Malware Problem - HJT Log attached

Hi there.

I've got serious trouble.
Some EXE files are continuously being injected into the C:\Documents and Settings\Owner\Local Data\Temp folder. (Owner is the profile in use.)
I went into safe mode and removed them, and thought it was cleaned. But they came back again.
I was scanning via the Trend Micro Online Scanner, and my browser was killed when the new EXE was generated and run.
I went to check the System32 folder and found one piece of Korean software by Hanbiton. Unfortunately, I deleted the file.

NDG2yE6Q.exe and 25fqf1rh.exe are the two files currently running. I can't stop them for some reason.

Please help. What should I do?

Thanks.

WoodyRoundUp

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:46 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\25fqf1rh.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5497 bytes
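The pattern reported above (unknown executables running from the user's Temp folder, one of them several times over) can be pulled out of a HijackThis log mechanically. The following is an added example, not part of the thread or of HijackThis itself: it parses the "Running processes:" section, expands the 8.3 short names XP prints, flags images under any Local Settings\Temp, and counts repeated instances. The sample log is a constructed excerpt using paths from the post.

```python
"""Triage the 'Running processes' section of a HijackThis v2.0.2 log.

Added example for this thread, not HijackThis code. Flags executables
running from a user's Local Settings\\Temp folder and counts how many
instances of each image are listed.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt of a HijackThis log; paths copied from the post above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\25fqf1rh.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# 8.3 short names as HijackThis prints them on Windows XP.
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "LOCALS~1": "Local Settings",
    "PROGRA~1": "Program Files",
}

# A process image living under any user's Local Settings\Temp is unusual
# for something that stays resident; this is what the poster observed.
TEMP_DIR_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp\\",
    re.IGNORECASE,
)


def expand_short_path(path: str) -> str:
    """Expand the known 8.3 components so paths compare consistently."""
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.split("\\"))


def running_processes(log_text: str) -> List[str]:
    """Return the expanded image paths listed under 'Running processes:'."""
    procs = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # a blank line ends the section in HijackThis output
            procs.append(expand_short_path(line.strip()))
    return procs


def triage(log_text: str) -> Dict[str, object]:
    """Flag temp-folder processes and count images listed more than once."""
    procs = running_processes(log_text)
    counts = Counter(p.lower() for p in procs)  # NTFS paths are case-insensitive
    temp_procs = sorted({p for p in procs if TEMP_DIR_RE.match(p)})
    repeated = {p: n for p, n in counts.items() if n > 1}
    return {"total": len(procs), "temp_processes": temp_procs, "repeated": repeated}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} processes listed")
    for p in result["temp_processes"]:
        print("temp-folder process:", p)
    for p, n in result["repeated"].items():
        print(f"{n} instances: {p}")
```

Multiple svchost.exe instances are normal on XP; the point of the repeat count is to notice an unknown Temp-folder image appearing many times, as NDG2yE6Q.exe does in the full log.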

Comments

  • edited April 2008
    Welcome to Icrontic WoodyRoundUp,

    Vundo-type infection activity shows there. Let's get a more current and detailed view of things, then start repairs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed, a textbox will appear - copy/paste its contents back here (main.txt). A second text file, extra.txt, will show as minimized in your Task Bar. Maximize/open this and copy/paste its contents back here along with the main.txt, please. (The logs can also be found in the C:\Deckard\System Scanner folder.)

    You can use extra posts here if needed for that.
  • edited May 2008
    Hi Thomas,

    Sorry for taking so long to send the logs to you.
    But here they are.

    Main.txt
    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-05-04 11:09:56
    Computer is in Normal Mode.

    Backed up registry hives.



    -- HijackThis (run as Owner.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:10:52 AM, on 5/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Documents and Settings\Owner\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5175 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080421-012814-519 O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
    backup-20080421-012814-602 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>

    S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
    S3 XDva098 - c:\windows\system32\xdva098.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Scheduled Tasks

    2008-05-04 11:00:00 350 --a
    C:\WINDOWS\Tasks\At12.job
    2008-05-04 10:00:00 350 --a
    C:\WINDOWS\Tasks\At11.job
    2008-05-04 03:00:00 350 --a
    C:\WINDOWS\Tasks\At4.job
    2008-05-04 02:00:00 350 --a
    C:\WINDOWS\Tasks\At3.job
    2008-05-04 01:00:00 350 --a
    C:\WINDOWS\Tasks\At2.job
    2008-05-04 00:34:00 350 --a
    C:\WINDOWS\Tasks\At1.job
    2008-05-03 23:00:00 350 --a
    C:\WINDOWS\Tasks\At24.job
    2008-05-03 22:00:00 350 --a
    C:\WINDOWS\Tasks\At23.job
    2008-05-03 21:00:00 350 --a
    C:\WINDOWS\Tasks\At22.job
    2008-05-03 20:00:00 350 --a
    C:\WINDOWS\Tasks\At21.job
    2008-05-03 19:00:00 350 --a
    C:\WINDOWS\Tasks\At20.job
    2008-05-03 18:00:00 350 --a
    C:\WINDOWS\Tasks\At19.job
    2008-05-03 17:00:00 350 --a
    C:\WINDOWS\Tasks\At18.job
    2008-05-03 16:00:00 350 --a
    C:\WINDOWS\Tasks\At17.job
    2008-05-03 15:00:00 350 --a
    C:\WINDOWS\Tasks\At16.job
    2008-05-03 14:00:00 350 --a
    C:\WINDOWS\Tasks\At15.job
    2008-05-03 13:00:00 350 --a
    C:\WINDOWS\Tasks\At14.job
    2008-05-03 12:00:00 350 --a
    C:\WINDOWS\Tasks\At13.job
    2008-05-03 09:00:00 350 --a
    C:\WINDOWS\Tasks\At10.job
    2008-05-03 08:00:00 350 --a
    C:\WINDOWS\Tasks\At9.job
    2008-05-03 07:00:00 350 --a
    C:\WINDOWS\Tasks\At8.job
    2008-05-03 06:00:00 350 --a
    C:\WINDOWS\Tasks\At7.job
    2008-05-03 05:00:00 350 --a
    C:\WINDOWS\Tasks\At6.job
    2008-05-03 04:00:00 350 --a
    C:\WINDOWS\Tasks\At5.job
    2008-04-22 11:44:05 390 --a
    C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1206146631.job


    -- Files created between 2008-04-04 and 2008-05-04

    2008-05-01 15:42:58 186 --ah
    C:\Documents and Settings\Owner\Application Data\hpothb07.dat
    2008-04-21 22:12:24 0 d
    C:\Documents and Settings\Owner\.housecall6.6
    2008-04-21 21:25:13 0 d
    C:\Documents and Settings\Owner\Application Data\Lavasoft
    2008-04-21 21:24:54 0 d
    C:\Program Files\Lavasoft
    2008-04-21 01:38:31 0 d
    C:\WINDOWS\Sun
    2008-04-21 01:38:31 0 d
    C:\Documents and Settings\Owner\Application Data\Sun
    2008-04-21 01:37:15 0 d
    C:\Program Files\Java
    2008-04-21 01:36:47 0 d
    C:\Program Files\Common Files\Java
    2008-04-21 01:20:19 106 --a
    C:\delete.bat
    2008-04-21 01:15:02 0 d
    C:\Program Files\Trend Micro
    2008-04-20 23:39:02 0 d
    C:\WINDOWS\pss
    2008-04-10 17:56:29 1722880 --a
    C:\c
    2008-04-09 22:40:40 0 d
    C:\Program Files\Microsoft Visual Studio 8
    2008-04-09 22:40:40 0 d
    C:\Program Files\Common Files\Merge Modules
    2008-04-09 22:40:39 0 d
    C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-04-09 22:40:03 0 d
    C:\Program Files\SQLXML 4.0
    2008-04-09 20:20:18 0 d
    C:\Program Files\Microsoft Analysis Services
    2008-04-09 20:19:48 0 d
    C:\Program Files\Microsoft.NET
    2008-04-09 20:11:56 0 d
    C:\Program Files\Microsoft SQL Server
    2008-04-09 20:09:17 0 d
    C:\Program Files\DAEMON Tools Lite
    2008-04-09 20:05:47 717296 --a
    C:\WINDOWS\system32\drivers\sptd.sys
    2008-04-09 20:05:43 0 d
    C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-04-09 19:47:54 0 d
    C:\Documents and Settings\RemoteUser\Application Data\Identities
    2008-04-09 19:47:37 0 d--h
    C:\Documents and Settings\RemoteUser\Templates
    2008-04-09 19:47:37 0 dr
    C:\Documents and Settings\RemoteUser\Start Menu
    2008-04-09 19:47:37 0 dr-h
    C:\Documents and Settings\RemoteUser\SendTo
    2008-04-09 19:47:37 0 dr-h
    C:\Documents and Settings\RemoteUser\Recent
    2008-04-09 19:47:37 0 d--h
    C:\Documents and Settings\RemoteUser\PrintHood
    2008-04-09 19:47:37 0 d--h
    C:\Documents and Settings\RemoteUser\NetHood
    2008-04-09 19:47:37 0 dr
    C:\Documents and Settings\RemoteUser\My Documents
    2008-04-09 19:47:37 0 d--h
    C:\Documents and Settings\RemoteUser\Local Settings
    2008-04-09 19:47:37 0 dr
    C:\Documents and Settings\RemoteUser\Favorites
    2008-04-09 19:47:37 0 d
    C:\Documents and Settings\RemoteUser\Desktop
    2008-04-09 19:47:37 0 d---s---- C:\Documents and Settings\RemoteUser\Cookies
    2008-04-09 19:47:37 0 dr-h
    C:\Documents and Settings\RemoteUser\Application Data
    2008-04-09 19:47:37 0 d---s---- C:\Documents and Settings\RemoteUser\Application Data\Microsoft
    2008-04-09 19:47:36 786432 --ah
    C:\Documents and Settings\RemoteUser\NTUSER.DAT
    2008-04-09 17:20:59 54864 --a
    C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-09 17:00:06 0 d
    C:\Documents and Settings\All Users\Application Data\Avery
    2008-04-05 22:34:41 0 d
    C:\Program Files\Common Files\Macromedia
    2008-04-05 22:33:26 0 d
    C:\Program Files\Macromedia


    -- Find3M Report

    2008-05-01 15:42:58 263 --ah
    C:\Documents and Settings\Owner\Application Data\hpothb07.tif
    2008-04-26 23:50:31 0 d
    C:\Documents and Settings\Owner\Application Data\Adobe
    2008-04-23 20:08:44 0 d
    C:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-04-21 01:36:47 0 d
    C:\Program Files\Common Files
    2008-04-09 17:11:28 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-04-05 18:42:01 0 d
    C:\Documents and Settings\Owner\Application Data\MSN6
    2008-04-02 21:03:29 22720 --a
    C:\WINDOWS\system32\emptyregdb.dat
    2008-04-02 12:56:59 0 d
    C:\Program Files\Microsoft ActiveSync
    2008-04-01 09:37:24 0 d
    C:\Program Files\Common Files\Adobe
    2008-03-31 12:12:20 0 d
    C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
    2008-03-31 12:12:09 0 d
    C:\Program Files\GlobalSCAPE
    2008-03-29 09:48:18 0 d
    C:\Program Files\K-Lite Codec Pack
    2008-03-29 09:48:12 0 d
    C:\Documents and Settings\Owner\Application Data\Real
    2008-03-23 12:10:31 2935 --a
    C:\WINDOWS\mozver.dat
    2008-03-22 10:50:50 0 d
    C:\Program Files\Common Files\Adobe Systems Shared
    2008-03-22 10:44:50 0 d
    C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
    2008-03-22 10:43:50 20454 --a
    C:\WINDOWS\hpoins01.dat
    2008-03-22 10:43:37 0 d
    C:\Program Files\Hewlett-Packard
    2008-03-22 10:40:31 0 d
    C:\Program Files\Common Files\Hewlett-Packard
    2008-03-22 10:18:11 0 d
    C:\Program Files\Microsoft CRM 4.0 - CTP3 - VPC
    2008-03-21 16:19:47 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-21 16:18:38 0 d
    C:\Documents and Settings\Owner\Application Data\Mozilla
    2008-03-19 08:25:09 0 d
    C:\Program Files\Symantec
    2008-03-19 08:25:00 0 d
    C:\Program Files\NavNT
    2008-03-19 08:24:47 0 d
    C:\Program Files\Common Files\Symantec Shared
    2008-03-18 21:23:10 0 d
    C:\Documents and Settings\Owner\Application Data\Macromedia
    2008-03-18 11:22:53 0 d
    C:\Program Files\Windows Live
    2008-03-18 11:22:23 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-03-18 11:19:27 0 d
    C:\Documents and Settings\Owner\Application Data\WinRAR
    2008-03-18 10:19:06 21504 --a
    C:\WINDOWS\jestertb.dll
    2008-03-17 21:13:24 0 d
    C:\Program Files\NETGEAR
    2008-03-09 20:40:58 0 d
    C:\Program Files\Common Files\ODBC
    2008-03-09 20:40:55 0 d
    C:\Program Files\Common Files\SpeechEngines
    2008-03-09 20:40:35 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
    2008-03-09 11:02:30 0 d
    C:\Program Files\Messenger
    2008-03-09 10:00:10 0 d
    C:\Documents and Settings\Owner\Application Data\Identities
    2008-03-09 09:57:06 0 d
    C:\Program Files\microsoft frontpage
    2008-03-09 09:56:58 0 -rahs---- C:\MSDOS.SYS
    2008-03-09 09:56:58 0 -rahs---- C:\IO.SYS
    2008-03-09 09:56:58 0 --a
    C:\CONFIG.SYS
    2008-03-09 09:55:09 0 d
    C:\Program Files\Common Files\MSSoap
    2008-03-09 09:54:13 0 d--h
    C:\Program Files\WindowsUpdate
    2008-03-09 09:54:13 0 d
    C:\Program Files\Online Services
    2008-03-09 09:54:05 0 d
    C:\Program Files\MSN Gaming Zone
    2008-03-09 08:50:22 0 d
    C:\Program Files\IDETOOL
    2008-03-09 08:50:22 0 --a
    C:\AUTOEXEC.BAT
    2008-03-09 08:47:27 0 d
    C:\Program Files\Realtek
    2008-03-09 08:47:21 0 d
    C:\Documents and Settings\Owner\Application Data\InstallShield
    2008-03-09 08:30:11 0 d
    C:\Program Files\Movie Maker
    2008-03-09 08:28:46 0 d
    C:\Program Files\Windows NT
    2008-03-09 07:25:16 0 d
    C:\Program Files\VIA
    2008-03-09 07:24:56 0 d
    C:\Program Files\Common Files\InstallShield
    2008-03-09 07:24:10 0 d
    C:\Program Files\Realtek Sound Manager
    2008-03-09 07:24:09 0 d
    C:\Program Files\AvRack
    2008-03-09 07:24:04 0 d
    C:\Program Files\Realtek AC97
    2008-03-04 11:33:18 7680 --a
    C:\WINDOWS\system32\ff_vfw.dll


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 09:32 PM]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 10:00 PM]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 10:00 PM]
    "RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [04/26/2005 10:22 AM]
    "nwiz"="nwiz.exe" [12/05/2007 12:41 AM C:\WINDOWS\system32\nwiz.exe]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 06:59 AM]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 10:00 PM]
    "SoundMan"="SOUNDMAN.EXE" [03/01/2006 03:22 PM C:\WINDOWS\soundman.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 12:41 AM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 12:41 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 07:39 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 12:19:50 AM]
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [4/9/2003 5:21:38 PM]
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 5:11:12 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
    NETGEAR WG111v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v3\WG111v3.exe [9/12/2007 2:14:42 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857b8de-ed65-11dc-821f-806d6172696f}]
    AutoRun\command- E:\setup.exe




    -- Hosts

    192.168.0.100 dev.onlinegamez.com.au


    -- End of Deckard's System Scanner: finished at 2008-05-04 11:11:46

    Extra.txt
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Celeron(R) CPU 3.06GHz
    Percentage of Memory in Use: 29%
    Physical Memory (total/avail): 1023.48 MiB / 718.2 MiB
    Pagefile Memory (total/avail): 2460.24 MiB / 2043.7 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1938.71 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 19.53 GiB total, 11.29 GiB free.
    D: is Fixed (NTFS) - 54.99 GiB total, 14.88 GiB free.
    E: is CDROM (No Media)
    F: is Fixed (NTFS) - 37.27 GiB total, 33.05 GiB free.
    G: is Fixed (NTFS) - 189.92 GiB total, 15.36 GiB free.
    H: is CDROM (No Media)

    \\.\PHYSICALDRIVE1 - - 37.27 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:

    \\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 2 partitions
    \PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
    \PARTITION1 - Extended w/Extended Int 13 - 54.99 GiB - D:

    \\.\PHYSICALDRIVE2 - Maxtor OneTouch III USB Device - 189.92 GiB - 1 partition
    \PARTITION0 - Installable File System - 189.92 GiB - G:



    -- Security Center

    AUOptions is disabled.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.
    AntivirusOverride is set.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=CYGLYNXSERVER
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    lib=C:\Program Files\SQLXML 4.0\bin\
    LOGONSERVER=\\CYGLYNXSERVER
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0409
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=CYGLYNXSERVER
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles

    Owner (admin)
    RemoteUser (new local, admin)
    ASPNET


    -- Add/Remove Programs

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    CuteFTP 6 Professional --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
    DesignPro Business Cards SE --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2797D1CC-B68F-4098-96EF-E45700A3335C} /l1033
    Granado Espada --> "F:\Granado Espada\unins000.exe"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
    HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
    HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
    HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
    hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    K-Lite Mega Codec Pack 3.8.5 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
    LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Macromedia Dreamweaver 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall
    Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
    Macromedia Fireworks 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8833100-1481-11D4-9731-00C04F8EEB39}\setup.exe" UNINSTALL
    Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
    Microsoft SQL Server 2005 --> MsiExec.exe /I{2373A92B-1C1C-4E71-B494-5CA97F96AA19}
    Microsoft SQL Server 2005 Analysis Services --> MsiExec.exe /I{982DB00A-9C4E-436B-8707-18E113BAA44C}
    Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
    Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
    Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{90032DD0-ABEE-4424-AC1E-B076BDD4E350}
    Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
    Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
    Microsoft SQL Server VSS Writer --> MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
    Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
    Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
    NETGEAR WG111v3 wireless USB 2.0 adapter --> C:\Program Files\InstallShield Installation Information\{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}\setup.exe -runfromtemp -l0x0409
    Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
    NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
    Realtek AC'97 Audio --> Alcrmv.exe -r -m
    REALTEK GbE & FE Ethernet PCI NIC Driver --> C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\Setup.exe -runfromtemp -l0x0009 -removeonly
    REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
    SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
    VIA Bus Master Ultra ATA Driver (Remove) --> RunDll32 VIAIDE2K.dll,UninstallIDE
    VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
    Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
    Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


    -- Application Event Log

    Event Record #/Type5732 / Error
    Event Submitted/Written: 05/02/2008 03:46:51 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Photoshop.exe, version 9.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type5349 / Success
    Event Submitted/Written: 04/27/2008 00:15:35 AM
    Event ID/Source: 12001 / usnjsvc
    Event Description:
    The Messenger Sharing USN Journal Reader service started successfully.

    Event Record #/Type5257 / Success
    Event Submitted/Written: 04/23/2008 01:27:03 PM
    Event ID/Source: 12001 / usnjsvc
    Event Description:
    The Messenger Sharing USN Journal Reader service started successfully.

    Event Record #/Type5173 / Warning
    Event Submitted/Written: 04/23/2008 02:14:29 AM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type5161 / Success
    Event Submitted/Written: 04/22/2008 06:07:51 PM
    Event ID/Source: 12001 / usnjsvc
    Event Description:
    The Messenger Sharing USN Journal Reader service started successfully.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type7726 / Error
    Event Submitted/Written: 05/04/2008 11:00:00 AM
    Event ID/Source: 7901 / Schedule
    Event Description:
    The At12.job command failed to start due to the following error:
    %%2147942402

    Event Record #/Type7724 / Error
    Event Submitted/Written: 05/04/2008 10:00:00 AM
    Event ID/Source: 7901 / Schedule
    Event Description:
    The At11.job command failed to start due to the following error:
    %%2147942402

    Event Record #/Type7686 / Error
    Event Submitted/Written: 05/04/2008 03:00:00 AM
    Event ID/Source: 7901 / Schedule
    Event Description:
    The At4.job command failed to start due to the following error:
    %%2147942402

    Event Record #/Type7685 / Error
    Event Submitted/Written: 05/04/2008 02:00:00 AM
    Event ID/Source: 7901 / Schedule
    Event Description:
    The At3.job command failed to start due to the following error:
    %%2147942402

    Event Record #/Type7684 / Error
    Event Submitted/Written: 05/04/2008 01:00:00 AM
    Event ID/Source: 7901 / Schedule
    Event Description:
    The At2.job command failed to start due to the following error:
    %%2147942402



    -- End of Deckard's System Scanner: finished at 2008-05-04 11:11:46
  • edited May 2008
    Let's just do a thorough removal now and assess what we need to manually change after.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    One bit of manual change - go to Control Panel - Scheduled Tasks, and delete all those AT# malware-created tasks there.


    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the MBAM log and the SDFix report.txt log please.
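    As an added illustration (not code from this thread or from Deckard's System Scanner), the Python below parses DSS-style "Event Record" blocks like those in the System Event Log above and flags the Schedule-service failures (Event ID 7901) that name the AtN.job tasks the reply says to delete; the sample records are constructed to match the log's layout, and the %%2147942402 token is decoded using the standard HRESULT layout (0x80070002, Win32 error 2, ERROR_FILE_NOT_FOUND, i.e. the task's target file no longer exists).

```python
import re
# Constructed sample in the DSS "Event Record" layout quoted in the log above.
SAMPLE_LOG = """\
Event Record #/Type7726 / Error
Event Submitted/Written: 05/04/2008 11:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At12.job command failed to start due to the following error:
%%2147942402

Event Record #/Type5349 / Success
Event Submitted/Written: 04/27/2008 00:15:35 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
"""

def parse_events(text):
    """Parse blank-line-separated DSS event blocks into dicts; other blocks are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if not lines or not lines[0].startswith("Event Record #/Type"):
            continue
        ev = {"level": lines[0].rsplit(" / ", 1)[1], "description": ""}
        for i, ln in enumerate(lines):
            if ln.startswith("Event Submitted/Written: "):
                ev["when"] = ln.split(": ", 1)[1]
            elif ln.startswith("Event ID/Source: "):
                ev["event_id"], ev["source"] = ln.split(": ", 1)[1].split(" / ", 1)
            elif ln == "Event Description:":
                ev["description"] = " ".join(lines[i + 1:])  # rest of block is the message
        events.append(ev)
    return events

def decode_status(token):
    """'%%2147942402' is a decimal HRESULT; when its facility is WIN32 (7) the low 16 bits are a Win32 error."""
    value = int(token.lstrip("%"))
    return f"0x{value:08X}", (value & 0xFFFF if ((value >> 16) & 0x7FF) == 7 else None)

def suspicious_at_jobs(events):
    """Schedule failures (Event ID 7901) that name an AtN.job task, with the error code decoded."""
    hits = []
    for ev in events:
        job = re.search(r"\bAt\d+\.job\b", ev["description"])
        if job and ev.get("source") == "Schedule" and ev.get("event_id") == "7901":
            status = re.search(r"%%\d+", ev["description"])
            hresult, win32 = decode_status(status.group(0)) if status else ("", None)
            hits.append((job.group(0), ev.get("when", ""), hresult, win32))
    return hits
```

    Paste the "-- System Event Log" section of a DSS main.txt into parse_events to list every AtN.job the Schedule service tried and failed to run, which is the set of tasks to look for under Control Panel - Scheduled Tasks.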
  • VekaVeka Finland
    edited May 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead :)