe!ws!]

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type20441 / Error

Event Submitted/Written: 01/13/2008 00:32:19 PM / 01/13/2008 00:32:49 PM

Event ID/Source: 1 / sr

Event Description:

The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

 

Event Record #/Type20438 / Error

Event Submitted/Written: 01/07/2008 04:10:02 PM / 01/07/2008 04:10:34 PM

Event ID/Source: 1 / sr

Event Description:

The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

 

Event Record #/Type20432 / Error

Event Submitted/Written: 01/07/2008 09:56:22 AM / 01/07/2008 09:56:54 AM

Event ID/Source: 1 / sr

Event Description:

The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

 

Event Record #/Type20427 / Error

Event Submitted/Written: 01/06/2008 07:40:09 PM / 01/06/2008 07:40:39 PM

Event ID/Source: 1 / sr

Event Description:

The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

 

Event Record #/Type20424 / Error

Event Submitted/Written: 01/06/2008 07:31:54 PM / 01/06/2008 07:32:21 PM

Event ID/Source: 1 / sr

Event Description:

The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

 

 

 

-- End of Deckard's System Scanner: finished at 2008-01-13 12:37:03 ------------


Just so you know, I am using my work laptop to communicate with you, while using the memory stick to pass files between the home and work PC.


Ok, here is where I am at per your instructions:

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

 

Upon trying to boot in safe mode I get a window that says, "c:\windows\shell.exe" Application not found.

 

Can I run this from safe mode via command prompt?


Can you not get it to run with those instructions? Just ignore that window you get and try to run the program.

 

If it fails just continue on to the next step.


Ok, here is the output of the report.txt from running SDFix:

 

 

SDFix: Version 1.126

 

Run by Administrator on Sun 01/13/2008 at 01:17 PM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

Driver

kcp

smtpdrv

taskmon.sys

ZZZdrv_lich

ZZZsvc_lich

lrito398c-b96

lrito64ec-1ac8

HTE00

 

Path:

\??\C:\WINDOWS\system32\kernelw.sys

\??\C:\WINDOWS\system32\drivers\kcp.sys

System32\DRIVERS\smtpdrv.sys

\??\C:\WINDOWS\system32\taskmon.sys

\??\C:\lich.sys

C:\lich.exe

\??\C:\WINDOWS\system32\lrito398c-b96.sys

\??\C:\WINDOWS\system32\lrito64ec-1ac8.sys

System32\Drivers\Hte00.sys

 

Driver - Deleted

kcp - Deleted

smtpdrv - Deleted

taskmon.sys - Deleted

ZZZdrv_lich - Deleted

ZZZsvc_lich - Deleted

lrito398c-b96 - Deleted

lrito64ec-1ac8 - Deleted

HTE00 - Deleted

 

 

 

Infected Winlogon.exe Found!

 

Winlogon File Locations:

 

"C:\WINDOWS\system32\winlogon.exe" 502784 01/06/2008 02:27 PM

"C:\WINDOWS\system32\dllcache\winlogon.exe" 502784 01/07/2008 04:09 PM

 

Modified Files Are Listed Below:

 

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\dllcache\winlogon.exe

 

Note: SDFix Does Not Repair This File!

 

 

Infected ip6fw.sys Found!

 

ip6fw.sys File Locations:

 

"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/10/2004 02:00 AM

 

Infected File Listed Below:

 

C:\WINDOWS\system32\drivers\ip6fw.sys

 

Trojan File copied to Backups Folder

Attempting to replace ip6fw.sys with original version...

 

Unable To Replace Infected File!

 

 

Infected Svchost.exe Found!

 

Svchost.exe File Locations:

 

"C:\WINDOWS\system32\svchost.exe" 14336 08/10/2004 02:00 AM

"C:\WINDOWS\system32\dllcache\svchost.exe" 14336 08/10/2004 02:00 AM

 

Modified file is listed below:

 

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllcache\svchost.exe

 

Infected File copied to Backups Folder

SDFix cannot repair this file!

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing SharedAccess Service

Resetting AppInit_DLLs value

 

 

Rebooting...

 

Service asc3550p - Deleted after Reboot

Service Medi35 - Deleted after Reboot

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\WINDOWS\system32\lrito398c-b96.sys - Deleted

C:\WINDOWS\system32\lrito64ec-1ac8.sys - Deleted

C:\WINDOWS\system32\drivers\Medi35.sys - Deleted

C:\WINDOWS\system32\drivers\HTE00.sys - Deleted

C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted

C:\19.TMP - Deleted

C:\1A.TMP - Deleted

C:\1B.TMP - Deleted

C:\1C.TMP - Deleted

C:\1D.TMP - Deleted

C:\1E.TMP - Deleted

C:\1F.TMP - Deleted

C:\20.TMP - Deleted

C:\WINDOWS\SYSTEM32\FORRIEPP.TMP - Deleted

C:\Documents and Settings\All Users\Documents\Settings\bot.dll - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\1.dllb - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\2.dllb - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\5.dllb - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\6.dllb - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\7.dllb - Deleted

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\ma11x1dd12111v.game - Deleted

C:\WINDOWS\system32\shift.exe.exe - Deleted

C:\Program Files\BraveSentry\BraveSentry.exe - Deleted

C:\Program Files\BraveSentry\BraveSentry.lic - Deleted

C:\Program Files\BraveSentry\BraveSentry0.bs - Deleted

C:\Program Files\BraveSentry\BraveSentry0.dll - Deleted

C:\Program Files\BraveSentry\BraveSentry1.bs - Deleted

C:\Program Files\BraveSentry\BraveSentry2.dll - Deleted

C:\Program Files\BraveSentry\BraveSentry3.dll - Deleted

C:\Program Files\BraveSentry\Uninstall.exe - Deleted

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe - Deleted

C:\.exe - Deleted

C:\?.exe - Deleted

C:\lich.exe - Deleted

C:\WINDOWS\desktop.html - Deleted

C:\WINDOWS\medichi.exe - Deleted

C:\WINDOWS\medichi2.exe - Deleted

C:\WINDOWS\mrofinu*.exe - Deleted

C:\WINDOWS\murka.dat - Deleted

C:\WINDOWS\shell.exe - Deleted

C:\WINDOWS\system32\*_exception.nls - Deleted

C:\WINDOWS\system32\dllgh8jk*.exe - Deleted

C:\WINDOWS\system32\kernelwind32.exe - Deleted

C:\WINDOWS\system32\kr_done1 - Deleted

C:\WINDOWS\system32\lich.dat - Deleted

C:\WINDOWS\system32\lrito.ini - Deleted

C:\WINDOWS\system32\m1ax1d1*.exe - Deleted

C:\WINDOWS\system32\mstscex.dll - Deleted

C:\WINDOWS\system32\n.ini - Deleted

C:\WINDOWS\system32\newmaxxsv234.exe - Deleted

C:\WINDOWS\system32\oleauth32.dll - Deleted

C:\WINDOWS\system32\printer.exe - Deleted

C:\WINDOWS\system32\spoolvs.exe - Deleted

C:\WINDOWS\system32\svcp.csv - Deleted

C:\WINDOWS\system32\users32.dat - Deleted

C:\WINDOWS\system32\vedxg*m*.exe - Deleted

C:\WINDOWS\system32\vx.tll - Deleted

C:\WINDOWS\system32\winsub.xml - Deleted

C:\WINDOWS\taskmon.exe - Deleted

C:\WINDOWS\trayicon.exe - Deleted

C:\WINDOWS\windsk.dll - Deleted

C:\WINDOWS\wr.txt - Deleted

C:\WINDOWS\xpupdate.exe - Deleted

C:\WINDOWS\system32\xpdx.sys - Deleted

C:\lich.sys - Deleted

C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted

C:\WINDOWS\system32\drivers\kcp.sys - Deleted

C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted

C:\WINDOWS\system32\drivers\symavc32.sys - Deleted

C:\WINDOWS\system32\kernelw.sys - Deleted

C:\WINDOWS\system32\taskmon.sys - Deleted

 

 

 

The files below have been patched by Trojan.Agent.zb to load users32.dat and should be replaced:

 

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

 

 

Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Folder C:\Program Files\BraveSentry - Removed

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-13 13:28:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]

"PendingFileRenameOperations"=str(7):"\x6264\2\xa6e0S\x5050<\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\xcf50S\\\xffff\xffff\xffff\xffff\5\x62f8O\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1I\x6f43\x746e\x6f72\x206c\x7954\x6570\x8190I\xfff8\xffff\xa950S\xffd8\xffff\x6b76\16\4\x8000\\4\1I\x754d\x746c\x7069\x656c\x4920\x6574\x736dI\xffd8\xffff\x6b76\r\4\x8000\2\4\1\35\x6843\x6e61\x656e\x206c\x6f43\x6e75\x5974\35\xffd8\xffff\x6b76\17\4\x8000\\4\1\35\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\\4\010\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x9058'\1\\x7320S\xffff\xffff\4\xa6f8O\x218\xffff\xffff\20\\32\4\3\b\x2020\x2020\x2020\x3320\xffe0\xffff\x6b76\6\4\x8000\1\4\1\x6d69\x694c\x656e\x6449\1\xffd8\xffff\x6b76\r\4\x8000\2\4\1I\x6f43\x746e\x6f72\x206c\x6f43\x6e75\xb474I\xffe0\xffff\x6b76\b\4\x8000\2\4\1v\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1Q\x6544\x7473\x64499\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x71e8S\2\\x7300P\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xfff0\xffff\x686c\1\x72c8S\x86f8\x64f3\xffa8\xffff\x6b6e \x4d50\x9d6b\x48d8\x1c8\\x72c8S\\\xffff\xffff\xffff\xffff\5\xe5a0\34\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffb8\xffffSystem32\Drivers\GEARAspiWDM.sysv\xffd8\xffff\x6b76\16,\xa4d0S\3\1\x6146\x6c69\x7275\x4165\x7463\x6f69\x736e&\xffa8\xffff\x6b6e \xee12\xe2f1\x50b0\x1c8\\x6e98S\\\xffff\xffff\xffff\xffff\6\xb210D\xd6a8\r\xffff\xffff\16\\26N\\4\x3030\x3030\xffff\xffff\xfff0\xffff\x686c\1\x7660S\x86f8\x64f3\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x72c8S\\\xffff\xffff\xffff\xffff\5\x2e20P\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1D\x6f43\x746e\x6f72\x206c\x7954\x6570\x66c0H\xffd8\xffff\x6b76\16\4\x8000\\4\1 
\x754d\x746c\x7069\x656c\x4920\x6574\x736dn\xffd8\xffff\x6b76\r\4\x8000\2\4\1*\x6843\x6e61\x656e\x206c\x6f43\x6e75\x83740\xffd8\xffff\x6b76\17\4\x8000\\4\1H\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\\4\1-\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x9058'\1\\x7450S\xffff\xffff\4\x9dc8P\x218\xffff\xffff\20\\32\4\4\b\x2020\x2020\x2020\x3420\xffe0\xffff\x6b76\6\4\x8000\2\4\1v\x694c\x656e\x6449\xffd8\xffff\x6b76\r\4\x8000\2\4\18\x6f43\x746e\x6f72\x206c\x6f43\x6e75\xb9749\xffe0\xffff\x6b76\b\4\x8000\4\4\1Q\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1R\x6544\x7473\x6449N\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x7580S\2\\xdd50P\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x7660S\\\xffff\xffff\xffff\xffff\5\xb230P\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\1D\x6f43\x746e\x6f72\x206c\x7954\x6570\x8a8I\xffd8\xffff\x6b76\16\4\x8000\\4\1S\x754d\x746c\x7069\x656c\x4920\x6574\x736d\xffff\xffd8\xffff\x6b76\r\4\x8000\2\4\1\x6843\x6e61\x656e\x206c\x6f43\x6e75t\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1:\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1\35\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xfff0\xffff\x686c\1\x79c0S\x86f8\x64f3\xffa8\xffff\x6b6e \xf41c\xf371\xd799\x1c6\\x7660S\\\xffff\xffff\xffff\xffff\4\xd8d8P\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1\35\x6f43\x746e\x6f72\x206c\x7954\x6570\xe478\35\xffd8\xffff\x6b76\16\4\x8000\\4\010\x754d\x746c\x7069\x656c\x4920\x6574\x736d0\xffd8\xffff\x6b76\r\4\x8000\1\4\1I\x6843\x6e61\x656e\x206c\x6f43\x6e75\x8174I\xffd8\xffff\x6b76\17\4\x8000\1\4\1I\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffa8\xffff\x6b6e 
\xf41c\xf371\xd799\x1c6\\x9058'\1\\x77d8S\xffff\xffff\4\x1d8Q\x218\xffff\xffff\20\\32\4\5\b\x2020\x2020\x2020\x3520\xffe0\xffff\x6b76\6\4\x8000\3\4\1r\x694c\x656e\x6449\xffd8\xffff\x6b76\r\4\x8000\2\4\1J\x6f43\x746e\x6f72\x206c\x6f43\x6e75\x85740\xffe0\xffff\x6b76\b\4\x8000\5\4\1.\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1\34\x6544\x7473\x6449&\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x78e0S\2\\x2fe8Q\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x79c0S\\\xffff\xffff\xffff\xffff\5\x1fe8Q\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\010\x6f43\x746e\x6f72\x206c\x7954\x6570\xadb0H\xffd8\xffff\x6b76\16\4\x8000\\4\1I\x754d\x746c\x7069\x656c\x4920\x6574\x736dI\xffd8\xffff\x6b76\r\4\x8000\2\4\1I\x6843\x6e61\x656e\x206c\x6f43\x6e75\xbe74I\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1I\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1J\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xfff0\xffff\x686c\1\x7d20S\x86f8\x64f3\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x79c0S\\\xffff\xffff\xffff\xffff\4\x2960Q\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1J\x6f43\x746e\x6f72\x206c\x7954\x6570il\xffd8\xffff\x6b76\16\4\x8000\\4\1l\x754d\x746c\x7069\x656c\x4920\x6574\x736d\xffd8\xffff\x6b76\r\4\x8000\1\4\1\35\x6843\x6e61\x656e\x206c\x6f43\x6e75\x5b74\35\xffd8\xffff\x6b76\17\4\x8000\1\4\1\35\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x9058'\1\\x7b38S\xffff\xffff\4\x4018Q\x218\xffff\xffff\20\\32\4\6\b\x2020\x2020\x2020\x3620\xffe0\xffff\x6b76\6\4\x8000\4\4\1\35\x694c\x656e\x6449\35\xffd8\xffff\x6b76\r\4\x8000\2\4\1I\x6f43\x746e\x6f72\x206c\x6f43\x6e75\xd274I\xffe0\xffff\x6b76\b\4\x8000\a\4\1Q\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1v\x6544\x7473\x6449M\xffa8\xffff\x6b6e 
\x5676\xf374\xd799\x1c6\\x7c40S\2\\x5fa0Q\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xffa8\xffff\x6b6e \xae6c\xaf21\xdb7f\x1c6\\x7d20S\\\xffff\xffff\xffff\xffff\5\xa2d8K\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\010\x6f43\x746e\x6f72\x206c\x7954\x6570\xadb0H\xffd8\xffff\x6b76\16\4\x8000\\4\1I\x754d\x746c\x7069\x656c\x4920\x6574\x736dI\xffd8\xffff\x6b76\r\4\x8000\2\4\1I\x6843\x6e61\x656e\x206c\x6f43\x6e75\xbe74I\xffd8\xffff\x6b76\17\4\x8000\xffff\4\1I\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\xffff\4\1S\x6843\x6e61\x656e\x206c\x2020\x2020\x2020\xff31\xfff0\xffff\x686c\1\xd370&\x86f8\x64f3\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x7d20S\\\xffff\xffff\xffff\xffff\4\x5b98Q\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1\x6f43\x746e\x6f72\x206c\x7954\x6570\4\xffd8\xffff\x6b76\16\4\x8000\\4\1\30\x754d\x746c\x7069\x656c\x4920\x6574\x736d\34\xffd8\xffff\x6b76\r\4\x8000\1\4\1\35\x6843\x6e61\x656e\x206c\x6f43\x6e75\xdc749\xffd8\xffff\x6b76\17\4\x8000\1\4\19\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffa8\xffff\x6b6e 
\x5676\xf374\xd799\x1c6\\x9058'\1\\x7e98S\xffff\xffff\4\x67b0Q\x218\xffff\xffff\20\\32\4\a\b\x2020\x2020\x2020\x3720\xffe0\xffff\x6b76\6\4\x8000\5\4\1\xf1db\x694c\x656e\x6449\xf1db\xffd8\xffff\x6b76\r\4\x8000\2\4\1\xf1db\x6f43\x746e\x6f72\x206c\x6f43\x6e75t\xffe0\xffff\x6b76\b\4\x8000\b\4\1\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1\x6544\x7473\x6449\xfeb8\xffff\x686c&\xd8b8Q\x9f10\xf1db\xcb78S\x9f11\xf1db\xce70S\x9f12\xf1db\x71e8S\x9f13\xf1db\x7580S\x9f14\xf1db\x78e0S\x9f15\xf1db\x7c40S\x9f16\xf1db\x7fa0S\x9f17\xf1db\x8388S\x9f18\xf1db\x86f8S\x9f19\xf1db\x8a30S\x9f21\xf1db\x8e88S\x9f22\xf1db\x8fc0S\x9f23\xf1db\x9238S\x9f24\xf1db\x94b0S\x9f25\xf1db\x9740S\x9f26\xf1db\x99e8S\xa185\xf1db\x9db8S\xa186\xf1db\xa170S\xa187\xf1db\x9138'0\x98b8'1\x9bc8'\x745\x9f80'\x746\x72b8(\x747\x7558(2\x7940(3\x7d08(4\x6100(5\x64d8(6\x6880(7\x6c48(8\x7020'9\x74f8'A\x7998'B\x7bf8'C\x7e90'D\xd278&E\xd728&F\\x5150\xffff\2\\xffd8\xffff\x6b76\17\4\x8000\xffff\4\1\35\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\1\x6f43\x746e\x6f72\x206c\x7954\x6570\31\xffd8\xffff\x6b76\16\4\x8000\\4\1\35\x754d\x746c\x7069\x656c\x4920\x6574\x736d5\xffd8\xffff\x6b76\r\4\x8000\2\4\1I\x6843\x6e61\x656e\x206c\x6f43\x6e75\xc474I\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\xd370&\\\xffff\xffff\xffff\xffff\5\xae28Q\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1I\x6f43\x746e\x6f72\x206c\x7954\x6570\xbb18I\xffd8\xffff\x6b76\16\4\x8000\\4\1l\x754d\x746c\x7069\x656c\x4920\x6574\x736d4\xffd8\xffff\x6b76\r\4\x8000\2\4\1\32\x6843\x6e61\x656e\x206c\x6f43\x6e75\xf274\34\xffd8\xffff\x6b76\17\4\x8000\\4\1\34\x6843\x6e61\x656e\x206c\x2020\x2020\x2020\xff30\xffd8\xffff\x6b76\17\4\x8000\\4\1\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffa8\xffff\x6b6e 
\x5676\xf374\xd799\x1c6\\x9058'\1\\x84c0S\xffff\xffff\4\xd288Q\x218\xffff\xffff\20\\32\4\b\b\x2020\x2020\x2020\x3820\xffe0\xffff\x6b76\6\4\x8000\6\4\1\x694c\x656e\x6449-\xffd8\xffff\x6b76\r\4\x8000\2\4\1\17\x6f43\x746e\x6f72\x206c\x6f43\x6e75\xff74\xffff\xffe0\xffff\x6b76\b\4\x8000\t\4\1)\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1\x6544\x7473\x6449&\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x8388S\2\\x1f0R\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xfff0\xffff\x686c\1\x8468S\x86f8\x64f3\xffa8\xffff\x6b6e \xfe3c\x8f41\x9a7c\x1c7\\x8468S\\\xffff\xffff\xffff\xffff\5\x968\37\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\17\4\x8000\xffff\4\1\31\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\xffff\4\1\35\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffd0\xffffHID-compliant device\\xffd0\xffff\xde68\35\x83b8\37\x61b8<\x5ba8D\x6590D\x95d0D\xce0)\xd650)\x9638(\xfe50R\x73d0(\xffe8\xffff1-19-2005\xfff0\xffff\x686c\1\x87d8S\x86f8\x64f3\xffa8\xffff\x6b6e \x5676\xf374\xd799\x1c6\\x8468S\\\xffff\xffff\xffff\xffff\4\xe9b8Q\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1\x6f43\x746e\x6f72\x206c\x7954\x6570\1\xffd8\xffff\x6b76\16\4\x8000\\4\1:\x754d\x746c\x7069\x656c\x4920\x6574\x736dD\xffd8\xffff\x6b76\r\4\x8000\1\4\1\x6843\x6e61\x656e\x206c\x6f43\x6e75t\xffd8\xffff\x6b76\17\4\x8000\\4\1\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x9058'\1\\x85f0S\xffff\xffff\4\x3d0R\x218\xffff\xffff\20\\32\4\t\b\x2020\x2020\x2020\x3920\xffe0\xffff\x6b76\6\4\x8000\a\4\1\35\x694c\x656e\x6449\35\xffd8\xffff\x6b76\r\4\x8000\2\4\1\x6f43\x746e\x6f72\x206c\x6f43\x6e75t\xffe0\xffff\x6b76\b\4\x8000\n\4\015\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1J\x6544\x7473\x6449J\xffa8\xffff\x6b6e 
\xb8d0\xf376\xd799\x1c6\\x86f8S\2\\x86b8R\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x87d8S\\\xffff\xffff\xffff\xffff\4\x490R\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\1\xffff\x6f43\x746e\x6f72\x206c\x7954\x6570\\xffd8\xffff\x6b76\16\4\x8000\\4\1\x754d\x746c\x7069\x656c\x4920\x6574\x736d\xffd8\xffff\x6b76\r\4\x8000\1\4\1\x6843\x6e61\x656e\x206c\x6f43\x6e75t \xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1o\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xfff0\xffff\x686c\1\x8b10S\x86f8\x64f3\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x87d8S\\\xffff\xffff\xffff\xffff\4\x2fe8R\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\f\4\x8000\2\x2001\4\1}\x6f43\x746e\x6f72\x206c\x7954\x6570\xe5e8\30\xffd8\xffff\x6b76\16\4\x8000\\4\1\x6469\x754d\x746c\x7069\x656c\x4920\x6574\x736dI\xffd8\xffff\x6b76\r\4\x8000\1\4\1\x6843\x6e61\x656e\x206c\x6f43\x6e75t\xffd8\xffff\x6b76\17\4\x8000\1\4\1\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x9058'\1\\x8928S\xffff\xffff\4\x8f90R\x218\xffff\xffff\20\\32\4\n\b\x2020\x2020\x2020\x4120\xffe0\xffff\x6b76\6\4\x8000\b\4\1I\x694c\x656e\x6449\35\xffd8\xffff\x6b76\r\4\x8000\3\4\1\x6f43\x746e\x6f72\x206c\x6f43\x6e75t\xffe0\xffff\x6b76\b\4\x8000\v\4\1\35\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\1\4\1\35\x6544\x7473\x6449\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x8a30S\3\\x8e60S\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xffa8\xffff\x6b6e \xb8d0\xf376\xd799\x1c6\\x8b10S\\\xffff\xffff\xffff\xffff\4\x9808R\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x2001\4\1b\x6f43\x746e\x6f72\x206c\x7954\x6570ny\xffd8\xffff\x6b76\16\4\x8000\\4\1h\x754d\x746c\x7069\x656c\x4920\x6574\x736di\xffd8\xffff\x6b76\r\4\x8000\1\4\1d\x6843\x6e61\x656e\x206c\x6f43\x6e75tw\xffd8\xffff\x6b76\17\4\x8000\\4\1 


Ok, next snag...

 

I am able to download SmitfraudFix to my memory stick, but when I try to copy it to the desktop, the "Paste" option is disabled and I cannot figure out how to get it to the desktop. Can I run it right from the memory stick?


Ok, here is the output from rapport.txt:

 

SmitFraudFix v2.274

 

Scan done at 13:55:23.35, Sun 01/13/2008

Run from H:\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

10.18.250.4 ad.doubleclick.net

10.18.250.4 ad.fastclick.net

10.18.250.4 ads.fastclick.net

10.18.250.4 ar.atwola.com

10.18.250.4 atdmt.com

10.18.250.4 avp.ch

10.18.250.4 avp.com

10.18.250.4 avp.ru

10.18.250.4 awaps.net

10.18.250.4 banner.fastclick.net

10.18.250.4 banners.fastclick.net

10.18.250.4 ca.com

10.18.250.4 click.atdmt.com

10.18.250.4 clicks.atdmt.com

10.18.250.4 customer.symantec.com

10.18.250.4 dispatch.mcafee.com

10.18.250.4 download.mcafee.com

10.18.250.4 downloads-us1.kaspersky-labs.com

10.18.250.4 downloads-us2.kaspersky-labs.com

10.18.250.4 downloads-us3.kaspersky-labs.com

10.18.250.4 downloads1.kaspersky-labs.com

10.18.250.4 downloads2.kaspersky-labs.com

10.18.250.4 downloads3.kaspersky-labs.com

10.18.250.4 downloads4.kaspersky-labs.com

10.18.250.4 engine.awaps.net

10.18.250.4 f-secure.com

10.18.250.4 fastclick.net

10.18.250.4 ftp.avp.ch

10.18.250.4 ftp.downloads1.kaspersky-labs.com

10.18.250.4 ftp.downloads2.kaspersky-labs.com

10.18.250.4 ftp.downloads3.kaspersky-labs.com

10.18.250.4 ftp.f-secure.com

10.18.250.4 ftp.kasperskylab.ru

10.18.250.4 ftp.sophos.com

10.18.250.4 ids.kaspersky-labs.com

10.18.250.4 kaspersky-labs.com

10.18.250.4 kaspersky.com

10.18.250.4 liveupdate.symantec.com

10.18.250.4 liveupdate.symantecliveupdate.com

10.18.250.4 mast.mcafee.com

10.18.250.4 mcafee.com

10.18.250.4 media.fastclick.net

10.18.250.4 my-etrust.com

10.18.250.4 nai.com

10.18.250.4 networkassociates.com

10.18.250.4 norton.com

10.18.250.4 phx.corporate-ir.net

10.18.250.4 rads.mcafee.com

10.18.250.4 secure.nai.com

10.18.250.4 securityresponse.symantec.com

10.18.250.4 service1.symantec.com

10.18.250.4 sophos.com

10.18.250.4 spd.atdmt.com

10.18.250.4 symantec.com

10.18.250.4 trendmicro.com

10.18.250.4 update.symantec.com

10.18.250.4 updates.symantec.com

10.18.250.4 updates1.kaspersky-labs.com

10.18.250.4 updates2.kaspersky-labs.com

10.18.250.4 updates3.kaspersky-labs.com

10.18.250.4 updates4.kaspersky-labs.com

10.18.250.4 updates5.kaspersky-labs.com

10.18.250.4 us.mcafee.com

10.18.250.4 vil.nai.com

10.18.250.4 viruslist.com

10.18.250.4 viruslist.ru

10.18.250.4 virusscan.jotti.org

10.18.250.4 virustotal.com

10.18.250.4 www.avp.ch

10.18.250.4 www.avp.com

10.18.250.4 www.avp.ru

10.18.250.4 www.awaps.net

10.18.250.4 www.ca.com

10.18.250.4 www.f-secure.com

10.18.250.4 www.fastclick.net

10.18.250.4 www.grisoft.com

10.18.250.4 www.kaspersky-labs.com

10.18.250.4 www.kaspersky.com

10.18.250.4 www.kaspersky.ru

10.18.250.4 www.mcafee.com

10.18.250.4 www.my-etrust.com

10.18.250.4 www.nai.com

10.18.250.4 www.networkassociates.com

10.18.250.4 www.sophos.com

10.18.250.4 www.symantec.com

10.18.250.4 www.trendmicro.com

10.18.250.4 www.viruslist.com

10.18.250.4 www.viruslist.ru

10.18.250.4 www.virustotal.com

 

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

 

S!Ri's WS2Fix: LSP not Found.

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\shell.exe Deleted

C:\WINDOWS\system32\printer.exe Deleted

C:\WINDOWS\system32\spoolvs.exe Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

 

IEDFix.exe by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

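The "hosts" section of the SmitFraudFix report above maps dozens of antivirus-vendor, update and scanning domains to 10.18.250.4, an RFC 1918 private address, so update and signature downloads go nowhere while the machine looks connected. The following is an added example, not SmitFraudFix code and not anything posted in this thread: it parses hosts-file entries, flags security-vendor names pointed at anything other than a loopback or unspecified sink address, counts how many names a single redirect target absorbs, and emits a cleaned copy that keeps every legitimate line. The sample lines, the vendor keyword list and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of the "hosts" section of the report above:
# the 10.18.250.4 sink address is the one the log shows, the rest is made up
# for contrast (a normal loopback entry, a 0.0.0.0 ad block, a comment).
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.18.250.4 liveupdate.symantec.com
10.18.250.4 www.kaspersky.com   # appended by the infection
10.18.250.4 ad.doubleclick.net
0.0.0.0 ads.example.net
"""

# Illustrative substrings of security-vendor domains; not an exhaustive list.
VENDOR_KEYWORDS = ("symantec", "norton", "mcafee", "kaspersky", "sophos",
                   "f-secure", "trendmicro", "avp.", "virustotal", "nai.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs for every mapping, ignoring comments and
    lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def is_sink_address(ip):
    """127.0.0.0/8, ::1 and 0.0.0.0 are the legitimate ways to null-route a
    name; anything else is a redirect, not a block."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text):
    """Return (hostname, ip) for vendor domains pointed at a non-sink address."""
    return [(host, ip) for ip, host in parse_hosts(text)
            if not is_sink_address(ip)
            and any(k in host for k in VENDOR_KEYWORDS)]


def redirect_targets(text):
    """Count how many names each non-sink address collects; one address
    absorbing many unrelated names is itself a strong signal."""
    counts = {}
    for ip, _host in parse_hosts(text):
        if not is_sink_address(ip):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def clean_hosts(text):
    """Return the hosts text with hijacked vendor lines removed; all other
    lines (comments, loopback, user block lists) are preserved verbatim."""
    bad = {host for host, _ip in find_hijacked_entries(text)}
    kept = []
    for raw in text.splitlines():
        names = [h.lower() for h in raw.split("#", 1)[0].split()[1:]]
        if names and any(n in bad for n in names):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for host, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {ip}")
    print("redirect targets:", redirect_targets(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine the input would be the contents of %SystemRoot%\system32\drivers\etc\hosts; the keyword match is deliberately loose because the point is triage, and the redirect-target count catches the pattern even for vendor names the keyword list misses.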

Ok, I'm a bit hesitant on this last step with ComboFix; again, I am unable to copy/paste files, given the current state of my PC, I assume. I downloaded ComboFix to my memory stick, but cannot place it directly on the desktop as instructed prior to running. What is your suggestion here?

 

Do this one from Normal Mode

 

Download Combofix and save it to your desktop.

 

**Note: It is important that it is saved directly to your desktop**


After ComboFix was done, it rebooted my machine and prepared the log. I've been waiting quite some time with no action. Two windows did come up that I closed down (from my previous setup). I wonder if I messed up the log from finishing its run. Suggestions? Should I run ComboFix again? It seems stalled out.


Sorry, it finally finished; here is the output of log.txt:

 

ComboFix 08-01-14.1 - Todd Gieber 2008-01-13 14:42:29.1 - NTFSx86

Running from: H:\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe

C:\Documents and Settings\Sierra Gieber\Application Data\FunWebProducts

C:\Documents and Settings\Sierra Gieber\Application Data\FunWebProducts\Data\Sierra Gieber\avatar.dat

C:\Documents and Settings\Sierra Gieber\Start Menu\Programs\Startup\findfast.exe

C:\Documents and Settings\Todd Gieber\Application Data\Install.dat

C:\Documents and Settings\Todd Gieber\Application Data\install_en[1].exe

C:\Documents and Settings\Todd Gieber\Application Data\printer.exe

C:\Documents and Settings\Todd Gieber\Application Data\trant.exe

C:\Documents and Settings\Todd Gieber\Application Data\ultra

C:\Documents and Settings\Todd Gieber\Application Data\ultra\ultra.inf

C:\Documents and Settings\Todd Gieber\Application Data\ultra\uninstall.bat

C:\Documents and Settings\Todd Gieber\Desktop\bravesentry.lnk

C:\Documents and Settings\Todd Gieber\Local Settings\Application Data.\n.ini

C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\n.ini

C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry

C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk

C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry\Uninstall.lnk

C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Startup\findfast.exe

C:\Program Files\FunWebProducts

C:\Program Files\FunWebProducts\Shared\000D4547.dat

C:\Program Files\FunWebProducts\Shared\00173FE7.dat

C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html

C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

C:\Program Files\internet explorer\msimg32.dll

C:\Program Files\MyWebSearch

C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG

C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR

C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE

C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL

C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV

C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT

C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR

C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST

C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE

C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR

C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST

C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL

C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE

C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE

C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE

C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe

C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL

C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif

C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico

C:\Program Files\MyWebSearch\bar\Cache\00039A0E

C:\Program Files\MyWebSearch\bar\Cache\00079BD0

C:\Program Files\MyWebSearch\bar\Cache\0008DCDC.bin

C:\Program Files\MyWebSearch\bar\Cache\0008DFCA.bin

C:\Program Files\MyWebSearch\bar\Cache\0008E1CD.bin

C:\Program Files\MyWebSearch\bar\Cache\0008EE50.bin

C:\Program Files\MyWebSearch\bar\Cache\0008FB31.bin

C:\Program Files\MyWebSearch\bar\Cache\0008FCD7.bin

C:\Program Files\MyWebSearch\bar\Cache\0009092B.bin

C:\Program Files\MyWebSearch\bar\Cache\00090A06.bin

C:\Program Files\MyWebSearch\bar\Cache\001D3F1F.bin

C:\Program Files\MyWebSearch\bar\Cache\001D4048.bin

C:\Program Files\MyWebSearch\bar\Cache\001D4113.bin

C:\Program Files\MyWebSearch\bar\Cache\00206AB4

C:\Program Files\MyWebSearch\bar\Cache\00CEF802

C:\Program Files\MyWebSearch\bar\Cache\00EED22F

C:\Program Files\MyWebSearch\bar\Cache\00EED78E

C:\Program Files\MyWebSearch\bar\Cache\00EED953.bin

C:\Program Files\MyWebSearch\bar\Cache\00EEDA7C.bin

C:\Program Files\MyWebSearch\bar\Cache\00EEDB66.bin

C:\Program Files\MyWebSearch\bar\Cache\00EEDC41.bin

C:\Program Files\MyWebSearch\bar\Cache\00EEDD5A.bin

C:\Program Files\MyWebSearch\bar\Cache\files.ini

C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S

C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S

C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S

C:\Program Files\MyWebSearch\bar\History\search2

C:\Program Files\MyWebSearch\bar\icons\CM.ICO

C:\Program Files\MyWebSearch\bar\icons\MFC.ICO

C:\Program Files\MyWebSearch\bar\icons\PSS.ICO

C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO

C:\Program Files\MyWebSearch\bar\icons\WB.ICO

C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO

C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm

C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif

C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif

C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S

C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S

C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S

C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S

C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S

C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S

C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S

C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S

C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S

C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S

C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S

C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm

C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat

C:\Program Files\MyWebSearch\bar\Settings\setting2.htm

C:\Program Files\MyWebSearch\bar\Settings\settings.dat

C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

C:\Program Files\Ultimate Defender

C:\WINDOWS\Help\agt037b.hlp

C:\WINDOWS\inf\ultra.inf

C:\WINDOWS\shell.exe

C:\WINDOWS\system32\_000009_.tmp.dll

C:\WINDOWS\system32\bszip.dll

C:\WINDOWS\system32\drivers\ip6fw.sys

C:\WINDOWS\system32\f3PSSavr.scr

C:\WINDOWS\system32\msacm32.drv

C:\WINDOWS\system32\mscore.dll

C:\WINDOWS\system32\printer.exe

C:\WINDOWS\system32\spoolvs.exe

C:\WINDOWS\system32\wowfx.dll

C:\WINDOWS\system32\xlibgfl254.dll

C:\WINDOWS\wsystmp_owo.exe

C:\WINDOWS\wsystmp_ugd.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_DRIVER

-------\LEGACY_RUNTIME

-------\LEGACY_SMTPDRV

-------\LEGACY_ZZZDRV_LICH

 

 

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))

.

 

2008-01-13 14:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-13 13:55 . 2008-01-13 13:55 3,982 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-13 13:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-13 13:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-13 13:54 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-13 13:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-13 13:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-13 13:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-13 13:16 . 2008-01-13 13:16 <DIR> d-------- C:\WINDOWS\ERUNT

2008-01-13 12:34 . 2008-01-13 12:34 <DIR> d-------- C:\Deckard

2008-01-06 14:30 . 2008-01-06 14:30 142,848 --a------ C:\WINDOWS\system32\drivers\Kpmw71.sys

2008-01-06 14:19 . 2008-01-07 16:09 502,784 --a------ C:\WINDOWS\system32\dllcache\winlogon.exe

2008-01-06 14:17 . 2008-01-06 14:17 69,632 --a------ C:\WINDOWS\system32\csrssw.dll

2008-01-06 14:17 . 2008-01-06 14:05 61,440 --a------ C:\WINDOWS\system32\drivers\OLD19.tmp

2008-01-06 14:17 . 2008-01-06 14:17 35,840 --a------ C:\WINDOWS\vmmreg32.exe

2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\svchost.exe

2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe

2008-01-06 14:06 . 2008-01-06 14:12 16,384 --a------ C:\WINDOWS\system32\userv32.dat

2008-01-06 12:07 . 2008-01-06 12:07 <DIR> d-------- C:\Program Files\Elaborate Bytes

2008-01-06 08:06 . 2008-01-06 08:06 34,049 --a------ C:\Documents and Settings\Todd Gieber\wn852.exe

2008-01-02 16:16 . 2008-01-02 16:16 <DIR> d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari

2008-01-02 16:15 . 2008-01-02 16:15 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-01 19:46 . 2008-01-01 19:46 <DIR> d-------- C:\Program Files\Edmark

2008-01-01 19:46 . 1999-07-20 18:37 519 --------- C:\WINDOWS\pipeline.ini

2008-01-01 19:46 . 2008-01-01 19:46 0 --a------ C:\WINDOWS\Edmark.ini

2008-01-01 19:44 . 2008-01-01 19:44 <DIR> d-------- C:\Program Files\Creative Wonders

2007-12-30 21:02 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe

2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Hooked on Phonics Learning

2007-12-30 09:32 . 2007-12-30 09:32 20 --ahs---- C:\ArcDeviceInfo

2007-12-27 14:15 . 2007-12-27 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo

2007-12-25 19:57 . 2007-04-16 09:28 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys

2007-12-25 19:53 . 2007-12-25 19:57 <DIR> d-------- C:\Program Files\U.B. Funkeys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-06 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-06 22:27 502,784 ----a-w C:\WINDOWS\system32\winlogon.exe

2008-01-06 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-01-06 22:06 --------- d-----w C:\Program Files\iTunes

2008-01-06 20:04 --------- d-----w C:\Program Files\SlySoft

2008-01-03 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-03 00:07 --------- d-----w C:\Program Files\Atari

2008-01-02 22:14 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX

2008-01-02 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser

2008-01-02 03:48 --------- d-----w C:\Program Files\The Learning Company

2007-12-30 17:32 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft

2007-12-27 22:15 --------- d-----w C:\Program Files\MumboJumbo

2007-12-16 19:49 --------- d-----w C:\Program Files\Puppy Luv

2007-12-08 04:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-12-08 04:15 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-12-08 04:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-12-08 04:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-12-08 04:15 --------- d-----w C:\Program Files\Symantec

2007-12-03 23:47 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\SlySoft

2007-12-03 23:45 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\ArcSoft

2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys

2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys

2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys

2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat

2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat

2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat

2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf

2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf

2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf

2007-11-23 17:34 --------- d-----w C:\Program Files\QuickTime

2007-11-22 17:48 --------- d-----w C:\Program Files\Norton 360

2007-11-22 07:02 --------- d-----w C:\Program Files\iPod

2007-11-22 06:59 --------- d-----w C:\Program Files\Apple Software Update

2007-11-22 06:58 --------- d-----w C:\Program Files\Common Files\Apple

2007-11-22 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2007-11-15 04:02 --------- d-----w C:\Documents and Settings\Sierra Gieber\Application Data\ArcSoft

2007-11-11 20:59 364,544 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe

2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll

2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-28 01:40 227,328 ------w C:\WINDOWS\system32\dllcache\wmasf.dll

2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll

2006-05-21 04:06 167 ---ha-w C:\Documents and Settings\Todd Gieber\hpothb07.dat

2005-10-10 06:11 251 ----a-w C:\Program Files\wt3d.ini

2007-06-08 21:55 1,808,519 --sha-w C:\WINDOWS\system32\kjkkj.bak1

2007-06-12 16:49 1,810,873 --sha-w C:\WINDOWS\system32\kjkkj.bak2

2007-06-13 04:02 1,811,495 --sh--w C:\WINDOWS\system32\kjkkj.ini2

.

Infected C:\WINDOWS\system32\svchost.exe hex repaired

 

Files Infected - Win32.Agent.zb

C:\Program Files\Support.com\bin\tgcmd.exe

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoServer.exe

.

 

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

 

----a-w 50,792 2006-04-20 17:10:13 C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe

 

----a-w 124,520 2006-02-17 16:59:46 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe

 

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

 

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

 

----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 115,816 2008-01-06 22:04:36 C:\Program Files\Common Files\Symantec Shared\ccapp.exe

 

----a-w 45,056 2003-06-18 06:00:00 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE

 

----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe

 

----a-w 53,248 2005-02-23 21:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

 

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

 

----a-w 49,152 2003-12-05 22:41:44 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

 

----a-w 49,152 2003-11-12 13:23:42 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe

 

----a-w 241,664 2003-12-22 15:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

 

----a-w 200,747 2006-06-05 02:52:32 C:\Program Files\IncrediMail\bin\bak\IncMail.exe

----a-w 204,843 2008-01-06 22:04:35 C:\Program Files\IncrediMail\bin\incmail.exe

 

----a-w 139,264 2005-04-25 13:50:08 C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

 

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 267,048 2008-01-06 22:04:36 C:\Program Files\iTunes\ituneshelper.exe

 

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

 

----a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe

 

----a-w 100,056 2005-08-06 06:36:29 C:\Program Files\SymNetDrv\bak\SNDMon.exe

 

----a-w 497,376 1998-12-01 02:04:28 C:\WINDOWS\bak\p_981116.exe

 

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE

 

----a-w 59,392 2004-08-10 09:04:42 C:\WINDOWS\ehome\bak\ehtray.exe

 

----a-w 495,616 2004-02-02 08:41:58 C:\WINDOWS\system32\bak\hphmon05.exe

 

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

 

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

 

----a-w 176,128 2003-12-04 12:44:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

 

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-01-06 14:04 204843]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:04 68856]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]

"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-01-06 14:04 1193472]

"TivoNotify"="C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoNotify.exe" [2007-05-02 13:13 373760]

"TivoServer"="C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoServer.exe" [2008-01-06 14:04 1463296]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 20:10 4583424]

"CTHelper"="CTHELPER.EXE" [2004-03-11 12:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-06 14:04 1773568]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [2008-01-06 14:04 546304]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-06 14:04 115816]

"WD Button Manager"="WDBtnMgr.exe" [2007-11-11 12:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:04 267048]

"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-01-06 14:04 462848]

 

C:\Documents and Settings\Deanna Gieber\Start Menu\Programs\Startup\

PowerReg Scheduler V3.exe [2006-11-07 11:17:25]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [2002-09-20 10:50:32]

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]

Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [2002-09-20 10:50:46]

Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [2002-09-20 10:50:50]

WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-11-11 13:01:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

 

R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" [2007-05-02 13:12]

R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 21:20]

R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2007-04-16 09:28]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\autoplay.exe

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-01-04 01:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-06 19:47:01 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-14 14:53:13

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-14 15:14:41 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-14 23:14:38

.

2007-12-13 04:46:07 --- E O F ---


Ok, all steps have been successfully completed as instructed. Please let me know if there is anything else I need to do.

Can't tell you how much I truly appreciate your help and support!

 

By the way, what kind of issue did I have on my PC? First real issue I've had. I use Norton 360; I cannot believe that it did not detect or block this issue. Any ideas?


Hello

 

By the way, what kind of issue did I have on my PC?

It would take a long time to explain all your problems. Your PC is one of the most badly infected I've worked on :)

 

 

 

1. Close any open browsers.

 

2. Open notepad and copy/paste the text in the quotebox below into it:

 

KillAll::

 

File::

C:\WINDOWS\system32\drivers\Kpmw71.sys

C:\WINDOWS\system32\csrssw.dll

C:\WINDOWS\system32\drivers\OLD19.tmp

C:\WINDOWS\vmmreg32.exe

C:\WINDOWS\system32\userv32.dat

C:\Documents and Settings\Todd Gieber\wn852.exe

C:\WINDOWS\system32\kjkkj.bak1

C:\WINDOWS\system32\kjkkj.bak2

C:\WINDOWS\system32\kjkkj.ini2

C:\WINDOWS\system32\jkkjk.dll

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

 

CFScript.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

When finished, it shall produce a log for you at "C:\ComboFix.txt"

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

 

 

Also post a new HijackThis log


Ok, here is the log file produced from your instructions:

 


ComboFix 08-01-14.1 - Todd Gieber 2008-01-14 15:53:46.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.646 [GMT -8:00]

Running from: C:\Documents and Settings\Todd Gieber\Desktop\ComboFix.exe

Command switches used :: H:\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\Documents and Settings\Todd Gieber\wn852.exe

C:\WINDOWS\system32\csrssw.dll

C:\WINDOWS\system32\drivers\Kpmw71.sys

C:\WINDOWS\system32\drivers\OLD19.tmp

C:\WINDOWS\system32\jkkjk.dll

C:\WINDOWS\system32\kjkkj.bak1

C:\WINDOWS\system32\kjkkj.bak2

C:\WINDOWS\system32\kjkkj.ini2

C:\WINDOWS\system32\userv32.dat

C:\WINDOWS\vmmreg32.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Todd Gieber\wn852.exe

C:\WINDOWS\system32\csrssw.dll

C:\WINDOWS\system32\drivers\Kpmw71.sys

C:\WINDOWS\system32\drivers\OLD19.tmp

C:\WINDOWS\system32\kjkkj.bak1

C:\WINDOWS\system32\kjkkj.bak2

C:\WINDOWS\system32\kjkkj.ini2

C:\WINDOWS\system32\userv32.dat

C:\WINDOWS\vmmreg32.exe

F:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))

.

 

2008-01-13 14:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-13 13:55 . 2008-01-13 13:55 3,982 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-13 13:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-01-13 13:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-01-13 13:54 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-01-13 13:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-01-13 13:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-13 13:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-13 13:16 . 2008-01-13 13:16 <DIR> d-------- C:\WINDOWS\ERUNT

2008-01-13 12:34 . 2008-01-13 12:34 <DIR> d-------- C:\Deckard

2008-01-06 14:19 . 2008-01-07 16:09 502,784 --a------ C:\WINDOWS\system32\dllcache\winlogon.exe

2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\svchost.exe

2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe

2008-01-06 12:07 . 2008-01-06 12:07 <DIR> d-------- C:\Program Files\Elaborate Bytes

2008-01-02 16:16 . 2008-01-02 16:16 <DIR> d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari

2008-01-02 16:15 . 2008-01-02 16:15 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-01 19:46 . 2008-01-01 19:46 <DIR> d-------- C:\Program Files\Edmark

2008-01-01 19:46 . 1999-07-20 18:37 519 --------- C:\WINDOWS\pipeline.ini

2008-01-01 19:46 . 2008-01-01 19:46 0 --a------ C:\WINDOWS\Edmark.ini

2008-01-01 19:44 . 2008-01-01 19:44 <DIR> d-------- C:\Program Files\Creative Wonders

2007-12-30 21:02 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe

2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Hooked on Phonics Learning

2007-12-30 09:32 . 2007-12-30 09:32 20 --ahs---- C:\ArcDeviceInfo

2007-12-27 14:15 . 2007-12-27 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo

2007-12-25 19:57 . 2007-04-16 09:28 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys

2007-12-25 19:53 . 2007-12-25 19:57 <DIR> d-------- C:\Program Files\U.B. Funkeys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-14 23:39 --------- d-----w C:\Program Files\Common Files\TiVo Shared

2008-01-06 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-01-06 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-01-06 22:06 --------- d-----w C:\Program Files\iTunes

2008-01-06 20:04 --------- d-----w C:\Program Files\SlySoft

2008-01-03 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-01-03 00:07 --------- d-----w C:\Program Files\Atari

2008-01-02 22:14 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX

2008-01-02 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser

2008-01-02 03:48 --------- d-----w C:\Program Files\The Learning Company

2007-12-30 17:32 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft

2007-12-27 22:15 --------- d-----w C:\Program Files\MumboJumbo

2007-12-16 19:49 --------- d-----w C:\Program Files\Puppy Luv

2007-12-08 04:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-12-08 04:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-12-08 04:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-12-08 04:15 --------- d-----w C:\Program Files\Symantec

2007-12-03 23:47 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\SlySoft

2007-12-03 23:45 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\ArcSoft

2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys

2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys

2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys

2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat

2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat

2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat

2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf

2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf

2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf

2007-11-23 17:34 --------- d-----w C:\Program Files\QuickTime

2007-11-22 17:48 --------- d-----w C:\Program Files\Norton 360

2007-11-22 07:02 --------- d-----w C:\Program Files\iPod

2007-11-22 06:59 --------- d-----w C:\Program Files\Apple Software Update

2007-11-22 06:58 --------- d-----w C:\Program Files\Common Files\Apple

2007-11-22 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple

2007-11-15 04:02 --------- d-----w C:\Documents and Settings\Sierra Gieber\Application Data\ArcSoft

2006-05-21 04:06 167 ---ha-w C:\Documents and Settings\Todd Gieber\hpothb07.dat

2005-10-10 06:11 251 ----a-w C:\Program Files\wt3d.ini

.

Files Infected - Win32.Agent.zb

C:\Program Files\Support.com\bin\tgcmd.exe

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-14_15.12.27.57 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-13 22:42:07 5,025,792 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-14 23:53:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-13 22:42:07 135,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-14 23:53:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-14 23:53:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-14 23:53:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-14 23:53:05 5,033,984 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-14 23:53:05 135,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

 

----a-w 50,792 2006-04-20 17:10:13 C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe

 

----a-w 124,520 2006-02-17 16:59:46 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe

 

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

 

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

 

----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 115,816 2008-01-06 22:04:36 C:\Program Files\Common Files\Symantec Shared\ccapp.exe

 

----a-w 45,056 2003-06-18 06:00:00 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE

 

----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe

 

----a-w 53,248 2005-02-23 21:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

 

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

 

----a-w 49,152 2003-12-05 22:41:44 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

 

----a-w 49,152 2003-11-12 13:23:42 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe

 

----a-w 241,664 2003-12-22 15:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

 

----a-w 200,747 2006-06-05 02:52:32 C:\Program Files\IncrediMail\bin\bak\IncMail.exe

----a-w 204,843 2008-01-06 22:04:35 C:\Program Files\IncrediMail\bin\incmail.exe

 

----a-w 139,264 2005-04-25 13:50:08 C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

 

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 267,048 2008-01-06 22:04:36 C:\Program Files\iTunes\ituneshelper.exe

 

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

 

----a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe

 

----a-w 100,056 2005-08-06 06:36:29 C:\Program Files\SymNetDrv\bak\SNDMon.exe

 

----a-w 497,376 1998-12-01 02:04:28 C:\WINDOWS\bak\p_981116.exe

 

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE

 

----a-w 59,392 2004-08-10 09:04:42 C:\WINDOWS\ehome\bak\ehtray.exe

 

----a-w 495,616 2004-02-02 08:41:58 C:\WINDOWS\system32\bak\hphmon05.exe

 

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

 

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

 

----a-w 176,128 2003-12-04 12:44:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

 

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]

C:\WINDOWS\system32\jkkjk.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-01-06 14:04 204843]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:04 68856]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 20:10 4583424]

"CTHelper"="CTHELPER.EXE" [2004-03-11 12:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-06 14:04 1773568]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [2008-01-06 14:04 546304]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-06 14:04 115816]

"WD Button Manager"="WDBtnMgr.exe" [2007-11-11 12:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:04 267048]

 

C:\Documents and Settings\Deanna Gieber\Start Menu\Programs\Startup\

PowerReg Scheduler V3.exe [2006-11-07 11:17:25]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [2002-09-20 10:50:32]

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]

Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [2002-09-20 10:50:46]

Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [2002-09-20 10:50:50]

WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-11-11 13:01:16]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 21:20]

R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2007-04-16 09:28]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-01-04 01:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-14 23:47:20 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-14 16:04:36

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-14 16:18:02 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-15 00:17:59

ComboFix2.txt 2008-01-14 23:14:41

.

2007-12-13 04:46:07 --- E O F ---


Hello

 

Download FindAWF.exe from here or here, and save it to your desktop.

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders

    2. Press 2 then Enter to restore files from bak folders

    3. Press 3 then Enter to remove bak folders

    4. Press 4 then Enter to reset domain zones

    5. Press E then Enter to EXIT


  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

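Added example, not code from the thread, ComboFix or FindAWF: a small Python script that reads an AWF section like the ones in the ComboFix logs above, pairs each file in a `bak` folder with the same-named file one level up, and reports whether that sibling differs (replaced), matches (restored) or is not listed, which is the comparison a reader makes by eye before deciding between scanning and restoring with FindAWF. The sample lines are taken from the logs above, except the NeroCheck pair, which is constructed to show a file already restored.

```python
"""Pair AWF 'bak' backups with whatever now sits at the original path.

Added example for this thread; not code from ComboFix, FindAWF or the helper.
Input is the text of a ComboFix AWF section, where each line reads:
attributes, size, date, time, full path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One AWF report line, e.g.
#   ----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
AWF_LINE = re.compile(
    r"^(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)

# Constructed sample, modelled on lines in the logs above. The NeroCheck pair
# is invented to show how a file already restored from its bak folder looks.
SAMPLE_AWF = "\n".join([
    r"----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe",
    r"----a-w 115,816 2008-01-06 22:04:36 C:\Program Files\Common Files\Symantec Shared\ccapp.exe",
    "",
    r"----a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe",
    "",
    r"----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe",
    r"----a-w 267,048 2008-01-06 22:04:36 C:\Program Files\iTunes\ituneshelper.exe",
    "",
    r"----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe",
    r"----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\NeroCheck.exe",
])


@dataclass(frozen=True)
class AwfEntry:
    size: int
    date: str
    time: str
    path: str


@dataclass
class BakFinding:
    original: AwfEntry               # the copy the infection moved into the bak folder
    replacement: Optional[AwfEntry]  # whatever the report lists at the original path

    @property
    def status(self) -> str:
        if self.replacement is None:
            return "sibling-not-listed"   # bak copy only; the report shows nothing one level up
        same = (self.replacement.size, self.replacement.date, self.replacement.time) == (
            self.original.size, self.original.date, self.original.time)
        # 'replaced': a different binary now runs from the real path (newer date, other size)
        return "restored" if same else "replaced"


def parse_awf_section(text: str) -> List[AwfEntry]:
    """Parse every line that looks like an AWF report line; skip everything else."""
    entries = []
    for line in text.splitlines():
        m = AWF_LINE.match(line.strip())
        if m:
            entries.append(AwfEntry(int(m["size"].replace(",", "")), m["date"], m["time"], m["path"]))
    return entries


def pair_bak_entries(entries: List[AwfEntry]) -> List[BakFinding]:
    """For each file under a bak folder, look up the same name one level up."""
    # NTFS paths are case-insensitive; the logs show ccApp.exe beside ccapp.exe.
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        head, sep, name = e.path.lower().rpartition("\\bak\\")
        if not sep:
            continue  # not a bak-folder entry
        findings.append(BakFinding(e, by_path.get(head + "\\" + name)))
    return findings


def classify(text: str) -> Dict[str, str]:
    """Map each bak-folder path (as written in the log) to its status."""
    return {f.original.path: f.status for f in pair_bak_entries(parse_awf_section(text))}


if __name__ == "__main__":
    for path, status in classify(SAMPLE_AWF).items():
        print(f"{status:19} {path}")
```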

Here is the log file produced from HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:26:17 PM, on 1/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Support.com\bin\tgcmd.exe

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\My Book\WD Backup\uBBMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Todd Gieber\My Documents\HighJackThis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE

O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm035MFUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesville.lycos.com/blockdot/popcaploader_v6.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8966 bytes


OK, here is the AWF log as requested. Please reply with next instructions.

 

 

Find AWF report by noahdfear ©2006

Version 1.40

 

The current date is: Mon 01/14/2008

The current time is: 16:48:47.87

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\WINDOWS\BAK

 

11/30/1998 06:04 PM 497,376 p_981116.exe

05/10/2000 10:00 PM 90,112 UpdReg.EXE

2 File(s) 587,488 bytes

 

Directory of C:\PROGRA~1\DELLSU~1\BAK

 

05/14/2005 11:04 PM 332,800 DSAgnt.exe

1 File(s) 332,800 bytes

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

09/25/2006 01:54 PM 229,952 iTunesHelper.exe

1 File(s) 229,952 bytes

 

Directory of C:\PROGRA~1\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

09/24/2006 02:24 AM 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\PROGRA~1\SYMNET~1\BAK

 

08/05/2005 10:36 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

 

Directory of C:\WINDOWS\EHOME\BAK

 

08/10/2004 01:04 AM 59,392 ehtray.exe

1 File(s) 59,392 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

02/02/2004 12:41 AM 495,616 hphmon05.exe

07/09/2001 10:50 AM 155,648 NeroCheck.exe

2 File(s) 651,264 bytes

 

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

 

09/10/2002 08:26 PM 368,706 CFD.exe

1 File(s) 368,706 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

10/05/2005 06:06 PM 48,752 ccApp.exe

1 File(s) 48,752 bytes

 

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

 

02/23/2005 01:19 PM 53,248 DVDLauncher.exe

1 File(s) 53,248 bytes

 

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

 

12/05/2003 02:41 PM 49,152 HPWuSchd2.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\HEWLET~1\{D9466~1\BAK

 

11/12/2003 05:23 AM 49,152 hphupd05.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

 

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe

1 File(s) 241,664 bytes

 

Directory of C:\PROGRA~1\INCRED~1\BIN\BAK

 

06/04/2006 06:52 PM 200,747 IncMail.exe

1 File(s) 200,747 bytes

 

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

 

04/25/2005 05:50 AM 139,264 iaanotif.exe

1 File(s) 139,264 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

12/05/2004 10:05 PM 127,035 tfswctrl.exe

1 File(s) 127,035 bytes

 

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

 

02/17/2006 08:59 AM 124,520 IPHSend.exe

1 File(s) 124,520 bytes

 

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

 

07/27/2004 01:50 PM 81,920 issch.exe

07/27/2004 01:50 PM 221,184 ISUSPM.exe

2 File(s) 303,104 bytes

 

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

 

06/17/2003 10:00 PM 45,056 CTDVDDET.EXE

1 File(s) 45,056 bytes

 

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

 

09/17/2003 07:43 AM 57,344 CTSysVol.exe

1 File(s) 57,344 bytes

 

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

 

11/19/2003 02:48 PM 32,881 jusched.exe

1 File(s) 32,881 bytes

 

Directory of C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK

 

04/20/2006 09:10 AM 50,792 AOLSoftware.exe

1 File(s) 50,792 bytes

 

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

 

12/04/2003 04:44 AM 176,128 hpztsb09.exe

1 File(s) 176,128 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

497376 Nov 30 1998 "C:\WINDOWS\bak\p_981116.exe"

90112 May 10 2000 "C:\WINDOWS\bak\UpdReg.EXE"

332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"

267048 Jan 6 2008 "C:\Program Files\iTunes\ituneshelper.exe"

229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

102400 Nov 21 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"

116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"

282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"

495616 Feb 2 2004 "C:\WINDOWS\system32\bak\hphmon05.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"

368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"

115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"

48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"

49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe"

241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"

204843 Jan 6 2008 "C:\Program Files\IncrediMail\bin\incmail.exe"

200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\bak\IncMail.exe"

139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"

127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"

127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"

81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"

57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"

32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe"

176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"

 

 

end of report


Hello

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
     
    "C:\WINDOWS\BAK\p_981116.exe"
    "C:\WINDOWS\BAK\UpdReg.EXE"
    "C:\PROGRA~1\DELLSU~1\BAK\DSAgnt.exe"
    "C:\PROGRA~1\ITUNES\BAK\iTunesHelper.exe"
    "C:\PROGRA~1\QUICKT~1\BAK\qttask.exe"
    "C:\PROGRA~1\SYMNET~1\BAK\SNDMon.exe"
    "C:\WINDOWS\EHOME\BAK\ehtray.exe"
    "C:\WINDOWS\SYSTEM32\BAK\hphmon05.exe"
    "C:\WINDOWS\SYSTEM32\BAK\NeroCheck.exe"
    "C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK\CFD.exe"
    "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccApp.exe"
    "C:\PROGRA~1\CYBERL~1\POWERDVD\BAK\DVDLauncher.exe"
    "C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK\HPWuSchd2.exe"
    "C:\PROGRA~1\HEWLET~1\{D9466~1\BAK\hphupd05.exe"
    "C:\PROGRA~1\HP\HPCORE~1\BAK\hpcmpmgr.exe"
    "C:\PROGRA~1\INCRED~1\BIN\BAK\IncMail.exe"
    "C:\PROGRA~1\INTEL\INTELM~1\BAK\iaanotif.exe"
    "C:\WINDOWS\SYSTEM32\DLA\BAK\tfswctrl.exe"
    "C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK\IPHSend.exe"
    "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK\issch.exe"
    "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK\ISUSPM.exe"
    "C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK\CTDVDDET.EXE"
    "C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK\CTSysVol.exe"
    "C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK\jusched.exe"
    "C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK\AOLSoftware.exe"
    "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK\hpztsb09.exe"
     
     
     
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders

    2. Press 2 then Enter to restore files from bak folders

    3. Press 3 then Enter to remove bak folders

    4. Press 4 then Enter to reset domain zones

    5. Press E then Enter to EXIT


  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right-click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


Here are the contents of the log file:

 

 

Find AWF report by noahdfear ©2006

Version 1.40

Option 2 run successfully

 

The current date is: Mon 01/14/2008

The current time is: 18:00:54.23

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\WINDOWS\BAK

 

11/30/1998 06:04 PM 497,376 p_981116.exe

05/10/2000 10:00 PM 90,112 UpdReg.EXE

2 File(s) 587,488 bytes

 

Directory of C:\PROGRA~1\DELLSU~1\BAK

 

05/14/2005 11:04 PM 332,800 DSAgnt.exe

1 File(s) 332,800 bytes

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

09/25/2006 01:54 PM 229,952 iTunesHelper.exe

1 File(s) 229,952 bytes

 

Directory of C:\PROGRA~1\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

09/24/2006 02:24 AM 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\PROGRA~1\SYMNET~1\BAK

 

08/05/2005 10:36 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

 

Directory of C:\WINDOWS\EHOME\BAK

 

08/10/2004 01:04 AM 59,392 ehtray.exe

1 File(s) 59,392 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

02/02/2004 12:41 AM 495,616 hphmon05.exe

07/09/2001 10:50 AM 155,648 NeroCheck.exe

2 File(s) 651,264 bytes

 

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

 

09/10/2002 08:26 PM 368,706 CFD.exe

1 File(s) 368,706 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

10/05/2005 06:06 PM 48,752 ccApp.exe

1 File(s) 48,752 bytes

 

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

 

02/23/2005 01:19 PM 53,248 DVDLauncher.exe

1 File(s) 53,248 bytes

 

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

 

12/05/2003 02:41 PM 49,152 HPWuSchd2.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\HEWLET~1\{D9466~1\BAK

 

11/12/2003 05:23 AM 49,152 hphupd05.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

 

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe

1 File(s) 241,664 bytes

 

Directory of C:\PROGRA~1\INCRED~1\BIN\BAK

 

06/04/2006 06:52 PM 200,747 IncMail.exe

1 File(s) 200,747 bytes

 

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

 

04/25/2005 05:50 AM 139,264 iaanotif.exe

1 File(s) 139,264 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

12/05/2004 10:05 PM 127,035 tfswctrl.exe

1 File(s) 127,035 bytes

 

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

 

02/17/2006 08:59 AM 124,520 IPHSend.exe

1 File(s) 124,520 bytes

 

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

 

07/27/2004 01:50 PM 81,920 issch.exe

07/27/2004 01:50 PM 221,184 ISUSPM.exe

2 File(s) 303,104 bytes

 

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

 

06/17/2003 10:00 PM 45,056 CTDVDDET.EXE

1 File(s) 45,056 bytes

 

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

 

09/17/2003 07:43 AM 57,344 CTSysVol.exe

1 File(s) 57,344 bytes

 

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

 

11/19/2003 02:48 PM 32,881 jusched.exe

1 File(s) 32,881 bytes

 

Directory of C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK

 

04/20/2006 09:10 AM 50,792 AOLSoftware.exe

1 File(s) 50,792 bytes

 

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

 

12/04/2003 04:44 AM 176,128 hpztsb09.exe

1 File(s) 176,128 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

497376 Nov 30 1998 "C:\WINDOWS\p_981116.exe"

497376 Nov 30 1998 "C:\WINDOWS\bak\p_981116.exe"

90112 May 10 2000 "C:\WINDOWS\UpdReg.EXE"

90112 May 10 2000 "C:\WINDOWS\bak\UpdReg.EXE"

332800 May 14 2005 "C:\Program Files\Dell Support\DSAgnt.exe"

332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"

229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"

229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

102400 Nov 21 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"

116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"

282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"

282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"

59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"

495616 Feb 2 2004 "C:\WINDOWS\system32\hphmon05.exe"

495616 Feb 2 2004 "C:\WINDOWS\system32\bak\hphmon05.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"

155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"

368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"

368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"

115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"

48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"

49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe"

49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe"

241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"

200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\IncMail.exe"

200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\bak\IncMail.exe"

139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"

139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"

127035 Dec 5 2004 "C:\WINDOWS\system32\dla\tfswctrl.exe"

127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"

127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"

124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"

81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"

81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"

221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"

57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"

57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"

32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"

32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\AOLSoftware.exe"

50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe"

176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"

176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"

 

 

end of report


When you get a free moment, please advise on next steps.

 

PC is much improved at this point, able to run things prior to issues. I appreciate the amount of time you spent working on it yesterday.


Hello

 

When you get a free moment, please advise on next steps.

I reply whenever I have the free time; you don't need to make extra posts like this, as it just means I get more email notifications. Your logs require a lot of time to go over since your PC is so horribly infected.

 

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
     
    C:\WINDOWS\bak
    C:\Program Files\Dell Support\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\ehome\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\BroadJump\Client Foundation\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\CyberLink\PowerDVD\bak
    C:\Program Files\Hewlett-Packard\HP Software Update\bak
    C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak
    C:\Program Files\HP\hpcoretech\bak
    C:\Program Files\IncrediMail\bin\bak
    C:\Program Files\Intel\Intel Matrix Storage Manager\bak
    C:\WINDOWS\system32\dla\bak
    C:\Program Files\Common Files\AOL\IPHSend\bak
    C:\Program Files\Common Files\InstallShield\UpdateService\bak
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
    C:\Program Files\Java\j2re1.4.2_03\bin\bak
    C:\Program Files\Common Files\AOL\1148597462\ee\bak
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
     
     
     
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders

    2. Press 2 then Enter to restore files from bak folders

    3. Press 3 then Enter to remove bak folders

    4. Press 4 then Enter to reset domain zones

    5. Press E then Enter to EXIT


  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right-click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
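Both FindAWF steps in this thread (option 2 to move the originals back, option 3 to delete the bak folders afterwards) hinge on the same reading of the "Duplicate files of bak directory contents" section: for each file in a bak folder, is the infection's substitute still sitting in the parent directory, is the original back in place, or is nothing there at all? The following Python script is an added example and is not part of this thread or of noahdfear's FindAWF tool; it parses that section and classifies each bak entry, using rows copied from the option 1 and option 2 reports above as constructed sample input. The function names, the three verdict labels and the size-plus-date comparison are my own choices, not FindAWF's.

```python
import ntpath
import re
from collections import namedtuple
from datetime import datetime

# One row from the "Duplicate files of bak directory contents" section:
#   <size> <Mon> <day> <year> "<path>"
Entry = namedtuple("Entry", "size date path")

ROW_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')


def parse_report(text):
    """Return the Entry rows found in a FindAWF report; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        size, mon, day, year, path = m.groups()
        date = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
        entries.append(Entry(int(size), date, path))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak' (case-insensitive)."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def classify(entries):
    """Map each original location (lower-cased) to what its parent directory holds.

    'replaced' - a same-named file with a different size or date sits where the
                 original belongs: that is the dropped substitute; restore the bak copy.
    'missing'  - nothing of that name in the parent directory: restore the bak copy.
    'restored' - the parent copy matches the bak copy in size and date: the original
                 is back, so the bak folder is safe to remove (FindAWF option 3).
    Only an exact parent-path match counts: a same-named file elsewhere on disk
    (an installer cache, another product's copy) says nothing about the startup location.
    """
    by_path = {e.path.lower(): e for e in entries}
    verdicts = {}
    for e in entries:
        if not is_bak_copy(e.path):
            continue
        app_dir = ntpath.dirname(ntpath.dirname(e.path))
        original = ntpath.join(app_dir, ntpath.basename(e.path)).lower()
        parent = by_path.get(original)
        if parent is None:
            verdicts[original] = "missing"
        elif (parent.size, parent.date) == (e.size, e.date):
            verdicts[original] = "restored"
        else:
            verdicts[original] = "replaced"
    return verdicts


def to_restore(text):
    """Sorted list of original paths whose bak copy still has to be moved back."""
    return sorted(p for p, v in classify(parse_report(text)).items() if v != "restored")


# Constructed sample input: rows copied from the option 1 and option 2 reports in this thread.
BEFORE_RESTORE = r'''
267048 Jan 6 2008 "C:\Program Files\iTunes\ituneshelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
'''

AFTER_RESTORE = r'''
229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
'''

if __name__ == "__main__":
    for label, report in (("before restore", BEFORE_RESTORE), ("after restore", AFTER_RESTORE)):
        print(f"== {label} ==")
        for original, verdict in sorted(classify(parse_report(report)).items()):
            print(f"{verdict:9} {original}")
```

Two details from the logs drive the design. The tfswctrl.exe row under C:\Program Files\Sonic\DLA\install shares a name and size with the bak copy but is not in the bak folder's parent, so it is not treated as evidence that C:\WINDOWS\system32\dla has its original back. And ccapp.exe keeps a "replaced" verdict even after option 2, because the parent still holds a Jan 2008 115816-byte file while the bak copy is the Oct 2005 48752-byte one; whether that newer file is a legitimate Norton update or not is a question for the helper reviewing the logs, not something size and date alone can settle.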


Here are the results from the log file:

 

 

Find AWF report by noahdfear ©2006

Version 1.40

Option 3 run successfully

 

The current date is: Tue 01/15/2008

The current time is: 20:24:16.45

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\PROGRA~1\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\SYMNET~1\BAK

 

08/05/2005 10:36 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

 

 

end of report


Hello

 

Please do an online scan with Kaspersky WebScanner

 

Click on Kaspersky Online Scanner and click Accept

 

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

 

Also post a new HijackThis log


Here is the log from the online scan:

 

KASPERSKY ONLINE SCANNER REPORT

Wednesday, January 16, 2008 9:36:06 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 16/01/2008

Kaspersky Anti-Virus database records: 512565

 

 

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

 

Scan Target My Computer

C:\

D:\

E:\

F:\

G:\

 

Scan Statistics

Total number of scanned objects 168577

Number of viruses found 61

Number of infected objects 142

Number of suspicious objects 2

Duration of the scan process 01:39:58

 

Infected Object Name Virus Name Last Action

C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

 

C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\temp\254671.exe Infected: Trojan-Dropper.Win32.Small.bde skipped

 

C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\temp\checkmemory.exe Infected: Trojan.Win32.Agent.drm skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/Medi35.sys Infected: Rootkit.Win32.Agent.sc skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/HTE00.sys Infected: Trojan-Downloader.Win32.Agent.ggt skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/lich.sys Infected: Trojan-PSW.Win32.LdPinch.edw skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/kernelw.sys Infected: Packed.Win32.Tibs.ap skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/taskmon.sys Infected: Rootkit.Win32.Agent.sw skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/xpdx.sys Infected: Trojan-Clicker.Win32.Costrat.db skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/asc3550p.sys Infected: Trojan.Win32.KillAV.lz skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/kcp.sys Infected: Trojan-Downloader.Win32.Agent.bnm skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/smtpdrv.sys Infected: Email-Worm.Win32.Agent.l skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip/symavc32.sys Infected: Rootkit.Win32.Agent.sc skipped

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 10 skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9fa911ff579600a20244055378148e95_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\acda40c4464575b4220dba625f016156_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Todd Gieber\triggers.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2073394E.TMP Object is locked skipped

 

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3975994838_11141120_59191 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3975994838_12976128_49727 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{DDAA8975-1BFF-42F6-A3BB-CA06183DB361}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E2DD3D6F-807C-4CF6-BC82-A75DB269A555}.TmpSBE Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Perflib_Perfdata_594.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\index[7].htm Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\index[8].htm Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Todd Gieber\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\History\History.IE5\MSHist012008011620080117\index.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\Perflib_Perfdata_9c4.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DF86F4.tmp Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DF870F.tmp Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DFBC6F.tmp Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DFBC8A.tmp Object is locked skipped
C:\Documents and Settings\Todd Gieber\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd Gieber\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd Gieber\ntuser.dat.LOG Object is locked skipped
C:\Downloads\zulu_gemsSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Downloads\ZumaSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\Documents and Settings\Sierra Gieber\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\install_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\printer.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\trant.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\wn852.exe.vir Infected: Trojan.Win32.Agent.drm skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\WINDOWS\shell.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Kpmw71.sys.vir Infected: Rootkit.Win32.Agent.sc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\OLD19.tmp.vir Infected: Rootkit.Win32.Agent.sv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mscore.dll.vir Infected: Trojan.Win32.Zapchast.dz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\printer.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir Infected: Trojan.Win32.Qhost.adl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\userv32.dat.vir Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xlibgfl254.dll.vir Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\QooBox\Quarantine\C\WINDOWS\vmmreg32.exe.vir Infected: Trojan.Win32.Agent.dqx skipped
C:\QooBox\Quarantine\C\WINDOWS\wsystmp_owo.exe.vir Infected: Trojan-Dropper.Win32.Small.bdf skipped
C:\QooBox\Quarantine\C\WINDOWS\wsystmp_ugd.exe.vir Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\QooBox\Quarantine\catchme2008-01-14_145042.37.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\QooBox\Quarantine\catchme2008-01-14_145042.37.zip ZIP: infected - 1 skipped
C:\SDFix\backups\backups.zip/backups/1.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/2.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/5.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/6.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/7.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\SDFix\backups\backups.zip/backups/bot.dll Infected: Trojan-Proxy.Win32.Xorpix.cq skipped
C:\SDFix\backups\backups.zip/backups/BraveSentry.exe Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\SDFix\backups\backups.zip/backups/BraveSentry0.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\SDFix\backups\backups.zip/backups/BraveSentry2.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\SDFix\backups\backups.zip/backups/BraveSentry3.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\SDFix\backups\backups.zip/backups/desktop.html Infected: not-virus:Hoax.Win32.Renos.cy skipped
C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q1.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q2.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q5.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q6.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q7.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/findfast.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\SDFix\backups\backups.zip/backups/ip6fw.sys Infected: Rootkit.Win32.Agent.pr skipped
C:\SDFix\backups\backups.zip/backups/kernelwind32.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/lich.exe Infected: Trojan-Downloader.Win32.Agent.fyj skipped
C:\SDFix\backups\backups.zip/backups/lrito398c-b96.sys Infected: Email-Worm.Win32.Zhelatin.qe skipped
C:\SDFix\backups\backups.zip/backups/lrito64ec-1ac8.sys Infected: Email-Worm.Win32.Zhelatin.qe skipped
C:\SDFix\backups\backups.zip/backups/m1ax1d1213216143v.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\SDFix\backups\backups.zip/backups/ma11x1dd12111v.game Infected: Trojan-Downloader.Win32.Obfuscated.n skipped
C:\SDFix\backups\backups.zip/backups/medichi.exe Infected: not-virus:Hoax.Win32.Renos.aom skipped
C:\SDFix\backups\backups.zip/backups/medichi2.exe Infected: Trojan.Win32.Agent.dqz skipped
C:\SDFix\backups\backups.zip/backups/mrofinu27.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\SDFix\backups\backups.zip/backups/mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\backups\backups.zip/backups/murka.dat Infected: Backdoor.Win32.Small.cbo skipped
C:\SDFix\backups\backups.zip/backups/newmaxxsv234.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\SDFix\backups\backups.zip/backups/shell.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\SDFix\backups\backups.zip/backups/shift.exe.exe Infected: Email-Worm.Win32.Zhelatin.rm skipped
C:\SDFix\backups\backups.zip/backups/spoolvs.exe Infected: Trojan.Win32.Qhost.adl skipped
C:\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan.Win32.Patched.bh skipped
C:\SDFix\backups\backups.zip/backups/taskmon.exe Infected: Trojan-Downloader.Win32.Tibs.to skipped
C:\SDFix\backups\backups.zip/backups/trayicon.exe Infected: Trojan.Win32.Agent.drm skipped
C:\SDFix\backups\backups.zip/backups/users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\SDFix\backups\backups.zip/backups/vedxg4am1et2.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/vedxg6ame4.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/vedxga1me4t1.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip/backups/vedxga4me1.exe Infected: Trojan-Proxy.Win32.Xorpix.cq skipped
C:\SDFix\backups\backups.zip/backups/windsk.dll Infected: not-a-virus:AdWare.Win32.Agent.yz skipped
C:\SDFix\backups\backups.zip/backups/xpupdate.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\SDFix\backups\backups.zip ZIP: infected - 46 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.nl skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP744\A0218868.exe Suspicious: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0234336.exe Infected: not-virus:Hoax.Win32.Renos.aom skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0234337.exe Infected: Trojan.Win32.Agent.dqz skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0238337.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0240336.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0243337.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0244337.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0246337.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0248337.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0272338.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0273338.exe Infected: Trojan.Win32.Patched.q skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0277386.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277439.exe Infected: Trojan.Win32.Agent.drm skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277441.sys Infected: Rootkit.Win32.Agent.sc skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277442.exe Infected: Trojan.Win32.Agent.dqx skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP805\change.log Object is locked skipped
C:\WINDOWS\BBSTORE\DSS\dssagent.exe Infected: not-a-virus:AdWare.Win32.Background skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{44260E4E-2484-456D-A51F-FA5CBD13D48C}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{87D2DF72-640A-4C9E-859A-98FAB96B5E85}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\winlogon.exe Infected: Trojan.Win32.Patched.q skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan-Downloader.Win32.Agent.gbh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.q skipped
C:\WINDOWS\Temp\JETDC91.tmp Object is locked skipped
C:\WINDOWS\Temp\JETE674.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000005-00000000-00000003-00001102-00000004-20061102}.CDF Object is locked skipped
F:\My Cool Stuff\mame\roms\hotchick.exe Suspicious: not-a-virus:Porn-Dialer.Win32.Generic skipped

Scan process completed.

Here is the latest log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:00 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TODDGI~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm035MFUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesville.lycos.com/blockdot/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9136 bytes

Share this post


Link to post
Share on other sites

Hello

 

Please download the OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Administrator\Desktop\catchme.zip
    C:\Downloads\zulu_gemsSetup-dm[1].exe
    C:\Downloads\ZumaSetup-dm[1].exe
    C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe
    C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe
    C:\WINDOWS\system32\wbem\csrss.exe

  • Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the search pattern below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity

  • Return to OTMoveIt2, right-click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

 

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

 

O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm035MFUS

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

 

2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking whether you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

 

 

 

Reboot and post a new DSS log

Share this post


Link to post
Share on other sites
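The entries the helper singled out above share two visible traits in the HijackThis output: a BHO whose DLL is reported "(file missing)" (an orphaned registration, nothing left to load) and O2/O16 entries that carry no descriptive name. The following Python script is an added example, not part of this thread and not HijackThis code; it parses lines in the HijackThis v2 format and applies exactly those two triage rules. The sample lines are copied from the logs posted in this thread; the severity labels ("high" for a missing file, "review" for an unnamed entry) are my own convention, and the unnamed Symantec BHO in the sample shows why "review" is the right level: a missing name alone is a weak signal and has to be resolved by checking the path and publisher.

```python
"""Triage of HijackThis v2 log lines (added example, not HijackThis code).

Rules mirror what the helper in this thread acted on: an O2 BHO whose DLL is
reported "(file missing)" is an orphaned registration, and unnamed O2/O16
entries deserve a second look. Severity labels are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the logs in this thread (HijackThis v2.0.2 format).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O2 - BHO: <detail>"  ->  section, kind, detail
HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# O16 detail: "{CLSID} (Friendly Name) - url"; the "(Friendly Name)" part is optional.
DPF_DETAIL = re.compile(r"^(\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")


def parse_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one HijackThis line into section, kind, name and path/URL."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    entry: Dict[str, Optional[str]] = {"section": section, "kind": kind,
                                       "name": None, "path": detail}
    if section in ("O2", "O3", "O23"):
        # "<name> - {CLSID or company} - <path>"; paths contain no " - ".
        parts = detail.split(" - ", 2)
        if len(parts) == 3:
            entry["name"], entry["path"] = parts[0], parts[2]
    elif section == "O16":
        d = DPF_DETAIL.match(detail)
        if d:
            entry["name"], entry["path"] = d.group(2), d.group(3)
    return entry


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, severity, reason) for every entry a rule matches."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        sec, name, path = e["section"], e["name"], e["path"] or ""
        if sec in ("O2", "O3") and path.endswith("(file missing)"):
            findings.append((sec, "high", f"orphaned registration, file missing: {path}"))
        elif sec in ("O2", "O3") and name == "(no name)":
            findings.append((sec, "review", f"unnamed browser module: {path}"))
        elif sec == "O16" and not name:
            findings.append((sec, "review", f"ActiveX download with no descriptive name: {path}"))
    return findings


if __name__ == "__main__":
    for section, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}")
```

Run stand-alone it prints three findings: the jkkjk.dll BHO at "high", and the Symantec BHO and the imgfarm DPF at "review". The helper removed the first and the third and left the Symantec one alone, which is the manual step the "review" label is meant to prompt.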

Here are the results of OTMoveIt2:

 

C:\Documents and Settings\Administrator\Desktop\catchme.zip moved successfully.

C:\Downloads\zulu_gemsSetup-dm[1].exe moved successfully.

C:\Downloads\ZumaSetup-dm[1].exe moved successfully.

C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe moved successfully.

C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe moved successfully.

C:\WINDOWS\system32\wbem\csrss.exe moved successfully.

[Custom Input]

< purity >

 

OTMoveIt2 v1.0.8 log created on 01202008_101102

Share this post


Link to post
Share on other sites

Here is the new DSS log:

 

Deckard's System Scanner v20071014.68

Run by Todd Gieber on 2008-01-20 10:29:09

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

82: 2008-01-20 18:29:17 UTC - RP807 - Deckard's System Scanner Restore Point

81: 2008-01-18 02:00:19 UTC - RP806 - System Checkpoint

80: 2008-01-16 23:28:02 UTC - RP805 - System Checkpoint

79: 2008-01-15 07:03:13 UTC - RP804 - Software Distribution Service 3.0

78: 2008-01-14 23:52:58 UTC - RP803 - ComboFix created restore point

 

 

-- First Restore Point --

1: 2007-10-20 09:44:57 UTC - RP726 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

 

 

-- HijackThis (run as Todd Gieber.exe) -----------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:31:00 AM, on 1/20/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Support.com\bin\tgcmd.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\My Book\WD Backup\uBBMonitor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

H:\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Todd Gieber.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE

O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.38/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesville.lycos.com/blockdot/popcaploader_v6.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8598 bytes

 

-- File Associations -----------------------------------------------------------

 

.scr - scrfile - shell\open\command - "C:\WINDOWS\Temp\checkmemory.exe" exec "%1" /S

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

 

S3 catchme - c:\docume~1\toddgi~1\locals~1\temp\catchme.sys (file missing)

S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

No disabled devices found.

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2008-01-17 19:47:01 354 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job

2008-01-17 17:59:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

 

2008-01-20 10:30:41 0 d-------- C:\Program Files\Trend Micro

2008-01-16 18:56:08 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-01-16 18:56:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-01-14 18:00:51 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>

2008-01-14 18:00:50 495616 --a------ C:\WINDOWS\system32\hphmon05.exe <Not Verified; Hewlett-Packard; HP Photosmart>

2008-01-14 18:00:49 497376 --a------ C:\WINDOWS\p_981116.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>

2008-01-13 13:55:52 3982 --a------ C:\WINDOWS\system32\tmp.reg

2008-01-13 13:54:56 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-01-13 13:54:56 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

2008-01-13 13:54:56 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2008-01-13 13:54:56 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>

2008-01-13 13:54:56 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>

2008-01-13 13:54:56 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-01-13 13:16:25 0 d-------- C:\WINDOWS\ERUNT

2008-01-06 15:15:44 0 d--hs---- C:\WINDOWS\CSC

2008-01-06 12:07:03 0 d-------- C:\Program Files\Elaborate Bytes

2008-01-02 16:16:28 0 d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari

2008-01-02 16:15:56 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll

2008-01-01 19:46:18 0 d-------- C:\Program Files\Edmark

2008-01-01 19:44:18 0 d-------- C:\Program Files\Creative Wonders

2007-12-30 21:02:09 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>

2007-12-30 21:01:38 0 d-------- C:\Program Files\Hooked on Phonics Learning

2007-12-30 09:32:14 20 --ahs---- C:\ArcDeviceInfo

2007-12-27 14:15:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo

2007-12-25 19:57:18 194362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

2007-12-25 19:53:01 0 d-------- C:\Program Files\U.B. Funkeys

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-01-20 10:25:59 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat

2008-01-20 10:25:59 384 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat

2008-01-20 10:07:40 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-01-15 20:24:14 0 d-------- C:\Program Files\QuickTime

2008-01-15 20:24:14 0 d-------- C:\Program Files\iTunes

2008-01-15 20:24:13 0 d-------- C:\Program Files\Dell Support

2008-01-14 15:39:28 0 d-------- C:\Program Files\Common Files

2008-01-14 15:39:27 0 d-------- C:\Program Files\Common Files\TiVo Shared

2008-01-06 14:27:29 502784 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

2008-01-06 12:04:55 0 d-------- C:\Program Files\SlySoft

2008-01-02 16:07:29 0 d-------- C:\Program Files\Atari

2008-01-02 16:07:28 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-01-02 14:14:41 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX

2008-01-01 19:48:22 0 d-------- C:\Program Files\The Learning Company

2008-01-01 19:45:09 1693 --a------ C:\WINDOWS\EReg077.dat

2007-12-30 09:32:12 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft

2007-12-27 14:15:31 0 d-------- C:\Program Files\MumboJumbo

2007-12-16 11:49:47 0 d-------- C:\Program Files\Puppy Luv

2007-12-14 15:22:07 1977747 --a------ C:\WINDOWS\PUZZLES.DAT

2007-12-07 20:15:28 0 d-------- C:\Program Files\Symantec

2007-11-23 21:25:44 85 ---hs---- C:\Documents and Settings\Todd Gieber\Application Data\.zreglib

2007-11-22 09:48:25 0 d-------- C:\Program Files\Norton 360

2007-11-21 23:02:01 0 d-------- C:\Program Files\iPod

2007-11-21 22:59:12 0 d-------- C:\Program Files\Apple Software Update

2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files\Apple

2007-11-11 12:59:56 364544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>

2007-11-11 11:57:07 0 --a------ C:\WINDOWS\system32\AleUpdt.bin

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/11/2004 08:10 PM]

"CTHelper"="CTHELPER.EXE" [03/11/2004 12:50 PM C:\WINDOWS\system32\CTHELPER.EXE]

"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01/06/2008 02:04 PM]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]

"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [01/06/2008 02:04 PM]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/06/2008 02:04 PM]

"WD Button Manager"="WDBtnMgr.exe" [11/11/2007 12:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/25/2006 01:54 PM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [06/04/2006 06:52 PM]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/06/2008 02:04 PM]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [9/20/2002 10:50:32 AM]

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 8:59:36 AM]

Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [9/20/2002 10:50:46 AM]

Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [9/20/2002 10:50:50 AM]

WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [11/11/2007 1:01:16 PM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

*Newly Created Service* - COMHOST

 

 

 

-- End of Deckard's System Scanner: finished at 2008-01-20 10:31:35 ------------

Share this post


Link to post
Share on other sites

I would say overall much more responsive. Many little items to fix such as no sound, e-mail issues sending, but these can be repaired.

 

Per the logs do you believe my PC is free from viruses at this point?

 

I have been running Norton 360 and prior Norton Internet Security. Any idea why it would have never caught all of these problems?

Share this post


Link to post
Share on other sites

Probably because you had an insanely infected PC that targeted a lot of legitimate files.

 

A few things to do:

 

Now we need to create a new System Restore point.

 

Click Start Menu > Run > type (or copy and paste)

 

%SystemRoot%\System32\restore\rstrui.exe

 

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

 

Next go to Start Menu > Run > type

 

cleanmgr

 

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

 

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

 

 

 

You now need to update your Java and remove your older versions.

 

Please follow these steps to remove older version Java components.

 

* Click Start > Control Panel.

* Click Add/Remove Programs.

* Check any item with Java Runtime Environment (JRE) in the name.

* Click the Remove or Change/Remove button.

 

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from

here

 

 

 

Below I have included a number of recommendations for how to protect your computer against malware infections.

 

* Keep Windows updated by regularly checking their website at:

http://windowsupdate.microsoft.com/

This will ensure your computer always has the latest available security updates installed.

 

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

Have a look at this tutorial for IE-Spyad here

 

* SpywareGuard offers realtime protection from spyware installation attempts.

 

Make Internet Explorer more secure

  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

 

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from

Here

 

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'

Here

 

Thank you for your patience, and performing all of the procedures requested.

Share this post


Link to post
Share on other sites
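The MVPS hosts file recommendation above works because the resolver consults the hosts file before DNS, so a name mapped to 127.0.0.1 never reaches the ad or malware site. The Python script below is an added example (not from this thread, MVPS, or Microsoft) that parses a hosts file the way the resolver reads it (one address followed by one or more names, `#` comments stripped, names case-insensitive) and reports whether given hostnames are sinkholed. It accepts both 127.0.0.1, as the post describes, and 0.0.0.0, which block lists also use; the sample hosts content is constructed for the example and the `.invalid` names are placeholders, not real sites. The path helper assumes the standard locations `%SystemRoot%\System32\drivers\etc\hosts` on Windows and `/etc/hosts` elsewhere.

```python
"""Check which hostnames a hosts file sinkholes (added example, not MVPS code)."""
import ipaddress
import os
from typing import Dict, Iterable

# Constructed sample hosts file; the .invalid names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.invalid   # constructed blocklist entry
127.0.0.1  tracker.example-badsite.invalid
0.0.0.0    another.example.invalid
this line is malformed and must be ignored
"""

# Addresses that block lists use to sinkhole a name: loopback or the unspecified address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_file_path() -> str:
    """Standard hosts file location for the current platform (assumed defaults)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address, as the resolver would read it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))   # normalises and validates
        except ValueError:
            continue                               # malformed line, silently ignored like the resolver
        for host in parts[1:]:
            mapping[host.lower()] = addr           # later lines win, matching resolver behaviour
    return mapping


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the hosts file redirects this name to a sinkhole address."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


def check_sinkholes(text: str, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Report, per hostname, whether the given hosts file content blocks it."""
    mapping = parse_hosts(text)
    return {h: is_sinkholed(mapping, h) for h in hostnames}


if __name__ == "__main__":
    path = hosts_file_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        print(f"Read {path}: {len(parse_hosts(content))} name(s) mapped")
    except OSError:
        content = SAMPLE_HOSTS
        print(f"{path} not readable, using the constructed sample instead")
    for name, blocked in check_sinkholes(content, ["ads.example-adserver.invalid",
                                                   "www.notlisted.invalid"]).items():
        print(f"{name}: {'sinkholed' if blocked else 'not in hosts file'}")
```

A name that is absent from the file is reported as not blocked rather than as an error, which is the practical question after installing such a list: "is this particular site actually covered?". Because later lines override earlier ones, the parser also makes it easy to spot an entry that has been re-pointed away from a sinkhole further down the file.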

Hello.

 

My assumption from your last post is that the latest logs show my PC is free from viruses?

 

I want to sincerely thank you for your time, efforts, and patience in working with me to correct my problems, I can't believe what an incredible service this site offers! In any event, wanted to let you know that I appreciated your efforts and you've given me a new outlook on how to protect my PC going forward.

 

It looks as though our journey ends here...

 

Best Wishes!

Share this post


Link to post
Share on other sites

Yes, it is indeed clean.

 

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

 

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites