PC Completely Disabled By SpyWare - Please Help


  • This topic is locked
45 replies to this topic

#1 tgieber


Posted 06 January 2008 - 11:23 PM

Today my PC went completely out of control; I must have done something to activate spyware or a trojan. Here is the summary:

- When booting in either normal or safe mode, my computer does not allow me to run any executable files, so any attempt to remove the offending spyware or trojans is unsuccessful.

- I am running Norton 360 and don't know why the viruses were not detected earlier. I had noticed recently that the computer had slowed down, but again received no warnings from my anti-virus software, even with a full scan.

- One software scan that ran before things went crazy said I had the following severe viruses:
Wild Trojan Dropper, Trojan VX15, Adware Popuper among others.

- I have researched many sites to figure out how to resolve this. I am unable to restore to an old restore point because when I try to use it or temporarily turn it off, I am given the following message: "Operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

- I don't mind if I have to reinstall my entire PC; however, I would like to pull some files off of it before I do so. I am able to see them, but can't copy them to an external hard drive due to the issue at hand.

Can anyone help me??? It would be most appreciated!

Help us to help you by reviewing the forum FAQ and then posting your HijackThis log here in your original topic. - Indrid_Cold

#2 SWI Support Robot


Posted 09 January 2008 - 06:53 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Rorschach112


Posted 09 January 2008 - 07:00 AM

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

#4 tgieber


Posted 09 January 2008 - 04:49 PM

One of the issues with my malware is that from the moment of bootup in either normal or safe mode, the virus is constantly running something (the hourglass keeps going) and will not allow me control to run any executable. Is there any way I could, say, boot to a disk and run a tool? Going into Windows does not allow me any control whatsoever. Ideas? I am also unable to get to the internet at all given this issue.

#5 Rorschach112


Posted 10 January 2008 - 08:08 AM

Let's try this way first.

Get a USB key or something and transfer DSS.exe onto it. Boot into Safe Mode and run DSS.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

#6 tgieber


Posted 13 January 2008 - 03:44 PM

OK, I was able to boot up in safe mode and run DSS.exe from the memory stick. Here is the output that I received:
Please let me know the next steps. At this point I have plans to wipe out my desktop; however, I would first like to contain the virus so I can pull some pictures off of my machine to an external hard drive before wiping everything out. If you could help me contain it, I would greatly appreciate it! Thanks in advance for your time and efforts!

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-13 12:39:34
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-13 12:40:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
H:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E91894E754BE54C29159A7DBE80DC744B6CDE3A516CAC59B6
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\documents and settings\todd gieber\application data\install_en[1].exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE
O4 - Global Startup: WD Backup Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.38/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesvill...aploader_v6.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: cryptnet - C:\WINDOWS\system32\cryptnet.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: SensLogn - C:\WINDOWS\system32\WlNotify.dll
O20 - Winlogon Notify: termsrv - C:\WINDOWS\system32\wlnotify.dll
O20 - Winlogon Notify: wlballoon - C:\WINDOWS\system32\wlnotify.dll
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe


--
End of file - 17120 bytes

-- Files created between 2007-12-13 and 2008-01-13 -----------------------------

2008-01-13 12:33:13 0 d-------- C:\WINDOWS\LastGood
2008-01-06 15:15:44 0 d--hs---- C:\WINDOWS\CSC
2008-01-06 14:31:30 18176 --a------ C:\WINDOWS\system32\drivers\smtpdrv.sys <Not Verified; NT Kernel Resources; NDIS packet redirector driver>
2008-01-06 14:31:28 21760 --a------ C:\WINDOWS\system32\drivers\Hte00.sys
2008-01-06 14:31:20 13760 --a------ C:\WINDOWS\system32\taskmon.sys
2008-01-06 14:30:54 129792 --a------ C:\WINDOWS\system32\lrito398c-b96.sys
2008-01-06 14:30:47 142848 --a------ C:\WINDOWS\system32\drivers\Kpmw71.sys
2008-01-06 14:30:19 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-01-06 14:28:48 0 --a------ C:\WINDOWS\system32\lich.dat
2008-01-06 14:17:35 70656 --a------ C:\WINDOWS\taskmon.exe
2008-01-06 14:17:30 129792 --a------ C:\WINDOWS\system32\lrito64ec-1ac8.sys
2008-01-06 14:17:29 39936 -ra------ C:\WINDOWS\mrofinu27.exe
2008-01-06 14:17:29 32997 --a------ C:\lich.exe
2008-01-06 14:17:25 8576 --a------ C:\lich.sys
2008-01-06 14:17:23 35840 --a------ C:\WINDOWS\vmmreg32.exe
2008-01-06 14:17:23 69632 --a------ C:\WINDOWS\system32\csrssw.dll
2008-01-06 14:17:21 14900 --a------ C:\WINDOWS\system32\m1ax1d1213216143v.exe
2008-01-06 14:17:17 16384 --a------ C:\WINDOWS\system32\newmaxxsv234.exe
2008-01-06 14:17:17 53248 --a------ C:\WINDOWS\system32\mstscex.dll
2008-01-06 14:17:17 4224 --a------ C:\WINDOWS\system32\drivers\kcp.sys
2008-01-06 14:17:16 53248 --a------ C:\WINDOWS\system32\oleauth32.dll
2008-01-06 14:17:14 53986 --a------ C:\WINDOWS\system32\xpdx.sys
2008-01-06 14:17:14 14336 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-06 14:17:12 16896 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2008-01-06 14:17:11 10 --a------ C:\WINDOWS\system32\kr_done1
2008-01-06 14:17:10 16384 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe
2008-01-06 14:17:07 16896 --a------ C:\WINDOWS\system32\vedxg6ame4.exe
2008-01-06 14:17:06 36352 --a------ C:\WINDOWS\system32\vedxga4me1.exe
2008-01-06 14:17:06 0 d-------- C:\Program Files\BraveSentry
2008-01-06 14:17:05 1177450 --a------ C:\Documents and Settings\Todd Gieber\Application Data\Install.dat
2008-01-06 14:17:04 35702 --a------ C:\WINDOWS\xpupdate.exe
2008-01-06 14:17:04 18294 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2008-01-06 14:17:04 17782 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2008-01-06 14:17:04 16758 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2008-01-06 14:17:03 35702 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2008-01-06 14:17:02 11638 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2008-01-06 14:16:54 29184 --a------ C:\WINDOWS\system32\kernelwind32.exe
2008-01-06 14:16:50 7712 --a------ C:\WINDOWS\system32\kernelw.sys
2008-01-06 14:16:41 29184 --a------ C:\WINDOWS\wsystmp_ugd.exe
2008-01-06 14:08:40 0 d-------- C:\Program Files\Ultimate Defender
2008-01-06 14:06:58 16384 --a------ C:\WINDOWS\system32\userv32.dat
2008-01-06 14:06:18 6144 --a------ C:\WINDOWS\murka.dat
2008-01-06 14:06:18 18944 --a------ C:\WINDOWS\medichi2.exe
2008-01-06 14:06:18 4608 --a------ C:\WINDOWS\medichi.exe
2008-01-06 14:04:35 16384 --a------ C:\WINDOWS\system32\users32.dat
2008-01-06 14:04:28 47616 --a------ C:\WINDOWS\wsystmp_owo.exe
2008-01-06 14:04:26 19968 --a------ C:\WINDOWS\system32\xlibgfl254.dll
2008-01-06 14:04:26 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ultra
2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\system32\spoolvs.exe
2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\system32\printer.exe
2008-01-06 14:03:26 9728 --a------ C:\WINDOWS\shell.exe
2008-01-06 14:03:25 18944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-01-06 14:03:25 9728 --a------ C:\Documents and Settings\Todd Gieber\Application Data\printer.exe
2008-01-06 12:07:03 0 d-------- C:\Program Files\Elaborate Bytes
2008-01-06 12:03:01 15872 --a------ C:\WINDOWS\windsk.dll
2008-01-06 08:06:08 34049 --a------ C:\WINDOWS\trayicon.exe
2008-01-06 08:06:07 34049 --a------ C:\Documents and Settings\Todd Gieber\wn852.exe
2008-01-02 16:16:28 0 d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari
2008-01-02 16:15:56 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 19:46:18 0 d-------- C:\Program Files\Edmark
2008-01-01 19:44:18 0 d-------- C:\Program Files\Creative Wonders
2007-12-30 21:02:09 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-12-30 21:01:38 0 d-------- C:\Program Files\Hooked on Phonics Learning
2007-12-30 09:32:14 20 --ahs---- C:\ArcDeviceInfo
2007-12-27 14:15:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-12-25 19:57:18 194362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>
2007-12-25 19:53:01 0 d-------- C:\Program Files\U.B. Funkeys


-- Find3M Report ---------------------------------------------------------------

2008-01-06 17:40:54 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2008-01-06 17:40:54 384 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2008-01-06 14:30:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-06 14:27:29 502784 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-06 14:06:42 0 d-------- C:\Program Files\iTunes
2008-01-06 12:04:55 0 d-------- C:\Program Files\SlySoft
2008-01-02 16:07:29 0 d-------- C:\Program Files\Atari
2008-01-02 16:07:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-01 19:48:22 0 d-------- C:\Program Files\The Learning Company
2008-01-01 19:45:09 1693 --a------ C:\WINDOWS\EReg077.dat
2007-12-27 14:15:31 0 d-------- C:\Program Files\MumboJumbo
2007-12-16 11:49:47 0 d-------- C:\Program Files\Puppy Luv
2007-12-14 15:22:07 1977747 --a------ C:\WINDOWS\PUZZLES.DAT
2007-12-07 20:15:28 0 d-------- C:\Program Files\Symantec
2007-11-23 09:34:13 0 d-------- C:\Program Files\QuickTime
2007-11-22 09:48:25 0 d-------- C:\Program Files\Norton 360
2007-11-21 23:02:01 0 d-------- C:\Program Files\iPod
2007-11-21 22:59:12 0 d-------- C:\Program Files\Apple Software Update
2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files
2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files\Apple
2007-11-11 12:59:56 364544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2007-11-11 11:57:07 0 --a------ C:\WINDOWS\system32\AleUpdt.bin
2007-10-29 14:35:13 1287680 --a------ C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40:06 227328 --a------ C:\WINDOWS\system32\wmasf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
2007-10-15 18:46:39 70 --a------ C:\WINDOWS\popcinfo.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/11/2004 08:10 PM]
"CTHelper"="CTHELPER.EXE" [03/11/2004 12:50 PM C:\WINDOWS\system32\CTHELPER.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01/06/2008 02:04 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [06/28/2007 02:09 PM]
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe" [01/06/2008 02:04 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [01/06/2008 02:04 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/06/2008 02:04 PM]
"WD Button Manager"="WDBtnMgr.exe" [11/11/2007 12:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/06/2008 02:04 PM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [01/06/2008 02:04 PM]
"Printer"="C:\WINDOWS\system32\printer.exe" [05/11/2005 09:23 PM]
"System"="C:\WINDOWS\system32\kernelwind32.exe" [01/06/2008 02:16 PM]
"SystemSv12"="C:\WINDOWS\system32\newmaxxsv234.exe" [01/06/2008 02:17 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"runner1"="C:\WINDOWS\mrofinu27.exe" [01/02/2008 01:33 PM]
"taskmon"="C:\WINDOWS\taskmon.exe" [01/06/2008 02:30 PM]
"NI.UGA6P_0001_N122M2210"="C:\documents and settings\todd gieber\application data\install_en[1].exe" [01/06/2008 02:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [05/11/2005 09:23 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg]
C:\Documents and Settings\All Users\Documents\Settings\bot.dll 01/06/2008 02:30 PM 25569 C:\Documents and Settings\All Users\Documents\Settings\bot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hte00.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-01-13 12:40:31 ------------
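The log above is what the helper reads by eye; as an added example (my own code, not part of this thread, DSS or HijackThis), here is a small Python triage script that flags the same kinds of entries from the defender's side: hosts-file lines that redirect security-vendor or update domains (the 10.18.250.4 entries), Disable* policies (the cause of the "restrictions in effect" message in the first post), a Winlogon Shell that is not plain Explorer.exe, AppInit_DLLs, Winlogon Notify DLLs outside system32, autoruns placed in the Windows root or a user profile, and a service with no vendor information running from a drive root. The vendor-domain list, the severity labels and the regex heuristics are my assumptions; the sample lines are copied from the log above plus one constructed 127.0.0.1 entry.

```python
"""Triage of HijackThis-style log lines (the format the DSS 'HijackThis Clone' above emits).
Added example: not code from the thread, DSS or HijackThis; all heuristics are assumptions."""
import re

# Assumed list of domains an infection blocks in the hosts file so scanners cannot update
# (matched as the domain itself or any subdomain of it).
SECURITY_VENDOR_DOMAINS = {"symantec.com", "symantecliveupdate.com", "norton.com", "kaspersky.com",
                           "kaspersky-labs.com", "mcafee.com", "sophos.com", "trendmicro.com",
                           "f-secure.com", "microsoft.com", "virustotal.com", "avp.com",
                           "pandasoftware.com", "grisoft.com", "nai.com", "ca.com"}
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}   # normal targets for ad-blocking hosts files
SYSTEM32 = r"c:\windows\system32"

def parse(line):
    """Split 'O4 - HKLM\\..\\Run: [Name] path' into (section, body); (None, line) if not an entry."""
    m = re.match(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())

def check_hosts(body):
    """O1: a blocked vendor domain is the strong signal; any non-blackhole target is worth a look."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
    if not m:
        return None
    addr, host = m.group(1), m.group(2).lower()
    if any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS):
        return ("high", f"hosts file blocks security/update domain {host} -> {addr}")
    if addr not in BLACKHOLE_ADDRS:
        return ("medium", f"hosts entry redirects {host} to non-loopback address {addr}")
    return None

def check_policy(body):
    """O7: Disable*/No* policies set to 1 lock the user out of regedit, Task Manager and so on."""
    m = re.search(r",\s*(Disable\w+|No\w+)\s*=\s*1\b", body)
    return ("high", f"policy {m.group(1)}=1 disables a built-in tool") if m else None

def check_shell(body):
    """F0/F2: the Winlogon Shell value should be exactly Explorer.exe."""
    m = re.search(r"Shell\s*=\s*(.+)$", body, re.I)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return ("high", f"Winlogon Shell is not plain Explorer.exe: {m.group(1).strip()}")
    return None

def check_o20(body):
    """O20: AppInit_DLLs loads into every user-mode process; Notify DLLs run inside winlogon."""
    if body.lower().startswith("appinit_dlls:"):
        return ("high", "AppInit_DLLs is set: a DLL is injected into every user-mode process")
    m = re.match(r"Winlogon Notify:\s*\S+\s+-\s+(.+)$", body, re.I)
    if m and not m.group(1).strip().lower().startswith(SYSTEM32):
        return ("high", f"Winlogon Notify DLL outside system32: {m.group(1).strip()}")
    return None

def check_o4(body):
    """O4: autoruns living in the Windows root or a user profile are unusual for legitimate software."""
    m = re.match(r'.*Run:\s*\[[^\]]*\]\s*"?([A-Za-z]:\\[^"]+?\.exe)', body, re.I)
    if not m:
        return None
    path = m.group(1).lower()
    if re.match(r"c:\\windows\\[^\\]+\.exe$", path):
        return ("medium", f"autorun executable directly in the Windows root: {path}")
    if "application data" in path or "documents and settings" in path:
        return ("medium", f"autorun executable inside a user profile: {path}")
    return None

def check_o23(body):
    """O23: a service with no vendor information whose binary sits at a drive root."""
    m = re.match(r"Service:\s*(.+?)\s+-\s+(.+?)\s+-\s+(.+)$", body)
    if m and m.group(2).strip() == "Unknown owner" and re.match(r"[a-z]:\\[^\\]+$", m.group(3).strip().lower()):
        return ("high", f"service {m.group(1)} has no vendor info and runs from a drive root: {m.group(3).strip()}")
    return None

CHECKS = {"O1": check_hosts, "O7": check_policy, "F0": check_shell, "F2": check_shell,
          "O20": check_o20, "O4": check_o4, "O23": check_o23}

def triage(log_text):
    """Return [(severity, section, reason)] for every line some check flags."""
    findings = []
    for line in log_text.splitlines():
        section, body = parse(line)
        hit = CHECKS[section](body) if section in CHECKS else None
        if hit:
            findings.append((hit[0], section, hit[1]))
    return findings

# Sample input: lines copied from the log posted above, plus one constructed benign hosts entry
# (the 127.0.0.1 line for ads.example.invalid) to show that ordinary ad-blocking is not flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 ads.example.invalid
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
O23 - Service: ZZZsvc_lich - Unknown owner - C:\lich.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
"""
```

Run it on a saved main.txt with triage(open(path).read()); anything it flags is a lead to confirm against the file's own properties, not a verdict.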

#7 Rorschach112


Posted 13 January 2008 - 03:48 PM

We can get you cleaned up for sure

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
Do this one from Normal Mode

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):

MyWebSearch
MyWebSA

Edited by Rorschach112, 13 January 2008 - 03:48 PM.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

#8 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 03:51 PM

Sorry, here are the contents of extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 17%
Physical Memory (total/avail): 1022.09 MiB / 842.64 MiB
Pagefile Memory (total/avail): 2460.07 MiB / 2415.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1956.73 MiB

C: is Fixed (NTFS) - 232.78 GiB total, 136.05 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Fixed (FAT32) - 465.64 GiB total, 443.97 GiB free.
G: is Removable (No Media)
H: is Removable (FAT)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
FirewallDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TODD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\TODD
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=TODD
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Todd Gieber (admin)
Deanna Gieber (admin)
Sierra Gieber (admin)
Jordyn Gieber (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\Ctzapxx.EXE" /W /U /S
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72A810B1-EE62-455A-A086-E1C9FEDE7F29}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
"Doras Rapido River Rafting Race (remove only)" --> "C:\Program Files\Doras Rapido River Rafting Race\Uninstall.exe"
101 Bally Slots --> C:\Games\MasqueGames\uninstall.exe "101 Bally Slots.ilg"
A Series of Unfortunate Events (remove only) --> "C:\Program Files\A Series of Unfortunate Events\Uninstall.exe"
Adobe Acrobat Reader 3.01 --> C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Toolbar 5.0 --> "C:\Program Files\AOL\AOL Toolbar 5.0\uninstall.exe"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Arthur's Thinking Games --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative Wonders\Arthur's Thinking Games\Uninst.isu"
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Backyardigans Mission to Mars (remove only) --> C:\Program Files\Backyardigans Mission to Mars\Uninstall.exe
Barbie® Pet Rescue --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mattel Interactive\Barbie®\Barbie® Pet Rescue\Uninst.isu"
Bejeweled 2 Deluxe --> "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\Uninstall.exe" "C:\Program Files\Oberon Media\Bejeweled 2 Deluxe\install.log"
Bejeweled Deluxe 1.862 -->
Bengal (CD version) --> "C:\Program Files\OXXOGames\VIVAGplayer\MyInstall.exe" ScriptUInst "C:\Program Files\OXXOGames\VIVAGplayer\Install\\Game_OxxoBengalCD.log"
Blue's Treasure Hunt --> C:\WINDOWS\IsUninst.exe -f"c:\hegames\Blues Treasure Hunt\Uninst.isu" -c"c:\hegames\Blues Treasure Hunt\Uninst.dll
Blues Room (remove only) --> C:\Program Files\Blues Room\Uninstall.exe
Bonus Mania --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C662595F-CDF9-4BF5-8323-3F7C6A7EADF7}\setup.exe" -l0x9
BookWorm Deluxe 1.03 --> C:\Program Files\PopCap Games\BookWorm Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\BookWorm Deluxe\Install.log"
Brave-Sentry --> C:\Program Files\BraveSentry\Uninstall.exe
Broadcom Advanced Control Suite --> MsiExec.exe /I{058B32E2-6310-4359-B2D4-1988390C3B83}
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 2.2 --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.1.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CareBears --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ValuSoft\CareBears\DeIsL1.isu"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Chainz 2 (remove only) --> "C:\Program Files\MumboJumbo\Chainz 2\uninstall.exe"
Chicken Hunter - License To Grill --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime9\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00848649-B063-4672-B616-B40543807750}\Setup.exe" -l0x9
Chutes and Ladders --> C:\WINDOWS\uninst.exe -fc:\Games\CHUTES~1\DeIsL1.isu
Comcast High-Speed Internet Install Wizard --> C:\Program Files\Support.com\uninstall\chsi_uninstaller.exe
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Desktop Doctor --> "C:\Program Files\Support.com\providerComcast\Uninstall.exe" /c "Remove Desktop Doctor?"
Disney's Princess Fashion Boutique --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\PRINCE~1\DeIsL1.isu
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
Disney's You Can Fly! with Tinker Bell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5071AC4-B0E3-11D5-AA2E-0008C760B784}\setup.exe" Disney's You Can Fly! with Tinker Bell
Dora the Explorer 3D Pyramid Adventure (remove only) --> "C:\Program Files\Dora the Explorer 3D Pyramid Adventure\Uninstall.exe"
Dora the Explorer: Animal Adventures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A34CCD1C-7738-47B9-863D-8E0C478FB8F7}\setup.exe" -l0x9 -uninst
Dora`s Magic Castle (remove only) --> C:\Program Files\Dora`s Magic Castle\Uninstall.exe
Dora`s World Adventure (remove only) --> C:\Program Files\Dora`s World Adventure\Uninstall.exe
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Dynomite Deluxe 2.71 --> C:\Program Files\PopCap Games\Dynomite Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Dynomite Deluxe\Install.log"
Edmark MindTwister Math --> C:\WINDOWS\unvise32.exe C:\Program Files\Edmark\MindTwister Math\uninstal.log
eGames GameButler --> C:\PROGRA~1\eGames\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\eGames\GAMEBU~1\INSTALL.LOG
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
Fisher-Price® - Toddler --> D:\setup.exe -funinst.ins
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Grammar Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Davidson\Grammar\DeIsL1.isu"
Hello Kitty Cutie World --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3F2EC51-4473-4535-BEE4-01B8B39ACEF7}\Setup.exe" -l0x9
High Flying Act - Interactive Storybook --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\High Flying Act - Interactive Storybook\Uninstall.xml"
Hooked on Phonics Master Reader --> C:\WINDOWS\unvise32.exe C:\Program Files\Hooked on Phonics Learning\Master Reader\uninstal.log
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Software Update --> MsiExec.exe /X{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}
IncrediMail Xe --> C:\PROGRA~1\INCRED~1\bin\imsetup.exe /remove /addon:IncrediMail /log:IncMail.log
Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Internet Lottery 1.2.0 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\SPK210.Inf, DefaultUninstall
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Joes 3-D Scavenger Hunt (remove only) --> "C:\Program Files\Joes 3-D Scavenger Hunt\Uninstall.exe"
JumpStart Preschool v2.0 --> C:\WINDOWS\IsUninst.exe -fC:\KA\PRSCHL99\DeIsL1.isu
JumpStart Toddlers 2001 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Knowledge Adventure\JSTD2001\DeIsL1.isu"
Just Grandma and Me --> C:\WINDOWS\uninst.exe -fC:\Lvg_Bks\DeIsL1.isu
Kid Pix Deluxe 3 --> C:\Program Files\Broderbund\Kid Pix Deluxe 3\uninstal.exe
Leap Ahead Kindergarten --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Kindergarten\Uninst.isu"
Leap Ahead Phonics Ages 4-7 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Phonics Ages 4-7\Uninst.isu"
Leap Ahead Preschool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Leap Ahead Preschool\Uninst.isu"
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LifeGlobe Sharks, Terrors of the Deep 2 --> "C:\Program Files\Prolific Publishing, Inc\Sharks2\unins000.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Luxor 3 --> "C:\Program Files\MumboJumbo\Luxor 3\uninstall.exe"
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic Ball 2 Spring Time (remove only) --> "C:\Program Files\Magic Ball 2 Spring Time\Uninstall.exe"
Mall Tycoon 3 --> MsiExec.exe /I{205140F6-F3AC-45CE-9627-9CF35C6E1C2E}
Marine Aquarium 2.5, Goldfish, Sharks & Carousel Bundle --> C:\WINDOWS\IsUninst.exe -fc:\ScreenSavers\Aquarium\Uninst.isu
Meerca Chase Screen Saver --> sstunst2.exe Meerca Chase
Mickey Saves the Day --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\MICKEY~1\DeIsL1.isu
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Mike's Monstrous Adventure --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D2B1159-89F1-11D6-B2FB-0002A5E32BEF}\setup.exe" Mike's Monstrous Adventure
Monopoly Junior --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Monopoly Junior\Uninst.isu"
Monsters, Inc. Wreck Room Arcade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27CACECD-7452-41A2-B1D5-76B18E79700F}\setup.exe" Boris
My Disney Kitchen --> C:\WINDOWS\IsUninst.exe -fc:\games\MICKEY~1\DeIsL2.isu
My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
My Web Search (Zwinky) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll,O
MysticForest --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5C61666-12FE-4776-B0DB-55C82AADD222}\setup.exe" -l0x9 -removeonly
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
netMarket --> D:\netmarkt\netmarkt\setup.exe -fNETMKTUN.ins
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{40DA9A54-48CA-4A2C-AEAF-F67715BB046E}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Penguin Puzzle --> C:\PROGRA~1\eGames\PENGUI~1\UNWISE.EXE C:\PROGRA~1\eGames\PENGUI~1\INSTALL.LOG
Petz 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\PF.Magic\Petz 3\Uninst.isu"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\setup\hpzscr01.exe -datfile hphscr01.dat
Pirates of Treasure Island --> C:\PROGRA~1\eGames\PIRATE~1\UNWISE.EXE C:\PROGRA~1\eGames\PIRATE~1\INSTALL.LOG
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Puppy Luv --> MsiExec.exe /I{125A502F-2DF9-4948-A6A3-A7491D938CF0}
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
Quicken 2003 Premier --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2F3A571A-AE8C-4938-88A7-71E4F04D057A} anything
Reader Rabbit's Kindergarten --> C:\TLCWIN\RRK20\UNWISE.EXE C:\TLCWIN\RRK20\INSTALL.LOG
Reader Rabbit's Preschool --> C:\Games\READER~1\UNWISE.EXE C:\Games\READER~1\INSTALL.LOG
Reader Rabbit 1st Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Reader Rabbit 1st Grade\Uninstall.xml"
Reader Rabbit® I Can Read! With Phonics --> C:\Program Files\The Learning Company\Reader Rabbit® I Can Read! With Phonics\uninstall.exe
Rhapsody Player Engine --> MsiExec.exe /I{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}
Rocket Mania Deluxe 1.02 --> C:\Program Files\PopCap Games\Rocket Mania Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Rocket Mania Deluxe\Install.log"
RollerCoaster Tycoon 3 Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\SETUP.EXE" -l0x9 -removeonly
School Tycoon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CFFE053-748A-44DC-A248-06EA38E4BC03}\setup.exe"
SeaWorld Adventure Park Tycoon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48A6E89E-D2D3-4DA7-8A7C-FBB8F1083409}\setup.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Snail Mail (remove only) --> "C:\Program Files\Snail Mail\Uninstall.exe"
Snowy - Treasure Hunter (remove only) --> "C:\Program Files\Snowy - Treasure Hunter\Uninstall.exe"
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sorry --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL2.isu
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\setup.exe" -l0x9
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spinner the Space Kid (remove only) --> C:\Program Files\Spinner the Space Kid\Uninstall.exe
SpongeBob SquarePants - Battle for Bikini Bottom --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A7E6A962-C086-47E3-BAEC-9C84AF292820}\setup.exe" -l0x9 -uninst
SpongeBob SquarePants 3-D --> C:\PROGRA~1\NICKAR~1\SPONGE~1\UNWISE.EXE C:\PROGRA~1\NICKAR~1\SPONGE~1\INSTALL.LOG
SpongeBob SquarePants Employee of the Month --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\SpongeBob SquarePants\Employee of the Month\Uninst.isu"
SpongeBob SquarePants Obstacle Odyssey (remove only) --> C:\Program Files\SpongeBob SquarePants Obstacle Odyssey\Uninstall.exe
SpongeBob SquarePants® Operation Krabby Patty --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\SpongeBob SquarePants\Operation Krabby Patty\Uninst.isu"
StarFlyers Royal Jewel Rescue --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\StarFlyers Royal Jewel Rescue\Uninstall.xml"
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
The Fairly OddParents --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBA98386-2B74-4C54-B085-543E7D5A3FAC}\Setup.exe" -l0x9 \ /uninst
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
The Land Before Time Kindergarten Adventure --> C:\Lbtkind\UNWISE.EXE C:\Lbtkind\INSTALL.LOG
TiVo Desktop 2.4a --> MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}
TurboTax Deluxe 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
U.B. Funkeys --> C:\Program Files\U.B. Funkeys\uninstall.exe
Ultra soft --> C:\Documents and Settings\Todd Gieber\Application Data\ultra\uninstall.bat
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) -->
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VIVA MEDIA GAME CENTER --> "C:\Program Files\OXXOGames\VIVAGplayer\MyInstall.exe" UInstAllGPAndDS
WD Backup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A351224F-533A-4EED-89F4-0BF3417FD31D}\setup.exe" -l0x9
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WD Firewire HID Driver --> MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Wild Thornberrys Australian Wildlife Rescue (remove only) --> "C:\Program Files\Wild Thornberrys Australian Wildlife Rescue\Uninstall.exe"
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Yahtzee --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
Zulu Gems (remove only) --> "C:\Program Files\iWin.com\Zulu Gems\Uninstall.exe"
Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"


-- Application Event Log -------------------------------------------------------

Event Record #/Type37651 / Error
Event Submitted/Written: 01/06/2008 04:02:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tivoserver.exe, version 1.4.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Processing media-specific event for [tivoserver.exe!ws!]

Event Record #/Type37650 / Error
Event Submitted/Written: 01/06/2008 04:02:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tivotransfer.exe, version 1.3.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Processing media-specific event for [tivotransfer.exe!ws!]

Event Record #/Type37649 / Error
Event Submitted/Written: 01/06/2008 04:02:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ccapp.exe, version 106.2.0.21, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Processing media-specific event for [ccapp.exe!ws!]

Event Record #/Type37648 / Error
Event Submitted/Written: 01/06/2008 04:01:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mwsoemon.exe, version 1.2.2.4, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Processing media-specific event for [mwsoemon.exe!ws!]

Event Record #/Type37647 / Error
Event Submitted/Written: 01/06/2008 04:01:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dssagent.exe, version 1.0.3.0, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Processing media-specific event for [dssagent.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20441 / Error
Event Submitted/Written: 01/13/2008 00:32:19 PM / 01/13/2008 00:32:49 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type20438 / Error
Event Submitted/Written: 01/07/2008 04:10:02 PM / 01/07/2008 04:10:34 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type20432 / Error
Event Submitted/Written: 01/07/2008 09:56:22 AM / 01/07/2008 09:56:54 AM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type20427 / Error
Event Submitted/Written: 01/06/2008 07:40:09 PM / 01/06/2008 07:40:39 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

Event Record #/Type20424 / Error
Event Submitted/Written: 01/06/2008 07:31:54 PM / 01/06/2008 07:32:21 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'wowfx.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.



-- End of Deckard's System Scanner: finished at 2008-01-13 12:37:03 ------------
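The five Application Error records above all point at the same faulting module, users32.dat, at the same address, which is the signature of code injected into otherwise unrelated programs. As an added example (not from the thread or from Deckard's scanner), the following Python parses Event ID 1000 entries in the format the scanner printed and flags a module that crashes several distinct applications, has no version resource, or carries a non-code extension; the five records are copied from the log above and the iexplore.exe record is a constructed benign control.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Event ID 1000 description line as written by Application Error on Windows XP.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), "
    r"faulting module (?P<mod>[^,]+), version (?P<mod_ver>[^,]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)\."
)
# Extensions a crash normally points at; anything else mapped as code is odd.
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".cpl", ".ax"}

# Records copied from the Deckard's log above (abridged to the lines the
# parser reads); the last record is CONSTRUCTED as a benign control.
SAMPLE_LOG = """\
Event Record #/Type37651 / Error
Event Submitted/Written: 01/06/2008 04:02:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tivoserver.exe, version 1.4.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Event Record #/Type37650 / Error
Event Submitted/Written: 01/06/2008 04:02:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tivotransfer.exe, version 1.3.265.782, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Event Record #/Type37649 / Error
Event Submitted/Written: 01/06/2008 04:02:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ccapp.exe, version 106.2.0.21, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Event Record #/Type37648 / Error
Event Submitted/Written: 01/06/2008 04:01:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mwsoemon.exe, version 1.2.2.4, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Event Record #/Type37647 / Error
Event Submitted/Written: 01/06/2008 04:01:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dssagent.exe, version 1.0.3.0, faulting module users32.dat, version 0.0.0.0, fault address 0x000012a2.
Event Record #/Type37600 / Error
Event Submitted/Written: 01/05/2008 09:15:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0004a1c3.
"""


@dataclass
class Fault:
    when: str
    app: str
    module: str
    module_version: str
    address: str


def parse_event_log(text):
    """Turn the scanner's Application Event Log text into Fault records.
    Only Event ID 1000 records carry a 'Faulting application' line."""
    faults, when, event_id = [], None, None
    for line in text.splitlines():
        if line.startswith("Event Submitted/Written:"):
            when = line.split(":", 1)[1].strip()
        elif line.startswith("Event ID/Source:"):
            event_id = line.split(":", 1)[1].split("/")[0].strip()
        else:
            m = FAULT_RE.search(line)
            if m and event_id == "1000":
                faults.append(Fault(when, m["app"].lower(), m["mod"].lower(),
                                    m["mod_ver"], m["addr"].lower()))
    return faults


def find_suspicious_modules(text, min_apps=3):
    """Group faults by module and report the ones that look like injected code:
    one module crashing several unrelated applications, a 0.0.0.0 version, or a
    file extension (here .dat) that should never be loaded as code at all."""
    by_module = defaultdict(list)
    for f in parse_event_log(text):
        by_module[f.module].append(f)
    findings = []
    for module, faults in by_module.items():
        apps = sorted({f.app for f in faults})
        ext = module[module.rfind("."):] if "." in module else ""
        reasons = []
        if len(apps) >= min_apps:
            reasons.append(f"crashes {len(apps)} distinct applications")
        if ext not in CODE_EXTENSIONS:
            reasons.append(f"non-code extension {ext!r}")
        if all(f.module_version == "0.0.0.0" for f in faults):
            reasons.append("no version resource")
        if reasons:
            findings.append({"module": module, "apps": apps,
                             "addresses": sorted({f.address for f in faults}),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_modules(SAMPLE_LOG):
        print(finding)
```

A module flagged this way is not proof of infection on its own, but a shared fault address across several processes is exactly what the SDFix run later confirmed when it named the executables patched to load users32.dat.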

#9 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 884 posts

Posted 13 January 2008 - 03:52 PM

Thanks, you can follow the steps in my previous post while I examine this.
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#10 tgieber

tgieber

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 13 January 2008 - 03:53 PM

Just so you know, I am using my work laptop to communicate with you, while using the memory stick to pass files between the home and work PCs.

#11 tgieber

tgieber

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 13 January 2008 - 04:06 PM

Ok, here is where I am at per your instructions:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.

Upon trying to boot in safe mode I get a window that says, "c:\windows\shell.exe" Application not found.

Can I run this from safe mode via command prompt?

#12 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • PipPipPipPipPip
  • 884 posts

Posted 13 January 2008 - 04:08 PM

Can you not get it to run with those instructions? Just ignore that window you get and try to run the program.

If it fails just continue on to the next step.
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#13 tgieber

tgieber

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 13 January 2008 - 04:25 PM

Sorry, working now... Just finished SDFix. Will keep you posted.

#14 tgieber

tgieber

    Member

  • Full Member
  • Pip
  • 28 posts

Posted 13 January 2008 - 04:37 PM

Ok, here is the output of the report.txt from running SDFix:


SDFix: Version 1.126

Run by Administrator on Sun 01/13/2008 at 01:17 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Driver
kcp
smtpdrv
taskmon.sys
ZZZdrv_lich
ZZZsvc_lich
lrito398c-b96
lrito64ec-1ac8
HTE00

Path:
\??\C:\WINDOWS\system32\kernelw.sys
\??\C:\WINDOWS\system32\drivers\kcp.sys
System32\DRIVERS\smtpdrv.sys
\??\C:\WINDOWS\system32\taskmon.sys
\??\C:\lich.sys
C:\lich.exe
\??\C:\WINDOWS\system32\lrito398c-b96.sys
\??\C:\WINDOWS\system32\lrito64ec-1ac8.sys
System32\Drivers\Hte00.sys

Driver - Deleted
kcp - Deleted
smtpdrv - Deleted
taskmon.sys - Deleted
ZZZdrv_lich - Deleted
ZZZsvc_lich - Deleted
lrito398c-b96 - Deleted
lrito64ec-1ac8 - Deleted
HTE00 - Deleted



Infected Winlogon.exe Found!

Winlogon File Locations:

"C:\WINDOWS\system32\winlogon.exe" 502784 01/06/2008 02:27 PM
"C:\WINDOWS\system32\dllcache\winlogon.exe" 502784 01/07/2008 04:09 PM

Modified Files Are Listed Below:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Note: SDFix Does Not Repair This File!


Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/10/2004 02:00 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

Trojan File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Unable To Replace Infected File!


Infected Svchost.exe Found!

Svchost.exe File Locations:

"C:\WINDOWS\system32\svchost.exe" 14336 08/10/2004 02:00 AM
"C:\WINDOWS\system32\dllcache\svchost.exe" 14336 08/10/2004 02:00 AM

Modified file is listed below:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllcache\svchost.exe

Infected File copied to Backups Folder
SDFix cannot repair this file!

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service
Resetting AppInit_DLLs value


Rebooting...

Service asc3550p - Deleted after Reboot
Service Medi35 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\lrito398c-b96.sys - Deleted
C:\WINDOWS\system32\lrito64ec-1ac8.sys - Deleted
C:\WINDOWS\system32\drivers\Medi35.sys - Deleted
C:\WINDOWS\system32\drivers\HTE00.sys - Deleted
C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\19.TMP - Deleted
C:\1A.TMP - Deleted
C:\1B.TMP - Deleted
C:\1C.TMP - Deleted
C:\1D.TMP - Deleted
C:\1E.TMP - Deleted
C:\1F.TMP - Deleted
C:\20.TMP - Deleted
C:\WINDOWS\SYSTEM32\FORRIEPP.TMP - Deleted
C:\Documents and Settings\All Users\Documents\Settings\bot.dll - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\7.dllb - Deleted
C:\Documents and Settings\Todd Gieber\Local Settings\Temp\ma11x1dd12111v.game - Deleted
C:\WINDOWS\system32\shift.exe.exe - Deleted
C:\Program Files\BraveSentry\BraveSentry.exe - Deleted
C:\Program Files\BraveSentry\BraveSentry.lic - Deleted
C:\Program Files\BraveSentry\BraveSentry0.bs - Deleted
C:\Program Files\BraveSentry\BraveSentry0.dll - Deleted
C:\Program Files\BraveSentry\BraveSentry1.bs - Deleted
C:\Program Files\BraveSentry\BraveSentry2.dll - Deleted
C:\Program Files\BraveSentry\BraveSentry3.dll - Deleted
C:\Program Files\BraveSentry\Uninstall.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe - Deleted
C:\.exe - Deleted
C:\?.exe - Deleted
C:\lich.exe - Deleted
C:\WINDOWS\desktop.html - Deleted
C:\WINDOWS\medichi.exe - Deleted
C:\WINDOWS\medichi2.exe - Deleted
C:\WINDOWS\mrofinu*.exe - Deleted
C:\WINDOWS\murka.dat - Deleted
C:\WINDOWS\shell.exe - Deleted
C:\WINDOWS\system32\*_exception.nls - Deleted
C:\WINDOWS\system32\dllgh8jk*.exe - Deleted
C:\WINDOWS\system32\kernelwind32.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\lrito.ini - Deleted
C:\WINDOWS\system32\m1ax1d1*.exe - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\newmaxxsv234.exe - Deleted
C:\WINDOWS\system32\oleauth32.dll - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\spoolvs.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\vedxg*m*.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\taskmon.exe - Deleted
C:\WINDOWS\trayicon.exe - Deleted
C:\WINDOWS\windsk.dll - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\lich.sys - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\drivers\kcp.sys - Deleted
C:\WINDOWS\system32\drivers\smtpdrv.sys - Deleted
C:\WINDOWS\system32\drivers\symavc32.sys - Deleted
C:\WINDOWS\system32\kernelw.sys - Deleted
C:\WINDOWS\system32\taskmon.sys - Deleted



The files below have been patched by Trojan.Agent.zb to load users32.dat and should be replaced:

C:\WINDOWS\BBSTORE\DSS\DSSAGENT.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe


Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\Program Files\BraveSentry - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 13:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
\x1b2a\xf379\xd799\x1c6\\x9eb0S\\\xffff\xffff\xffff\xffff\4\xd028S\x218\xffff\xffff\\\36\4ta\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x2001\4\1)\x6f43\x746e\x6f72\x206c\x7954\x6570\xa470H\xffd8\xffff\x6b76\16\4\x8000\\4\1c\x754d\x746c\x7069\x656c\x4920\x6574\x736d\30\xffd8\xffff\x6b76\r\4\x8000\1\4\1\34\x6843\x6e61\x656e\x206c\x6f43\x6e75\xec748\xffd8\xffff\x6b76\17\4\x8000\\4\19\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\x6268\x6e69\xa000S\x1000\\\\\\xffa8\xffff\x6b6e \xdf5a\xfd27\xb03b\x1c7\\x9eb0S\\\xffff\xffff\xffff\xffff\5\xa58\37\x218\xffff\xffff\\\36\4\1\b\x2020\x2020\x2020\x3120\xffd8\xffff\x6b76\r\4\x8000\2\4\1<\x6843\x6e61\x656e\x206c\x6f43\x6e75\x9174I\xffd8\xffff\x6b76\17\4\x8000\xa8f3\4\1l\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\xa8f3\4\1 \x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffa0\xffff{8ECC055D-047F-11D1-A537-0000F8753ED1}00\\xfff8\xffff\xad28S\xffe8\xffff\x686c\2\x9f08S\x9f10\xf1db\xa020S\x9f11\xf1db\xffa8\xffff\x6b6e \x1b2a\xf379\xd799\x1c6\\x9058'\1\\xa2c0S\xffff\xffff\4\xa250S\x218\xffff\xffff\20\\32\4\22\b\x2020\x2020\x2020\x3231\xffe0\xffff\x6b76\6\4\x8000\1\6\4\1-\x694c\x656e\x6449 \xffd8\xffff\x6b76\r\4\x8000\1\4\1I\x6f43\x746e\x6f72\x206c\x6f43\x6e75tD\xffe0\xffff\x6b76\b\4\x8000\x8029\4\014\x6f53\x7275\x6563\x6449\xffe0\xffff\x6b76\6\4\x8000\r\4\1O\x6544\x7473\x6449D\xffe8\xffff\xa1c8S\xa1e8S\xa210S\xa230S\\xffa8\xffff\x6b6e \x1b2a\xf379\xd799\x1c6\\xa170S\1\\xa408S\xffff\xffff\\xffff\xffff\x218\xffff\xffff\20\\\\\b\x6f43\x746e\x6f72\x736c\xfff0\xffff\x686c\1\xa268S\x86f8\x64f3\xffa8\xffff\x6b6e \x1b2a\xf379\xd799\x1c6\\xa268S\\\xffff\xffff\xffff\xffff\5\xa3c8S\x218\xffff\xffff\\\36\4\\b\x2020\x2020\x2020\x3020\xffd8\xffff\x6b76\f\4\x8000\1\x5003\4\1\x6369\x6f43\x746e\x6f72\x206c\x7954\x6570\x8a8I\xffd8\xffff\x6b76\16\4\x8000\\4\1 
\x754d\x746c\x7069\x656c\x4920\x6574\x736dD\xffd8\xffff\x6b76\r\4\x8000\2\4\1p\x6843\x6e61\x656e\x206c\x6f43\x6e75tt\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffe8\xffff\xa328S\xa350S\xa378S\xa3a0S\xa3e0S\xffd8\xffff\x6b76\17\4\x8000\x7ffe\4\1a\x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xfff0\xffff\x686c\1\xa2d0S\x9f10\xf1db\xffc8\xffff(Standard disk drives)\\\xffa8\xffff{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}er\xffd8\xffff\x6b76\r\b\x270\36\1\1U\x6e49\x5366\x6365\x6974\x6e6f\x7845\x5b74W\xffd0\xffff\x5180\1\\\3TO\1\xbba0\r\1\xbba0\r\\\xffe0\xffff\x6b76\5N\x2840f\1\1\x4c43\x4953D\xfff0\xffff\x686c\1\xae18S\x2140&\xffc8\xffff(Standard system devices)\xffe0\xffff\x6b76\5\16\xcb38P\1\1e\x6c43\x7361s?\xfff8\xffff\xad08S\xffd0\xffff\xce90\26\xcf00\26\xcf48\26\xcf98\26\x4430\x9eb8\xf598\f\xd020\26\xd100\26\x4e08R\x7574\x6573\xffa0\xffff\x6b6e \x3a7c\x4437\xdb7f\x1c6\\x7e20\r\\\xffff\xffff\xffff\xffff\1\xb4f0D\x218\xffff\xffff\\\b\2\a\f\x3530\x6361\x3231\x6130\x3030\x3230\x736f\x666f\xffc8\xffff\x10f0\32\x1570\32\x11d8\32\x1200\32\x1238\32\x12e8\32\x13c8\32\x1448\32\x13a8\32\x14f0\32\x1468\32\x3cd8\32\x7b78\32\xffe0\xffff\x6b76\b\4\x8000\\4\1(\x4955\x754e\x626d\x7265\xffd0\xffff\x99f0\27\x9a18\27\x3cf08\x67088\x3e088\x3e308\xdcd07\x2cd88\xe1287\xdc80O\x1ff\17\xffc8\xffff(Standard system devices)\xfff0\xffff\x6020Z\xa020Z\x2020Z\xffc0\xffffsystem32\DRIVERS\usbscan.sys\\xfff0\xffff-11\x4e2f\xc0ac\xffc0\xffff\x686c\5\xf020\20\x614\x439a\x23a8T\x475a\x5856\xb8e0\21\x4229\xbc14\xba80\21\xe2d0\xe465\xd138\21\xd0f9\x6141\x76e8\32\xdad8\32\b\\xffe0\xffff\x6b76\5\4\x8000\3\4\1\32\x7453\x7261\x6974\x7974\xffa8\xffff\x6b6e \x99aa\x7622\x50b3\x1c8\\x3ea8T\\\xffff\xffff\xffff\xffff\6\x8ed8D\xd6a8\r\xffff\xffff\16\\26N\\4\x3030\x3030\xe0a8S\xffa8\xffff{36FC9E60-C465-11CF-8056-444553540000}mod\xffa8\xffffSettings storage and management 
service\x4d74\x7267\xffc8\xffff\x6b76\e\x4e9a\x70b0S\a\1D\x6550\x646e\x6e69\x4667\x6c69\x5265\x6e65\x6d61\x4f65\x6570\x6172\x6974\x6e6fs\x9de0D\xffe0\xffff\x6b76\4\24\x46585\1\1t\x6349\x6e6f\xbae0D\xffe0\xffff\x6b76\4\4\x8000\x120\4\1v\x7954\x6570\35\xffd8\xffff\x6b76\16,\x20b8T\3\1\x6146\x6c69\x7275\x4165\x7463\x6f69\x736e&\b\xa500S\xffe0\xffff\x6b76\b\xa8\xe2d0S\3\19\x6553\x7563\x6972\x7974\xff68\xffffUSB\Class_08&SubClass_06&Prot_50USB\Class_08&SubClass_06USB\Class_08\\\xffd8\xffff\x6b76\n\30\xbbc8N\1\19\x624f\x656a\x7463\x614e\x656d\x6174\x7574s\b\xa780S\xffd8\xffff\x6b76\n\36\xaa60S\1\1N\x6e49\x5366\x6365\x6974\x6e6fSys\xffd8\xffffvolume_installS\xf350S\xffd8\xffff\x6b76\f\24\x9e38'\1\1\x7250\x766f\x6469\x7265\x614e\x656d25\b\xa7f8S\xffd8\xffff\x6b76\n\36\xf328S\1\1N\x6e49\x5366\x6365\x6974\x6e6fSys\xffe0\xffff\x6b76\5\4\x8000\2\4\1U\x7453\x7261\x7974\x7065\xffc8\xffff\xa298\r\x9158.\xdc50\1\x1f00Q\x1f28Q\x1f50Q\x1f98Q\xee30R\xb858R\xd290R\xb508R\xd3c0R\xda68R\xffd0\xffff\x6b76\24\4\x8000\1\4\1D\x7845\x5074\x6f72\x4470\x7365\x5363\x6d65\x7061\x6f68\x6572\xba20D\xffb8\xffff%SystemRoot%\System32\spmsg.dll\xde30)\xfff0\xffffPorts\xffa0\xffff{36FC9E60-C465-11CF-8056-444553540000}19\\xffc8\xffff\xb688\32\x4500I\x4fc0J\xf6e0N\xf7c0N\xb1c8Q\x6c10K\x2e70R\x4fd8R\xc350M\xbd38N\xe700N\x5240R\xffa8\xffff\x6b6e \x7610\xe981\x562a\x1c8\\xb6a8:\1\1\x7070S\x1bb0\x8000\v\xa28M\x218\xffff\xffff\20\\36\x9204\b\x6363\x7645\x4d74\x7267\xffd0\xffff\xb898\35\x50a8\35\x96a8(\xd810)\xd908)\xb9e89\x73d0(\x9238(\x7f80(\x8130R\\xffd8\xffff\x6b76\f\4\x8000\x84\4\1n\x6143\x6170\x6962\x696c\x6974\x7365p\xffe0\xffff\x6b76\b\xa8\x5570W\3\1D\x6553\x7563\x6972\x7974\xffe0\xffff\x6b76\b\xa8\x7bb0W\3\1v\x6553\x7563\x6972\x7974\xffa8\xffff\x6b6e \x506a\x5775\x50bd\x1c8\\x2998S\\\xffff\xffff\xffff\xffff\a\x7a50N\xd6a8\r\xffff\xffff\16\\30N\\4\x3030\x3030\x6c61\x796c\xffe8\xffffInteloft\xffa0\xffff\x6b6e 
\x7647\xabe2\xdb7e\x1c6\\x738\34\1\\xa520S\xffff\xffff\1\x7260P\xd6a8\r\xffff\xffff\b\\30\4T\17\x454c\x4147\x5943\x495f\x5244\x5649\x5245T\xffa8\xffff\x6b6e \xd582\xd489\xf0e0\x1c6\\xadb8S\\\xffff\xffff\xffff\xffff\6\xd248I\xd6a8\r\xffff\xffff\16\\26N\\4\x3030\x3030\\xffa8\xffff{36FC9E60-C465-11CF-8056-444553540000}\\\xffd8\xffff\x6b76\n*\xdc88S\1\1\x6544\x6976\x6563\x6544\x6373\\xffd8\xffff\x6b76\f\4\x8000\\4\1\x6143\x6170\x6962\x696c\x6974\x7365\\b\xb8f0\35\xffa0\xffff{4D36E967-E325-11CE-BFC1-08002BE10318}05\\xffd8\xffff\xaa08H\xc540L\x46f0Q\xde18Q\xe2c0Q\x4d78R\x81d0R\xaa08S\xa920S\xffa8\xffff\x6b6e \x8644\x9b10\xf0df\x1c6\\xad0-\\\xffff\xffff\xffff\xffff\b\x4198T\x218\xffff\xffff\\ \36\a\4\x3030\x3730\x1388I\x6268\x6e69\xb000S\x3000\\\\\\xffd8\xffff\x6b76\17\4\x8000\xa8f3\4\1l\x6843\x6e61\x656e\x206c\x2020\x2020\x20200\xffd8\xffff\x6b76\17\4\x8000\xa8f3\4\1 \x6843\x6e61\x656e\x206c\x2020\x2020\x20201\xffa8\xffff\x6b6e \x1b2a\xf379\xd799\x1c6\\x1c58B\1\\xbd30S\xffff\xffff\4\x7658N\x218\xffff\xffff\20\\32\4\22\b\x2020&

#15 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 04:42 PM

Ok, next snag...

I am able to download SmitfraudFix to my memory stick, but when I try to copy it to the desktop, the "Paste" option is disabled and I cannot figure out how to get it to the desktop. Can I run it right from the memory stick?

#16 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 04:59 PM

Disregard the previous post; I ran it from my memory stick.

#17 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 05:02 PM

Ok, here is the output from rapport.txt:

SmitFraudFix v2.274

Scan done at 13:55:23.35, Sun 01/13/2008
Run from H:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 www.avp.ch
10.18.250.4 www.avp.com
10.18.250.4 www.avp.ru
10.18.250.4 www.awaps.net
10.18.250.4 www.ca.com
10.18.250.4 www.f-secure.com
10.18.250.4 www.fastclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 www.kaspersky-labs.com
10.18.250.4 www.kaspersky.com
10.18.250.4 www.kaspersky.ru
10.18.250.4 www.mcafee.com
10.18.250.4 www.my-etrust.com
10.18.250.4 www.nai.com
10.18.250.4 www.networkassociates.com
10.18.250.4 www.sophos.com
10.18.250.4 www.symantec.com
10.18.250.4 www.trendmicro.com
10.18.250.4 www.viruslist.com
10.18.250.4 www.viruslist.ru
10.18.250.4 www.virustotal.com

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\shell.exe Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\spoolvs.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#18 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 05:12 PM

Ok, I am a bit hesitant on this last step with ComboFix; again, I am unable to copy/paste files, given the current state of my PC, I assume. I downloaded ComboFix to my memory stick, but cannot place it directly on the desktop as instructed prior to running. What is your suggestion here?

Do this one from Normal Mode

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

#19 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 13 January 2008 - 05:27 PM

Try running it right from your memory stick; if it fails, then go on to the ComboFix step.
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#20 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 06:09 PM

After ComboFix was done it rebooted my machine and prepared the log. I have been waiting quite some time with no action. Two windows did come up that I closed down (from my previous setup). I wonder if I messed up the log from finishing running. Suggestions? Should I run ComboFix again? It seems stalled out.

#21 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 06:16 PM

Sorry, it finally finished; here is the output of log.txt:

ComboFix 08-01-14.1 - Todd Gieber 2008-01-13 14:42:29.1 - NTFSx86
Running from: H:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Sierra Gieber\Application Data\FunWebProducts
C:\Documents and Settings\Sierra Gieber\Application Data\FunWebProducts\Data\Sierra Gieber\avatar.dat
C:\Documents and Settings\Sierra Gieber\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Todd Gieber\Application Data\Install.dat
C:\Documents and Settings\Todd Gieber\Application Data\install_en[1].exe
C:\Documents and Settings\Todd Gieber\Application Data\printer.exe
C:\Documents and Settings\Todd Gieber\Application Data\trant.exe
C:\Documents and Settings\Todd Gieber\Application Data\ultra
C:\Documents and Settings\Todd Gieber\Application Data\ultra\ultra.inf
C:\Documents and Settings\Todd Gieber\Application Data\ultra\uninstall.bat
C:\Documents and Settings\Todd Gieber\Desktop\bravesentry.lnk
C:\Documents and Settings\Todd Gieber\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\n.ini
C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Documents and Settings\Todd Gieber\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\000D4547.dat
C:\Program Files\FunWebProducts\Shared\00173FE7.dat
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\00039A0E
C:\Program Files\MyWebSearch\bar\Cache\00079BD0
C:\Program Files\MyWebSearch\bar\Cache\0008DCDC.bin
C:\Program Files\MyWebSearch\bar\Cache\0008DFCA.bin
C:\Program Files\MyWebSearch\bar\Cache\0008E1CD.bin
C:\Program Files\MyWebSearch\bar\Cache\0008EE50.bin
C:\Program Files\MyWebSearch\bar\Cache\0008FB31.bin
C:\Program Files\MyWebSearch\bar\Cache\0008FCD7.bin
C:\Program Files\MyWebSearch\bar\Cache\0009092B.bin
C:\Program Files\MyWebSearch\bar\Cache\00090A06.bin
C:\Program Files\MyWebSearch\bar\Cache\001D3F1F.bin
C:\Program Files\MyWebSearch\bar\Cache\001D4048.bin
C:\Program Files\MyWebSearch\bar\Cache\001D4113.bin
C:\Program Files\MyWebSearch\bar\Cache\00206AB4
C:\Program Files\MyWebSearch\bar\Cache\00CEF802
C:\Program Files\MyWebSearch\bar\Cache\00EED22F
C:\Program Files\MyWebSearch\bar\Cache\00EED78E
C:\Program Files\MyWebSearch\bar\Cache\00EED953.bin
C:\Program Files\MyWebSearch\bar\Cache\00EEDA7C.bin
C:\Program Files\MyWebSearch\bar\Cache\00EEDB66.bin
C:\Program Files\MyWebSearch\bar\Cache\00EEDC41.bin
C:\Program Files\MyWebSearch\bar\Cache\00EEDD5A.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Ultimate Defender
C:\WINDOWS\Help\agt037b.hlp
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\mscore.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\system32\xlibgfl254.dll
C:\WINDOWS\wsystmp_owo.exe
C:\WINDOWS\wsystmp_ugd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_RUNTIME
-------\LEGACY_SMTPDRV
-------\LEGACY_ZZZDRV_LICH


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 14:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 13:55 . 2008-01-13 13:55 3,982 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 13:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 13:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 13:54 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-13 13:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-13 13:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 13:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 13:16 . 2008-01-13 13:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 12:34 . 2008-01-13 12:34 <DIR> d-------- C:\Deckard
2008-01-06 14:30 . 2008-01-06 14:30 142,848 --a------ C:\WINDOWS\system32\drivers\Kpmw71.sys
2008-01-06 14:19 . 2008-01-07 16:09 502,784 --a------ C:\WINDOWS\system32\dllcache\winlogon.exe
2008-01-06 14:17 . 2008-01-06 14:17 69,632 --a------ C:\WINDOWS\system32\csrssw.dll
2008-01-06 14:17 . 2008-01-06 14:05 61,440 --a------ C:\WINDOWS\system32\drivers\OLD19.tmp
2008-01-06 14:17 . 2008-01-06 14:17 35,840 --a------ C:\WINDOWS\vmmreg32.exe
2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2008-01-06 14:06 . 2008-01-06 14:12 16,384 --a------ C:\WINDOWS\system32\userv32.dat
2008-01-06 12:07 . 2008-01-06 12:07 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-01-06 08:06 . 2008-01-06 08:06 34,049 --a------ C:\Documents and Settings\Todd Gieber\wn852.exe
2008-01-02 16:16 . 2008-01-02 16:16 <DIR> d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari
2008-01-02 16:15 . 2008-01-02 16:15 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 19:46 . 2008-01-01 19:46 <DIR> d-------- C:\Program Files\Edmark
2008-01-01 19:46 . 1999-07-20 18:37 519 --------- C:\WINDOWS\pipeline.ini
2008-01-01 19:46 . 2008-01-01 19:46 0 --a------ C:\WINDOWS\Edmark.ini
2008-01-01 19:44 . 2008-01-01 19:44 <DIR> d-------- C:\Program Files\Creative Wonders
2007-12-30 21:02 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Hooked on Phonics Learning
2007-12-30 09:32 . 2007-12-30 09:32 20 --ahs---- C:\ArcDeviceInfo
2007-12-27 14:15 . 2007-12-27 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-12-25 19:57 . 2007-04-16 09:28 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-12-25 19:53 . 2007-12-25 19:57 <DIR> d-------- C:\Program Files\U.B. Funkeys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 22:27 502,784 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-01-06 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-06 22:06 --------- d-----w C:\Program Files\iTunes
2008-01-06 20:04 --------- d-----w C:\Program Files\SlySoft
2008-01-03 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 00:07 --------- d-----w C:\Program Files\Atari
2008-01-02 22:14 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX
2008-01-02 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-02 03:48 --------- d-----w C:\Program Files\The Learning Company
2007-12-30 17:32 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft
2007-12-27 22:15 --------- d-----w C:\Program Files\MumboJumbo
2007-12-16 19:49 --------- d-----w C:\Program Files\Puppy Luv
2007-12-08 04:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-08 04:15 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-08 04:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-08 04:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-08 04:15 --------- d-----w C:\Program Files\Symantec
2007-12-03 23:47 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\SlySoft
2007-12-03 23:45 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\ArcSoft
2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-23 17:34 --------- d-----w C:\Program Files\QuickTime
2007-11-22 17:48 --------- d-----w C:\Program Files\Norton 360
2007-11-22 07:02 --------- d-----w C:\Program Files\iPod
2007-11-22 06:59 --------- d-----w C:\Program Files\Apple Software Update
2007-11-22 06:58 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-22 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 04:02 --------- d-----w C:\Documents and Settings\Sierra Gieber\Application Data\ArcSoft
2007-11-11 20:59 364,544 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 227,328 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2006-05-21 04:06 167 ---ha-w C:\Documents and Settings\Todd Gieber\hpothb07.dat
2005-10-10 06:11 251 ----a-w C:\Program Files\wt3d.ini
2007-06-08 21:55 1,808,519 --sha-w C:\WINDOWS\system32\kjkkj.bak1
2007-06-12 16:49 1,810,873 --sha-w C:\WINDOWS\system32\kjkkj.bak2
2007-06-13 04:02 1,811,495 --sh--w C:\WINDOWS\system32\kjkkj.ini2
.
Infected C:\WINDOWS\system32\svchost.exe hex repaired

Files Infected - Win32.Agent.zb
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoServer.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 50,792 2006-04-20 17:10:13 C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe

----a-w 124,520 2006-02-17 16:59:46 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 115,816 2008-01-06 22:04:36 C:\Program Files\Common Files\Symantec Shared\ccapp.exe

----a-w 45,056 2003-06-18 06:00:00 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE

----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe

----a-w 53,248 2005-02-23 21:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2003-12-05 22:41:44 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

----a-w 49,152 2003-11-12 13:23:42 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe

----a-w 241,664 2003-12-22 15:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 200,747 2006-06-05 02:52:32 C:\Program Files\IncrediMail\bin\bak\IncMail.exe
----a-w 204,843 2008-01-06 22:04:35 C:\Program Files\IncrediMail\bin\incmail.exe

----a-w 139,264 2005-04-25 13:50:08 C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-06 22:04:36 C:\Program Files\iTunes\ituneshelper.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 100,056 2005-08-06 06:36:29 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 497,376 1998-12-01 02:04:28 C:\WINDOWS\bak\p_981116.exe

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE

----a-w 59,392 2004-08-10 09:04:42 C:\WINDOWS\ehome\bak\ehtray.exe

----a-w 495,616 2004-02-02 08:41:58 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

----a-w 176,128 2003-12-04 12:44:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-01-06 14:04 204843]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:04 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-01-06 14:04 1193472]
"TivoNotify"="C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoNotify.exe" [2007-05-02 13:13 373760]
"TivoServer"="C:\Documents and Settings\Todd Gieber\My Documents\tivodesktop\TiVoServer.exe" [2008-01-06 14:04 1463296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 20:10 4583424]
"CTHelper"="CTHELPER.EXE" [2004-03-11 12:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-06 14:04 1773568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [2008-01-06 14:04 546304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-06 14:04 115816]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-11 12:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:04 267048]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-01-06 14:04 462848]

C:\Documents and Settings\Deanna Gieber\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-11-07 11:17:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [2002-09-20 10:50:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]
Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [2002-09-20 10:50:46]
Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [2002-09-20 10:50:50]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-11-11 13:01:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" [2007-05-02 13:12]
R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 21:20]
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2007-04-16 09:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autoplay.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 01:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-06 19:47:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:53:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 15:14:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 23:14:38
.
2007-12-13 04:46:07 --- E O F ---

#22 tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 06:22 PM

Ok, all steps have been successfully completed as instructed. Please let me know if there is anything else I need to do.
Can't tell you how much I truly appreciate your help and support!

By the way, what kind of issue did I have on my PC? First real issue I've had. I use Norton 360, cannot believe that it did not detect or block this issue, any ideas?

#23 Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 13 January 2008 - 06:26 PM

Hello

By the way, what kind of issue did I have on my PC?

It would take a long time to explain all your problems. Your PC is one of the most badly infected I've worked on :)



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\Kpmw71.sys
C:\WINDOWS\system32\csrssw.dll
C:\WINDOWS\system32\drivers\OLD19.tmp
C:\WINDOWS\vmmreg32.exe
C:\WINDOWS\system32\userv32.dat
C:\Documents and Settings\Todd Gieber\wn852.exe
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\jkkjk.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
By the power of truth, I, while living, have conquered the universe.

~Scratch~

#24 tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 06:33 PM

I had to run ComboFix from my memory stick before, how does this change your instructions?

#25 tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 06:53 PM

Disregard previous post, I got it running. Awaiting results...Stand by.

#26 tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 07:23 PM

Ok, here is the log file produced from your instructions:

ComboFix 08-01-14.1 - Todd Gieber 2008-01-14 15:53:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.646 [GMT -8:00]
Running from: C:\Documents and Settings\Todd Gieber\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Todd Gieber\wn852.exe
C:\WINDOWS\system32\csrssw.dll
C:\WINDOWS\system32\drivers\Kpmw71.sys
C:\WINDOWS\system32\drivers\OLD19.tmp
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\userv32.dat
C:\WINDOWS\vmmreg32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Todd Gieber\wn852.exe
C:\WINDOWS\system32\csrssw.dll
C:\WINDOWS\system32\drivers\Kpmw71.sys
C:\WINDOWS\system32\drivers\OLD19.tmp
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\userv32.dat
C:\WINDOWS\vmmreg32.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-13 14:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 13:55 . 2008-01-13 13:55 3,982 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 13:54 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 13:54 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 13:54 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-13 13:54 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-13 13:54 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 13:54 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 13:16 . 2008-01-13 13:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 12:34 . 2008-01-13 12:34 <DIR> d-------- C:\Deckard
2008-01-06 14:19 . 2008-01-07 16:09 502,784 --a------ C:\WINDOWS\system32\dllcache\winlogon.exe
2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2008-01-06 14:17 . 2008-01-14 14:48 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2008-01-06 12:07 . 2008-01-06 12:07 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-01-02 16:16 . 2008-01-02 16:16 <DIR> d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari
2008-01-02 16:15 . 2008-01-02 16:15 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 19:46 . 2008-01-01 19:46 <DIR> d-------- C:\Program Files\Edmark
2008-01-01 19:46 . 1999-07-20 18:37 519 --------- C:\WINDOWS\pipeline.ini
2008-01-01 19:46 . 2008-01-01 19:46 0 --a------ C:\WINDOWS\Edmark.ini
2008-01-01 19:44 . 2008-01-01 19:44 <DIR> d-------- C:\Program Files\Creative Wonders
2007-12-30 21:02 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\Program Files\Hooked on Phonics Learning
2007-12-30 09:32 . 2007-12-30 09:32 20 --ahs---- C:\ArcDeviceInfo
2007-12-27 14:15 . 2007-12-27 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-12-25 19:57 . 2007-04-16 09:28 194,362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys
2007-12-25 19:53 . 2007-12-25 19:57 <DIR> d-------- C:\Program Files\U.B. Funkeys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 23:39 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-01-06 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-06 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-06 22:06 --------- d-----w C:\Program Files\iTunes
2008-01-06 20:04 --------- d-----w C:\Program Files\SlySoft
2008-01-03 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 00:07 --------- d-----w C:\Program Files\Atari
2008-01-02 22:14 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX
2008-01-02 21:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-02 03:48 --------- d-----w C:\Program Files\The Learning Company
2007-12-30 17:32 --------- d-----w C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft
2007-12-27 22:15 --------- d-----w C:\Program Files\MumboJumbo
2007-12-16 19:49 --------- d-----w C:\Program Files\Puppy Luv
2007-12-08 04:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-08 04:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-08 04:15 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-08 04:15 --------- d-----w C:\Program Files\Symantec
2007-12-03 23:47 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\SlySoft
2007-12-03 23:45 --------- d-----w C:\Documents and Settings\Jordyn Gieber\Application Data\ArcSoft
2007-12-01 07:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-23 17:34 --------- d-----w C:\Program Files\QuickTime
2007-11-22 17:48 --------- d-----w C:\Program Files\Norton 360
2007-11-22 07:02 --------- d-----w C:\Program Files\iPod
2007-11-22 06:59 --------- d-----w C:\Program Files\Apple Software Update
2007-11-22 06:58 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-22 06:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 04:02 --------- d-----w C:\Documents and Settings\Sierra Gieber\Application Data\ArcSoft
2006-05-21 04:06 167 ---ha-w C:\Documents and Settings\Todd Gieber\hpothb07.dat
2005-10-10 06:11 251 ----a-w C:\Program Files\wt3d.ini
.
Files Infected - Win32.Agent.zb
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_15.12.27.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 22:42:07 5,025,792 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 23:53:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 22:42:07 135,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 23:53:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 23:53:04 237,568 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 23:53:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 23:53:05 5,033,984 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-14 23:53:05 135,168 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 50,792 2006-04-20 17:10:13 C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe

----a-w 124,520 2006-02-17 16:59:46 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe

----a-w 81,920 2004-07-27 21:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 21:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 48,752 2005-10-06 02:06:34 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 115,816 2008-01-06 22:04:36 C:\Program Files\Common Files\Symantec Shared\ccapp.exe

----a-w 45,056 2003-06-18 06:00:00 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE

----a-w 57,344 2003-09-17 15:43:36 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe

----a-w 53,248 2005-02-23 21:19:56 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 332,800 2005-05-15 07:04:12 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2003-12-05 22:41:44 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

----a-w 49,152 2003-11-12 13:23:42 C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe

----a-w 241,664 2003-12-22 15:38:42 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 200,747 2006-06-05 02:52:32 C:\Program Files\IncrediMail\bin\bak\IncMail.exe
----a-w 204,843 2008-01-06 22:04:35 C:\Program Files\IncrediMail\bin\incmail.exe

----a-w 139,264 2005-04-25 13:50:08 C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

----a-w 229,952 2006-09-25 21:54:24 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-06 22:04:36 C:\Program Files\iTunes\ituneshelper.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w 282,624 2006-09-24 10:24:54 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 100,056 2005-08-06 06:36:29 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 497,376 1998-12-01 02:04:28 C:\WINDOWS\bak\p_981116.exe

----a-w 90,112 2000-05-11 06:00:00 C:\WINDOWS\bak\UpdReg.EXE

----a-w 59,392 2004-08-10 09:04:42 C:\WINDOWS\ehome\bak\ehtray.exe

----a-w 495,616 2004-02-02 08:41:58 C:\WINDOWS\system32\bak\hphmon05.exe

----a-w 155,648 2001-07-09 18:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 127,035 2004-12-06 06:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

----a-w 176,128 2003-12-04 12:44:34 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B3F7190-5AA7-4481-8993-B3D69F9F37AF}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B181EFF-FA73-4B69-A8BA-80BC78B16532}]
C:\WINDOWS\system32\jkkjk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-01-06 14:04 204843]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 14:04 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-11 20:10 4583424]
"CTHelper"="CTHELPER.EXE" [2004-03-11 12:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2008-01-06 14:04 1773568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [2008-01-06 14:04 546304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-06 14:04 115816]
"WD Button Manager"="WDBtnMgr.exe" [2007-11-11 12:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-06 14:04 267048]

C:\Documents and Settings\Deanna Gieber\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-11-07 11:17:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [2002-09-20 10:50:32]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]
Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [2002-09-20 10:50:46]
Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [2002-09-20 10:50:50]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-11-11 13:01:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-24 21:20]
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys [2007-04-16 09:28]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 01:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 23:47:20 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 16:04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 16:18:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 00:17:59
ComboFix2.txt 2008-01-14 23:14:41
.
2007-12-13 04:46:07 --- E O F ---

#27 Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 13 January 2008 - 07:24 PM

Hello

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

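The FindAWF step above looks for the "bak" folders that the AWF infection leaves behind: each legitimate autostart executable is moved into a bak\ subfolder and a dropper is written under the original name (the "Files Infected - Win32.Agent.zb" list in the ComboFix log names those replacements). The parser below is an added example, not part of the thread and not the code of FindAWF or ComboFix; it assumes the AWF line layout shown in the log (attributes, size, timestamp, path) and runs over constructed sample lines in that format, pairing each bak\ original with the copy that replaced it and dating the drop event from the replacements' timestamps.

```python
"""Pair the bak\\ originals in a ComboFix AWF section with the copies that
replaced them.  Added example; not part of the thread and not the code of
FindAWF or ComboFix.  It assumes the line layout shown in the log above:
attributes, size, timestamp, full path."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the format of the thread's AWF section.
SAMPLE_AWF = """\
----a-w 48,752 2005-10-06 02:06:34 C:\\Program Files\\Common Files\\Symantec Shared\\bak\\ccApp.exe
----a-w 115,816 2008-01-06 22:04:36 C:\\Program Files\\Common Files\\Symantec Shared\\ccapp.exe

----a-w 200,747 2006-06-05 02:52:32 C:\\Program Files\\IncrediMail\\bin\\bak\\IncMail.exe
----a-w 204,843 2008-01-06 22:04:35 C:\\Program Files\\IncrediMail\\bin\\incmail.exe

----a-w 282,624 2006-09-24 10:24:54 C:\\Program Files\\QuickTime\\bak\\qttask.exe
"""

LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


@dataclass
class Entry:
    size: int
    stamp: str
    path: str

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        # Windows file names are case-insensitive: ccApp.exe and ccapp.exe are the same name.
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_bak(self) -> bool:
        return self.folder.lower().endswith("\\bak")


@dataclass
class Pair:
    original: Entry               # the moved-aside copy under bak\
    replacement: Optional[Entry]  # what now sits under the original name, if listed


def parse_awf(text: str) -> List[Entry]:
    """Parse the AWF lines; blank lines and section headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["size"].replace(",", "")), m["stamp"], m["path"]))
    return entries


def pair_bak_entries(entries: List[Entry]) -> List[Pair]:
    """Match each bak\\ entry with the same-named file in its parent folder."""
    live = {(e.folder.lower(), e.name): e for e in entries if not e.is_bak}
    pairs = []
    for e in entries:
        if e.is_bak:
            parent = e.folder[: -len("\\bak")]
            pairs.append(Pair(e, live.get((parent.lower(), e.name))))
    return pairs


def replaced_programs(text: str) -> List[str]:
    """Paths of originals whose replacement is listed and differs in size,
    i.e. the autostart programs that need restoring from bak\\."""
    return [p.original.path for p in pair_bak_entries(parse_awf(text))
            if p.replacement is not None and p.replacement.size != p.original.size]


def drop_minutes(text: str) -> Set[str]:
    """Minute stamps of the replacement copies; a single value means they
    were all written in one drop event, which dates the infection."""
    return {p.replacement.stamp[:16] for p in pair_bak_entries(parse_awf(text))
            if p.replacement is not None}


if __name__ == "__main__":
    for path in replaced_programs(SAMPLE_AWF):
        print("restore from bak:", path)
    print("replacements written at:", sorted(drop_minutes(SAMPLE_AWF)))
```

A bak\ entry with no listed replacement (qttask.exe in the sample) is still reported as a pair with `replacement` set to None, so it is not silently dropped.
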
#28 tgieber

    Member

  • Full Member
  • 28 posts

Posted 13 January 2008 - 07:28 PM

Here is the log file produced from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:17 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Todd Gieber\My Documents\HighJackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035MFUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.38/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesvill...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8966 bytes

#29 tgieber, Member (Full Member, 28 posts)

Posted 13 January 2008 - 07:53 PM

Ok here is the awf log as requested: Please reply with next instructions.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 01/14/2008
The current time is: 16:48:47.87


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

11/30/1998 06:04 PM 497,376 p_981116.exe
05/10/2000 10:00 PM 90,112 UpdReg.EXE
2 File(s) 587,488 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

05/14/2005 11:04 PM 332,800 DSAgnt.exe
1 File(s) 332,800 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/05/2005 10:36 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 01:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/02/2004 12:41 AM 495,616 hphmon05.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 651,264 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 08:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/05/2005 06:06 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 01:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 02:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{D9466~1\BAK

11/12/2003 05:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\INCRED~1\BIN\BAK

06/04/2006 06:52 PM 200,747 IncMail.exe
1 File(s) 200,747 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

04/25/2005 05:50 AM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

12/05/2004 10:05 PM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 08:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 01:50 PM 81,920 issch.exe
07/27/2004 01:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/17/2003 10:00 PM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 07:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 02:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK

04/20/2006 09:10 AM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

12/04/2003 04:44 AM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

497376 Nov 30 1998 "C:\WINDOWS\bak\p_981116.exe"
90112 May 10 2000 "C:\WINDOWS\bak\UpdReg.EXE"
332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267048 Jan 6 2008 "C:\Program Files\iTunes\ituneshelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 21 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
495616 Feb 2 2004 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
204843 Jan 6 2008 "C:\Program Files\IncrediMail\bin\incmail.exe"
200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\bak\IncMail.exe"
139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe"
176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report

#30 Rorschach112, Forum Deity (Retired Staff - Helper, 884 posts)

Posted 13 January 2008 - 08:32 PM

Hello
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\WINDOWS\BAK\p_981116.exe"
    "C:\WINDOWS\BAK\UpdReg.EXE"
    "C:\PROGRA~1\DELLSU~1\BAK\DSAgnt.exe"
    "C:\PROGRA~1\ITUNES\BAK\iTunesHelper.exe"
    "C:\PROGRA~1\QUICKT~1\BAK\qttask.exe"
    "C:\PROGRA~1\SYMNET~1\BAK\SNDMon.exe"
    "C:\WINDOWS\EHOME\BAK\ehtray.exe"
    "C:\WINDOWS\SYSTEM32\BAK\hphmon05.exe"
    "C:\WINDOWS\SYSTEM32\BAK\NeroCheck.exe"
    "C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK\CFD.exe"
    "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccApp.exe"
    "C:\PROGRA~1\CYBERL~1\POWERDVD\BAK\DVDLauncher.exe"
    "C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK\HPWuSchd2.exe"
    "C:\PROGRA~1\HEWLET~1\{D9466~1\BAK\hphupd05.exe"
    "C:\PROGRA~1\HP\HPCORE~1\BAK\hpcmpmgr.exe"
    "C:\PROGRA~1\INCRED~1\BIN\BAK\IncMail.exe"
    "C:\PROGRA~1\INTEL\INTELM~1\BAK\iaanotif.exe"
    "C:\WINDOWS\SYSTEM32\DLA\BAK\tfswctrl.exe"
    "C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK\IPHSend.exe"
    "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK\issch.exe"
    "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK\ISUSPM.exe"
    "C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK\CTDVDDET.EXE"
    "C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK\CTSysVol.exe"
    "C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK\jusched.exe"
    "C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK\AOLSoftware.exe"
    "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK\hpztsb09.exe"



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files back and will then perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

By the power of truth, I, while living, have conquered the universe.

~Scratch~

#31 tgieber, Member (Full Member, 28 posts)

Posted 13 January 2008 - 09:08 PM

Here are the contents of the log file:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 01/14/2008
The current time is: 18:00:54.23


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

11/30/1998 06:04 PM 497,376 p_981116.exe
05/10/2000 10:00 PM 90,112 UpdReg.EXE
2 File(s) 587,488 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

05/14/2005 11:04 PM 332,800 DSAgnt.exe
1 File(s) 332,800 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/05/2005 10:36 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 01:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/02/2004 12:41 AM 495,616 hphmon05.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 651,264 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 08:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/05/2005 06:06 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 01:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/05/2003 02:41 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HEWLET~1\{D9466~1\BAK

11/12/2003 05:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\INCRED~1\BIN\BAK

06/04/2006 06:52 PM 200,747 IncMail.exe
1 File(s) 200,747 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

04/25/2005 05:50 AM 139,264 iaanotif.exe
1 File(s) 139,264 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

12/05/2004 10:05 PM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 08:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 01:50 PM 81,920 issch.exe
07/27/2004 01:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/17/2003 10:00 PM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 07:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 02:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\114859~1\EE\BAK

04/20/2006 09:10 AM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

12/04/2003 04:44 AM 176,128 hpztsb09.exe
1 File(s) 176,128 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

497376 Nov 30 1998 "C:\WINDOWS\p_981116.exe"
497376 Nov 30 1998 "C:\WINDOWS\bak\p_981116.exe"
90112 May 10 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 10 2000 "C:\WINDOWS\bak\UpdReg.EXE"
332800 May 14 2005 "C:\Program Files\Dell Support\DSAgnt.exe"
332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 21 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
495616 Feb 2 2004 "C:\WINDOWS\system32\hphmon05.exe"
495616 Feb 2 2004 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 5 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe"
49152 Nov 12 2003 "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak\hphupd05.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\IncMail.exe"
200747 Jun 4 2006 "C:\Program Files\IncrediMail\bin\bak\IncMail.exe"
139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
139264 Apr 25 2005 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\tfswctrl.exe"
127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
45056 Jun 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\AOLSoftware.exe"
50792 Apr 20 2006 "C:\Program Files\Common Files\AOL\1148597462\ee\bak\AOLSoftware.exe"
176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe"
176128 Dec 4 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe"


end of report
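The two FindAWF reports above show the pattern the tool is built around: the legitimate autostart executable has been moved into a "bak" subfolder next to where it lived, and in several cases a different file with the same name now sits at the original path (in post #29, ituneshelper.exe at 267,048 bytes and ccapp.exe at 115,816 bytes, both stamped Jan 6 2008, the day the trouble started, against the 229,952-byte and 48,752-byte copies in bak). Option 2 moves the bak copies back, which is why in post #31 most pairs now match size for size. The script below is an added example, not part of the thread and not noahdfear's tool: it parses the "Duplicate files of bak directory contents" section, pairs each bak copy with whatever is reported at its original path, and labels the pair. The verdict logic (same name, different size or date means a swapped-in file) is this example's own rule of thumb, and the two embedded excerpts are copied from the reports posted before and after the restore.

```python
"""Pair every file FindAWF lists in a 'bak' folder with whatever now sits at
its original path and say whether that original was swapped out.

Added example, not part of this thread or of noahdfear's FindAWF tool.
Assumption: the infection parks the legitimate autostart binary in a 'bak'
subfolder and drops a different file under the same name where the
original lived, so a same-name file at the original path whose size or
date differs from the bak copy is the suspect. The two excerpts below are
copied from the reports posted before (#29) and after (#31) the restore."""
import re
from pathlib import PureWindowsPath

# One report line: <size> <Mon D YYYY> "<path>"
LINE = re.compile(r'^(\d+)\s+([A-Za-z]{3} \d{1,2} \d{4})\s+"(.+)"$')


def parse_duplicates(report: str):
    """Yield (size, date, path) for each entry of the report's
    'Duplicate files of bak directory contents' section."""
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak"):
            in_section = True
        elif line == "end of report":
            break
        elif in_section:
            m = LINE.match(line)
            if m:
                yield int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))


def triage(report: str):
    """Return {original_path: (verdict, bak_size, live_size)} per bak copy.
    verdict is 'missing' (nothing reported at the original path),
    'restored' (same size and date as the bak copy) or 'replaced'."""
    entries = list(parse_duplicates(report))
    # Every file that is NOT inside a bak folder, keyed by lower-cased path,
    # so that ituneshelper.exe and iTunesHelper.exe line up.
    live = {str(p).lower(): (size, date) for size, date, p in entries
            if p.parent.name.lower() != "bak"}
    findings = {}
    for size, date, p in entries:
        if p.parent.name.lower() != "bak":
            continue
        original = p.parent.parent / p.name        # where the file belongs
        key = str(original).lower()
        if key not in live:
            verdict, live_size = "missing", None
        elif live[key] == (size, date):
            verdict, live_size = "restored", size
        else:
            verdict, live_size = "replaced", live[key][0]
        findings[str(original)] = (verdict, size, live_size)
    return findings


# Excerpt of the report in post #29 (before option 2 was run).
BEFORE = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267048 Jan 6 2008 "C:\Program Files\iTunes\ituneshelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 21 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

end of report
"""

# Excerpt of the report in post #31 (after option 2 was run).
AFTER = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

332800 May 14 2005 "C:\Program Files\Dell Support\DSAgnt.exe"
332800 May 14 2005 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
115816 Jan 6 2008 "C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
48752 Oct 5 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\tfswctrl.exe"
127035 Dec 5 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 5 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

end of report
"""

if __name__ == "__main__":
    for label, rep in (("before restore", BEFORE), ("after restore", AFTER)):
        print(label)
        for path, (verdict, bak_size, live_size) in triage(rep).items():
            print(f"  {verdict:8} {path}  bak={bak_size} live={live_size}")
```

Same-name files elsewhere on disk (the Sonic\DLA\install copy of tfswctrl.exe, the iTunesIco.exe installer stub) are deliberately ignored because they are not at the path the bak folder points back to. Note that ccapp.exe stays "replaced" even after the restore: a size mismatch alone does not prove the live file is hostile (a vendor update on the same day would look identical in this report), so a flagged file should be hashed and checked against a known-good copy before anyone deletes it.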

#32 tgieber, Member (Full Member, 28 posts)

Posted 14 January 2008 - 11:05 AM

When you get a free moment, please advise on next steps.

The PC is much improved at this point; I am able to run things as I could prior to the issues. I appreciate the amount of time you spent working on it yesterday.

#33 Rorschach112, Forum Deity (Retired Staff - Helper, 884 posts)

Posted 14 January 2008 - 11:38 AM

Hello

When you get a free moment, please advise on next steps.

I reply whenever I have the free time; you don't need to make extra posts like this, as it just means I get more email notifications. Your logs require a lot of time to go over since your PC is so horribly infected.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\bak
    C:\Program Files\Dell Support\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\ehome\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\BroadJump\Client Foundation\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\CyberLink\PowerDVD\bak
    C:\Program Files\Hewlett-Packard\HP Software Update\bak
    C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\bak
    C:\Program Files\HP\hpcoretech\bak
    C:\Program Files\IncrediMail\bin\bak
    C:\Program Files\Intel\Intel Matrix Storage Manager\bak
    C:\WINDOWS\system32\dla\bak
    C:\Program Files\Common Files\AOL\IPHSend\bak
    C:\Program Files\Common Files\InstallShield\UpdateService\bak
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
    C:\Program Files\Java\j2re1.4.2_03\bin\bak
    C:\Program Files\Common Files\AOL\1148597462\ee\bak
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will then perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


#34 tgieber, Member (Full Member, 28 posts)

Posted 14 January 2008 - 11:42 PM

Here are the results from the log file:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 01/15/2008
The current time is: 20:24:16.45


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

08/05/2005 10:36 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

100056 Aug 5 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"


end of report

#35 Rorschach112, Forum Deity (Retired Staff - Helper, 884 posts)

Posted 15 January 2008 - 08:29 AM

Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also post a new HijackThis log
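
The report this scan produces (the reply that follows shows one) needs reading with some care before its headline count means anything: "Object is locked skipped" lines are files the scanner could not open, not detections; a large share of the hits sit inside C:\Deckard\System Scanner\...\backup and inside catchme.zip on the Administrator desktop, which are the earlier cleanup tools' own copies of things already taken off the system; and the "not-a-virus:" verdicts are adware bundled with game installers rather than the trojan itself. The script below is an added example, not part of the thread and not Kaspersky's code: it parses the report's text lines, drops the locked-object and archive-summary lines, separates hits inside those tool containers from hits in live locations, and ranks the rest by verdict family. The list of container paths and the three verdict classes are this example's assumptions; the sample lines are copied from the report posted in the next reply.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example, not part of this thread or of the scanner. It drops
'Object is locked' noise and per-archive summary lines, tags each detection
as sitting in a cleanup tool's own backup container or in a live location,
and buckets verdicts into pua / malware / critical. The container list and
the bucket rules are this example's assumptions; the sample report lines
are copied from the report posted in the thread."""
import re
from collections import Counter

# Detection line:   <path> Infected: <verdict> skipped
# Archive summary:  <path> ZIP: infected - 10 skipped   (members already listed)
INFECTED = re.compile(r'^(.*?) Infected: (\S+) skipped$')
ARCHIVE_SUMMARY = re.compile(r'^(.*?) (ZIP|Rsrc-Package): infected - \d+ skipped$')

# Locations that hold copies of items earlier steps in the thread already
# removed (Deckard's System Scanner backup, catchme's zip of the rootkit
# drivers). Assumption for this example; adjust per case. Compared lower-cased.
TOOL_CONTAINERS = (r"c:\deckard\system scanner", r"\desktop\catchme.zip")


def classify(verdict: str) -> str:
    """Bucket a Kaspersky verdict string by its family prefix."""
    v = verdict.lower()
    if v.startswith("not-a-virus:"):
        return "pua"           # adware / riskware, e.g. bundled with game installers
    if v.startswith(("rootkit.", "trojan-psw.", "backdoor.")):
        return "critical"      # kernel-level persistence or credential theft
    return "malware"


def triage(report: str):
    """Return a list of (path, verdict, bucket, where) tuples, where 'where'
    is 'tool-backup' or 'live'. Locked-object and archive-summary lines are
    dropped; everything else that is not a detection line is ignored."""
    out = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.endswith("Object is locked skipped"):
            continue
        if ARCHIVE_SUMMARY.match(line):
            continue
        m = INFECTED.match(line)
        if not m:
            continue
        path, verdict = m.group(1), m.group(2)
        low = path.lower()
        where = "tool-backup" if any(c in low for c in TOOL_CONTAINERS) else "live"
        out.append((path, verdict, classify(verdict), where))
    return out


def summary(findings):
    """Count findings per (bucket, where) pair."""
    return Counter((bucket, where) for _, _, bucket, where in findings)


# Lines copied from the report in the next reply (a subset).
SAMPLE = r"""Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\temp\254671.exe Infected: Trojan-Dropper.Win32.Small.bde skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip/Medi35.sys Infected: Rootkit.Win32.Agent.sc skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip/lich.sys Infected: Trojan-PSW.Win32.LdPinch.edw skipped
C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 10 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Downloads\ZumaSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for path, verdict, bucket, where in found:
        print(f"{bucket:8} {where:11} {verdict}  {path}")
    print(dict(summary(found)))
```

On the sample, the only live hit that is not adware is the class inside the Java deployment cache, which is the kind of item the next cleanup step has to deal with; the rootkit and password-stealer drivers are all inside catchme.zip, so deleting that zip (or letting the helper collect it) clears them without touching the running system.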

#36 tgieber, Member (Full Member, 28 posts)

Posted 16 January 2008 - 12:40 AM

Here is the log from the online scan:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 9:36:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 512565


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 168577
Number of viruses found 61
Number of infected objects 142
Number of suspicious objects 2
Duration of the scan process 01:39:58

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped

C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\temp\254671.exe Infected: Trojan-Dropper.Win32.Small.bde skipped

C:\Deckard\System Scanner\20080113123931\backup\WINDOWS\temp\checkmemory.exe Infected: Trojan.Win32.Agent.drm skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/Medi35.sys Infected: Rootkit.Win32.Agent.sc skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/HTE00.sys Infected: Trojan-Downloader.Win32.Agent.ggt skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/lich.sys Infected: Trojan-PSW.Win32.LdPinch.edw skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/kernelw.sys Infected: Packed.Win32.Tibs.ap skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/taskmon.sys Infected: Rootkit.Win32.Agent.sw skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/xpdx.sys Infected: Trojan-Clicker.Win32.Costrat.db skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/asc3550p.sys Infected: Trojan.Win32.KillAV.lz skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/kcp.sys Infected: Trojan-Downloader.Win32.Agent.bnm skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/smtpdrv.sys Infected: Email-Worm.Win32.Agent.l skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip/symavc32.sys Infected: Rootkit.Win32.Agent.sc skipped

C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 10 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9fa911ff579600a20244055378148e95_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\acda40c4464575b4220dba625f016156_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Todd Gieber\triggers.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2073394E.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3975994838_11141120_59191 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3975994838_12976128_49727 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{DDAA8975-1BFF-42F6-A3BB-CA06183DB361}.TmpSBE Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E2DD3D6F-807C-4CF6-BC82-A75DB269A555}.TmpSBE Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Perflib_Perfdata_594.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\index[7].htm Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9EMWBXP\index[8].htm Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped

C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Todd Gieber\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\History\History.IE5\MSHist012008011620080117\index.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\Perflib_Perfdata_9c4.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DF86F4.tmp Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DF870F.tmp Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DFBC6F.tmp Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temp\~DFBC8A.tmp Object is locked skipped

C:\Documents and Settings\Todd Gieber\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Todd Gieber\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Todd Gieber\ntuser.dat.LOG Object is locked skipped

C:\Downloads\zulu_gemsSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\Downloads\ZumaSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped

C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped

C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped

C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped

C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped

C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped

C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped

C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\Documents and Settings\Sierra Gieber\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\install_en[1].exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped

C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\printer.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Application Data\trant.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped

C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\Documents and Settings\Todd Gieber\wn852.exe.vir Infected: Trojan.Win32.Agent.drm skipped

C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\QooBox\Quarantine\C\WINDOWS\shell.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Kpmw71.sys.vir Infected: Rootkit.Win32.Agent.sc skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\OLD19.tmp.vir Infected: Rootkit.Win32.Agent.sv skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mscore.dll.vir Infected: Trojan.Win32.Zapchast.dz skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\printer.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir Infected: Trojan.Win32.Qhost.adl skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.bh skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\userv32.dat.vir Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\xlibgfl254.dll.vir Infected: Trojan-Downloader.Win32.Agent.bfj skipped

C:\QooBox\Quarantine\C\WINDOWS\vmmreg32.exe.vir Infected: Trojan.Win32.Agent.dqx skipped

C:\QooBox\Quarantine\C\WINDOWS\wsystmp_owo.exe.vir Infected: Trojan-Dropper.Win32.Small.bdf skipped

C:\QooBox\Quarantine\C\WINDOWS\wsystmp_ugd.exe.vir Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\QooBox\Quarantine\catchme2008-01-14_145042.37.zip/wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped

C:\QooBox\Quarantine\catchme2008-01-14_145042.37.zip ZIP: infected - 1 skipped

C:\SDFix\backups\backups.zip/backups/1.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/2.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/5.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/6.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/7.dllb Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.adl skipped

C:\SDFix\backups\backups.zip/backups/bot.dll Infected: Trojan-Proxy.Win32.Xorpix.cq skipped

C:\SDFix\backups\backups.zip/backups/BraveSentry.exe Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\SDFix\backups\backups.zip/backups/BraveSentry0.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\SDFix\backups\backups.zip/backups/BraveSentry2.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\SDFix\backups\backups.zip/backups/BraveSentry3.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\SDFix\backups\backups.zip/backups/desktop.html Infected: not-virus:Hoax.Win32.Renos.cy skipped

C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q1.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q2.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q5.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q6.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/dllgh8jkd1q7.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/findfast.exe Infected: Trojan.Win32.Qhost.adl skipped

C:\SDFix\backups\backups.zip/backups/ip6fw.sys Infected: Rootkit.Win32.Agent.pr skipped

C:\SDFix\backups\backups.zip/backups/kernelwind32.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/lich.exe Infected: Trojan-Downloader.Win32.Agent.fyj skipped

C:\SDFix\backups\backups.zip/backups/lrito398c-b96.sys Infected: Email-Worm.Win32.Zhelatin.qe skipped

C:\SDFix\backups\backups.zip/backups/lrito64ec-1ac8.sys Infected: Email-Worm.Win32.Zhelatin.qe skipped

C:\SDFix\backups\backups.zip/backups/m1ax1d1213216143v.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\SDFix\backups\backups.zip/backups/ma11x1dd12111v.game Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\SDFix\backups\backups.zip/backups/medichi.exe Infected: not-virus:Hoax.Win32.Renos.aom skipped

C:\SDFix\backups\backups.zip/backups/medichi2.exe Infected: Trojan.Win32.Agent.dqz skipped

C:\SDFix\backups\backups.zip/backups/mrofinu27.exe Infected: Trojan-Downloader.Win32.Agent.gwh skipped

C:\SDFix\backups\backups.zip/backups/mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped

C:\SDFix\backups\backups.zip/backups/murka.dat Infected: Backdoor.Win32.Small.cbo skipped

C:\SDFix\backups\backups.zip/backups/newmaxxsv234.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped

C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.adl skipped

C:\SDFix\backups\backups.zip/backups/shell.exe Infected: Trojan.Win32.Qhost.adl skipped

C:\SDFix\backups\backups.zip/backups/shift.exe.exe Infected: Email-Worm.Win32.Zhelatin.rm skipped

C:\SDFix\backups\backups.zip/backups/spoolvs.exe Infected: Trojan.Win32.Qhost.adl skipped

C:\SDFix\backups\backups.zip/backups/svchost.exe Infected: Trojan.Win32.Patched.bh skipped

C:\SDFix\backups\backups.zip/backups/taskmon.exe Infected: Trojan-Downloader.Win32.Tibs.to skipped

C:\SDFix\backups\backups.zip/backups/trayicon.exe Infected: Trojan.Win32.Agent.drm skipped

C:\SDFix\backups\backups.zip/backups/users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\SDFix\backups\backups.zip/backups/vedxg4am1et2.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/vedxg6ame4.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/vedxga1me4t1.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip/backups/vedxga4me1.exe Infected: Trojan-Proxy.Win32.Xorpix.cq skipped

C:\SDFix\backups\backups.zip/backups/windsk.dll Infected: not-a-virus:AdWare.Win32.Agent.yz skipped

C:\SDFix\backups\backups.zip/backups/xpupdate.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped

C:\SDFix\backups\backups.zip ZIP: infected - 46 skipped

C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.nl skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP744\A0218868.exe Suspicious: not-a-virus:Porn-Dialer.Win32.Generic skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0234336.exe Infected: not-virus:Hoax.Win32.Renos.aom skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0234337.exe Infected: Trojan.Win32.Agent.dqz skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0238337.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0240336.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0243337.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0244337.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0246337.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0248337.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0272338.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0273338.exe Infected: Trojan.Win32.Patched.q skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP800\A0277386.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277439.exe Infected: Trojan.Win32.Agent.drm skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277441.sys Infected: Rootkit.Win32.Agent.sc skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277442.exe Infected: Trojan.Win32.Agent.dqx skipped

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP805\change.log Object is locked skipped

C:\WINDOWS\BBSTORE\DSS\dssagent.exe Infected: not-a-virus:AdWare.Win32.Background skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{44260E4E-2484-456D-A51F-FA5CBD13D48C}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{87D2DF72-640A-4C9E-859A-98FAB96B5E85}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\dllcache\winlogon.exe Infected: Trojan.Win32.Patched.q skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan-Downloader.Win32.Agent.gbh skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.q skipped

C:\WINDOWS\Temp\JETDC91.tmp Object is locked skipped

C:\WINDOWS\Temp\JETE674.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000005-00000000-00000003-00001102-00000004-20061102}.CDF Object is locked skipped

F:\My Cool Stuff\mame\roms\hotchick.exe Suspicious: not-a-virus:Porn-Dialer.Win32.Generic skipped

Scan process completed.




Here is the latest log from HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:00 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TODDGI~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035MFUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.38/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesvill...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9136 bytes
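The scan log above mixes locked system files, live detections, and detections that ComboFix, SDFix and System Restore have already isolated. As an added example (not part of the thread and not any scanner's own tooling), a short Python triage that parses that line format and separates the still-live detections from the isolated ones, run over an excerpt of the lines above:

```python
"""Triage for a scanner log in the format posted above.

Added example: not part of the thread and not any scanner's own tooling.
Every line reads "<path> <verdict> skipped", where the verdict is one of
  Object is locked             not a detection, the file was in use
  Infected: <name>             a detection
  Suspicious: <name>           a heuristic detection
  <Container>: infected - <n>  summary for an archive whose members were
                               already listed one by one
What matters for the next step is not the raw detection count but whether
a detected file is still live or already sits in a quarantine, a fix-tool
backup or a System Restore snapshot, where it can no longer run.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Object is locked"
    r"|Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<sname>\S+)"
    r"|(?P<container>[A-Za-z-]+): infected - (?P<count>\d+))"
    r" skipped$"
)

# Folders holding isolated copies; these are the ones that appear in the
# log above (ComboFix quarantine, SDFix backups, System Restore points).
ISOLATED_PREFIXES = tuple(p.lower() for p in (
    "C:\\QooBox\\Quarantine\\",
    "C:\\SDFix\\backups\\",
    "C:\\System Volume Information\\_restore",
))


def parse_line(line):
    """Return a record for one log line, or None for text that is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("name"):
        kind, name = "infected", m.group("name")
    elif m.group("sname"):
        kind, name = "suspicious", m.group("sname")
    elif m.group("container"):
        kind, name = "container", m.group("container")
    else:
        kind, name = "locked", None
    path = m.group("path")
    return {"path": path, "kind": kind, "name": name,
            "isolated": path.lower().startswith(ISOLATED_PREFIXES)}


def triage(log_text):
    """Split detections into live and isolated lists of (path, name) and
    count detection names.  Locked objects and container summary lines are
    dropped: the former are not detections, the latter repeat their members."""
    live, isolated, families = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] in ("locked", "container"):
            continue
        families[rec["name"]] += 1
        bucket = isolated if rec["isolated"] else live
        bucket.append((rec["path"], rec["name"]))
    return live, isolated, families


# Constructed excerpt: a few lines of each kind taken from the log above.
SAMPLE_LOG = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Todd Gieber\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-569f3328.zip ZIP: infected - 1 skipped
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe/data0000.cab/nickarcade.dll Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe Rsrc-Package: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.bh skipped
C:\SDFix\backups\backups.zip/backups/xpupdate.exe Infected: Email-Worm.Win32.Zhelatin.ro skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP744\A0218868.exe Suspicious: not-a-virus:Porn-Dialer.Win32.Generic skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP803\A0277441.sys Infected: Rootkit.Win32.Agent.sc skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.q skipped
C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan-Downloader.Win32.Agent.gbh skipped
Scan process completed.
"""

if __name__ == "__main__":
    live, isolated, families = triage(SAMPLE_LOG)
    print("Still live, deal with these first:")
    for path, name in live:
        print(f"  {name:40} {path}")
    print(f"Already isolated: {len(isolated)} detection(s)")
    print("Detection names:", dict(families))
```

On the excerpt the live list is the Java cache class, the adware DLL inside the game installer, the patched winlogon.exe and the csrss.exe under wbem, which is exactly the set the thread goes on to deal with.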

#37 Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 18 January 2008 - 09:01 AM

Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Administrator\Desktop\catchme.zip
    C:\Downloads\zulu_gemsSetup-dm[1].exe
    C:\Downloads\ZumaSetup-dm[1].exe
    C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe
    C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe
    C:\WINDOWS\system32\wbem\csrss.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {9B181EFF-FA73-4B69-A8BA-80BC78B16532} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZJxdm035MFUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new DSS log.
By the power of truth, I, while living, have conquered the universe.

~Scratch~
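
The move list above includes C:\WINDOWS\system32\wbem\csrss.exe (a core Windows process name in a directory Windows never runs it from), and the HijackThis entries being fixed are two BHOs whose DLL is marked "(file missing)", a context-menu item pointing at a web URL, and a DPF download from an unfamiliar host. The script below is an added example, not code from the thread, from OldTimer or from Trend Micro; it shows the checks a helper applies by eye when reading such a list and log. The trusted-host list and the sample input are constructed for the example (the CLSIDs are the ones on this page, the URLs are placeholders).

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Added example, not code from the thread. Processes Windows XP starts from
# %SystemRoot%\System32; a file reusing one of these names anywhere else
# (System32/wbem/csrss.exe, for instance) is a masquerade.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Assumption: the owner maintains this list; the names are placeholders.
TRUSTED_DPF_HOSTS = {"security.vendor.example", "fpdownload.plugin.example"}

HJT_LINE = re.compile(r"^(O\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def masquerading_paths(paths):
    """Return the paths that reuse a core process name outside System32.

    PureWindowsPath compares case-insensitively, so this also runs on a
    non-Windows analysis box. It does not catch a replaced genuine binary
    sitting in System32 itself; that needs a hash or signature check.
    """
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        if p.name.lower() in CORE_PROCESSES and p.parent != SYSTEM32:
            hits.append(raw.strip())
    return hits


def triage_hjt(log_text):
    """Return (section, reason, line) for the entries a helper looks at first."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group("body")
        url = URL_RE.search(body)
        host = urlsplit(url.group(0)).hostname if url else None
        if section == "O2" and body.endswith("(file missing)"):
            # The CLSID is still registered but the DLL is gone: a leftover
            # registration that HijackThis removes with Fix Checked.
            findings.append((section, "orphaned BHO registration", line))
        elif section == "O8" and host is not None:
            # Genuine toolbar items point at a local file; a web URL is
            # worth a look.
            findings.append((section, f"context-menu item calls out to {host}", line))
        elif section == "O16" and host not in TRUSTED_DPF_HOSTS:
            findings.append((section, f"ActiveX download from untrusted host {host}", line))
    return findings


# Constructed sample input in the OTMoveIt2 / HijackThis formats.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\wbem\csrss.exe",
    r"C:\Program Files\Some Game\bfgt_silent_en.exe",
]
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B3F7190-5AA7-4481-8993-B3D69F9F37AF} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O8 - Extra context menu item: &Search - http://edits.search.example/?p=abc
O8 - Extra context menu item: &Toolbar Search - c:\program files\toolbar\search.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Vendor AntiVirus scanner) - http://security.vendor.example/bin/AvSniff.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.downloads.example/p1.cab
"""

if __name__ == "__main__":
    for path in masquerading_paths(SAMPLE_PATHS):
        print("masquerade:", path)
    for section, reason, line in triage_hjt(SAMPLE_HJT):
        print(f"{section}: {reason}\n    {line}")
```

HijackThis shortens long URLs in its output with "...", so the host extracted from a real log may be a truncated string; it still fails the trusted-host test, which is the behaviour you want.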

#38 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 19 January 2008 - 01:18 PM

Here are the results of OTMoveIt2:

C:\Documents and Settings\Administrator\Desktop\catchme.zip moved successfully.
C:\Downloads\zulu_gemsSetup-dm[1].exe moved successfully.
C:\Downloads\ZumaSetup-dm[1].exe moved successfully.
C:\Program Files\Backyardigans Mission to Mars\bfgt_silent_en.exe moved successfully.
C:\Program Files\Dora the Explorer 3D Pyramid Adventure\bfgt_silent_en.exe moved successfully.
C:\WINDOWS\system32\wbem\csrss.exe moved successfully.
[Custom Input]
< purity >

OTMoveIt2 v1.0.8 log created on 01202008_101102

#39 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 19 January 2008 - 01:27 PM

Can you post a new DSS log and tell me how your PC is running?

#40 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 19 January 2008 - 01:32 PM

Here is the new DSS log:

Deckard's System Scanner v20071014.68
Run by Todd Gieber on 2008-01-20 10:29:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2008-01-20 18:29:17 UTC - RP807 - Deckard's System Scanner Restore Point
81: 2008-01-18 02:00:19 UTC - RP806 - System Checkpoint
80: 2008-01-16 23:28:02 UTC - RP805 - System Checkpoint
79: 2008-01-15 07:03:13 UTC - RP804 - Software Distribution Service 3.0
78: 2008-01-14 23:52:58 UTC - RP803 - ComboFix created restore point


-- First Restore Point --
1: 2007-10-20 09:44:57 UTC - RP726 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Todd Gieber.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:00 AM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
H:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Todd Gieber.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Finances\Quicken\billmind.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Finances\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Finances\Quicken\QWDLLS.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.38/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://fun.gamesvill...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8598 bytes

-- File Associations -----------------------------------------------------------

.scr - scrfile - shell\open\command - "C:\WINDOWS\Temp\checkmemory.exe" exec "%1" /S


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>

S3 catchme - c:\docume~1\toddgi~1\locals~1\temp\catchme.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-17 19:47:01 354 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2008-01-17 17:59:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-20 10:30:41 0 d-------- C:\Program Files\Trend Micro
2008-01-16 18:56:08 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 18:56:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-14 18:00:51 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-01-14 18:00:50 495616 --a------ C:\WINDOWS\system32\hphmon05.exe <Not Verified; Hewlett-Packard; HP Photosmart>
2008-01-14 18:00:49 497376 --a------ C:\WINDOWS\p_981116.exe <Not Verified; Microsoft Corporation; Microsoft® Windows NT® Operating System>
2008-01-13 13:55:52 3982 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 13:54:56 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 13:54:56 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-01-13 13:54:56 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-01-13 13:54:56 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-01-13 13:54:56 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-01-13 13:54:56 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 13:16:25 0 d-------- C:\WINDOWS\ERUNT
2008-01-06 15:15:44 0 d--hs---- C:\WINDOWS\CSC
2008-01-06 12:07:03 0 d-------- C:\Program Files\Elaborate Bytes
2008-01-02 16:16:28 0 d-------- C:\Documents and Settings\Sierra Gieber\Application Data\Atari
2008-01-02 16:15:56 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-01 19:46:18 0 d-------- C:\Program Files\Edmark
2008-01-01 19:44:18 0 d-------- C:\Program Files\Creative Wonders
2007-12-30 21:02:09 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-12-30 21:01:38 0 d-------- C:\Program Files\Hooked on Phonics Learning
2007-12-30 09:32:14 20 --ahs---- C:\ArcDeviceInfo
2007-12-27 14:15:42 0 d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-12-25 19:57:18 194362 --a------ C:\WINDOWS\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver (x86)>
2007-12-25 19:53:01 0 d-------- C:\Program Files\U.B. Funkeys


-- Find3M Report ---------------------------------------------------------------

2008-01-20 10:25:59 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2008-01-20 10:25:59 384 --a------ C:\WINDOWS\system32\DVCState-{00000005-00000000-00000003-00001102-00000004-20061102}.dat
2008-01-20 10:07:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-15 20:24:14 0 d-------- C:\Program Files\QuickTime
2008-01-15 20:24:14 0 d-------- C:\Program Files\iTunes
2008-01-15 20:24:13 0 d-------- C:\Program Files\Dell Support
2008-01-14 15:39:28 0 d-------- C:\Program Files\Common Files
2008-01-14 15:39:27 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-01-06 14:27:29 502784 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-01-06 12:04:55 0 d-------- C:\Program Files\SlySoft
2008-01-02 16:07:29 0 d-------- C:\Program Files\Atari
2008-01-02 16:07:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-02 14:14:41 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ZoomBrowser EX
2008-01-01 19:48:22 0 d-------- C:\Program Files\The Learning Company
2008-01-01 19:45:09 1693 --a------ C:\WINDOWS\EReg077.dat
2007-12-30 09:32:12 0 d-------- C:\Documents and Settings\Todd Gieber\Application Data\ArcSoft
2007-12-27 14:15:31 0 d-------- C:\Program Files\MumboJumbo
2007-12-16 11:49:47 0 d-------- C:\Program Files\Puppy Luv
2007-12-14 15:22:07 1977747 --a------ C:\WINDOWS\PUZZLES.DAT
2007-12-07 20:15:28 0 d-------- C:\Program Files\Symantec
2007-11-23 21:25:44 85 ---hs---- C:\Documents and Settings\Todd Gieber\Application Data\.zreglib
2007-11-22 09:48:25 0 d-------- C:\Program Files\Norton 360
2007-11-21 23:02:01 0 d-------- C:\Program Files\iPod
2007-11-21 22:59:12 0 d-------- C:\Program Files\Apple Software Update
2007-11-21 22:58:45 0 d-------- C:\Program Files\Common Files\Apple
2007-11-11 12:59:56 364544 --a------ C:\WINDOWS\system32\WDBtnMgr.exe <Not Verified; Western Digital Technologies, Inc.; WD Button Manager>
2007-11-11 11:57:07 0 --a------ C:\WINDOWS\system32\AleUpdt.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/11/2004 08:10 PM]
"CTHelper"="CTHELPER.EXE" [03/11/2004 12:50 PM C:\WINDOWS\system32\CTHELPER.EXE]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01/06/2008 02:04 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"DSS"="C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE" [01/06/2008 02:04 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/06/2008 02:04 PM]
"WD Button Manager"="WDBtnMgr.exe" [11/11/2007 12:59 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/25/2006 01:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [06/04/2006 06:52 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/06/2008 02:04 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Finances\Quicken\billmind.exe [9/20/2002 10:50:32 AM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 8:59:36 AM]
Quicken Scheduled Updates.lnk - C:\Program Files\Finances\Quicken\bagent.exe [9/20/2002 10:50:46 AM]
Quicken Startup.lnk - C:\Program Files\Finances\Quicken\QWDLLS.EXE [9/20/2002 10:50:50 AM]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [11/11/2007 1:01:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-01-20 10:31:35 ------------
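
The File Associations section of the DSS log above records the .scr handler as "C:\WINDOWS\Temp\checkmemory.exe" exec "%1" /S: a program under a Temp directory runs first and then launches the screensaver itself, so nothing looks broken to the user. The thread does not act on that line, but it is exactly the pattern a handler-hijack check is written for (the same trick on exefile is a common reason a machine "cannot run any .exe"). The following is an added example, not code from the thread or from Deckard's System Scanner: it parses DSS-style association lines, compares them with the stock Windows XP handlers, and explains why an entry is suspicious. The sample lines are constructed; the first mirrors the entry in the log above.

```python
import re
from pathlib import PureWindowsPath

# Added example, not code from the thread. Stock shell\open\command values
# for the executable file classes on Windows XP.
DEFAULT_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

# One line of the DSS "File Associations" section:
#   .scr - scrfile - shell\open\command - "C:\path\x.exe" exec "%1" /S
ASSOC_LINE = re.compile(
    r"^(?P<ext>\.\w+) - (?P<progid>\S+) - (?P<verb>\S+) - (?P<cmd>.+)$")


def handler_executable(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def check_association(line):
    """Return a finding dict for a non-stock handler, or None if it is stock."""
    m = ASSOC_LINE.match(line.strip())
    if not m:
        return None
    progid, cmd = m["progid"].lower(), m["cmd"].strip()
    expected = DEFAULT_OPEN_COMMANDS.get(progid)
    if expected is None:
        return None  # not an executable class this check knows a default for
    if " ".join(cmd.split()).lower() == expected.lower():
        return None  # stock handler
    exe = handler_executable(cmd)
    reasons = [f"differs from the default {expected}"]
    if any(part.lower() == "temp" for part in PureWindowsPath(exe).parts):
        reasons.append(f"handler lives in a Temp directory: {exe}")
    if exe != "%1" and '"%1"' in cmd:
        # A foreign program runs first, then hands the real file on, so the
        # hijack stays invisible to the user.
        reasons.append("foreign program wraps the real target and passes %1 through")
    return {"ext": m["ext"], "progid": progid, "executable": exe, "reasons": reasons}


# Constructed sample lines in the DSS format: the first mirrors the entry in
# the log above, the rest are stock XP handlers.
SAMPLE_ASSOCIATIONS = [
    r'.scr - scrfile - shell\open\command - "C:\WINDOWS\Temp\checkmemory.exe" exec "%1" /S',
    r'.exe - exefile - shell\open\command - "%1" %*',
    r'.reg - regfile - shell\open\command - regedit.exe "%1"',
    r'.txt - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1',
]

if __name__ == "__main__":
    for line in SAMPLE_ASSOCIATIONS:
        hit = check_association(line)
        if hit:
            print(hit["ext"], "->", hit["executable"])
            for reason in hit["reasons"]:
                print("   ", reason)
```

The DSS line is only a rendering; the registry is the source of truth, and HKCR merges HKLM\Software\Classes with HKCU\Software\Classes, the per-user key winning. On the machine itself, "reg query HKCR\exefile\shell\open\command" and the same for scrfile show what is really in force.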

#41 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 19 January 2008 - 01:38 PM

How is your PC running?

Any problems?

#42 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 19 January 2008 - 01:59 PM

I would say overall much more responsive. Many little items to fix, such as no sound and issues sending e-mail, but these can be repaired.

Per the logs do you believe my PC is free from viruses at this point?

I have been running Norton 360 and prior Norton Internet Security. Any idea why it would have never caught all of these problems?

#43 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 19 January 2008 - 02:01 PM

Probably because you had an insanely infected PC that targeted a lot of legitimate files.

A few things to do:

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE) and install it to your computer from here.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
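
The post above recommends the MVPS HOSTS file and explains that it works by mapping ad and malware hosts to 127.0.0.1 so the connection never leaves the machine. The same mechanism cuts both ways: malware edits HOSTS to point update and antivirus hosts at 127.0.0.1 or at an address it controls, which is one way a machine stops getting updates and detections without any visible error. The following is an added example, not code from the thread or from the MVPS project: it implements the HOSTS lookup rules (comments stripped, first match wins, names compared case-insensitively) and then audits the entries for blocked or redirected update hosts. windowsupdate.microsoft.com is taken from the recommendation above; update.antivirus.example is an assumed placeholder for the machine's antivirus vendor, and the sample file is constructed.

```python
import ipaddress

# Added example, not code from the thread. Addresses that make a name
# unreachable when placed in HOSTS.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Update and security hosts that malware likes to block or redirect.
# Assumption: the owner fills this in for the products on the machine.
PROTECTED_HOSTS = {"windowsupdate.microsoft.com", "update.antivirus.example"}


def parse_hosts(text):
    """Return (address, hostname) pairs in file order, comments stripped.

    Hostnames are lowercased because HOSTS lookups are case-insensitive.
    Lines whose first field is not an IP address are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((address, name.lower()))
    return entries


def resolve(entries, hostname):
    """First matching entry wins, as the system resolver does; None means DNS."""
    wanted = hostname.lower()
    for address, name in entries:
        if name == wanted:
            return address
    return None


def audit(entries, protected=PROTECTED_HOSTS):
    """Flag entries that blackhole or redirect update/security hosts."""
    findings = []
    for address, name in entries:
        if name in protected:
            kind = "blocked" if address in SINKHOLES else f"redirected to {address}"
            findings.append((name, kind))
    return findings


# Constructed sample, not the MVPS file: blocklist-style lines plus two
# lines of the kind malware adds, and one malformed line.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # blocklist entry
0.0.0.0         banner.adnet.example
127.0.0.1       windowsupdate.microsoft.com
10.9.8.7        update.antivirus.example
not-an-address  junk.example
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.tracker.example", "www.example.org"):
        print(name, "->", resolve(hosts, name) or "DNS")
    for name, kind in audit(hosts):
        print("tampered:", name, kind)
```

After installing a blocklist HOSTS file the audit should come back empty, since such a list contains only ad and malware hosts. Note that 127.0.0.1 hands the request to any web server listening locally, while 0.0.0.0 fails immediately; that is why many blocklists now use 0.0.0.0, and the resolver above treats both as sinkholes.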

#44 tgieber

tgieber

    Member

  • Full Member
  • 28 posts

Posted 19 January 2008 - 02:41 PM

Hello.

My assumption from your last post is that the latest logs show my PC is free from viruses?

I want to sincerely thank you for your time, efforts, and patience in working with me to correct my problems, I can't believe what an incredible service this site offers! In any event, wanted to let you know that I appreciated your efforts and you've given me a new outlook on how to protect my PC going forward.

It looks as though our journey ends here...

Best Wishes!

#45 Rorschach112

Rorschach112

    Forum Deity

  • Retired Staff - Helper
  • 884 posts

Posted 19 January 2008 - 03:05 PM

Yes, it is indeed clean.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#46 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 16 May 2008 - 11:35 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"



