Options
Something has taken over
Hi, and thanks so much for providing this service. I am a "for real dummies" kind of guy, and I don't know what to do about a problem my antivirus program - Bitdefender 10, has made me aware of. And so, I turn to you kind folks...
When I try to scan with Adaware or spybot, they freeze after awhile. When Adaware froze again just a moment ago, I got a bitdender popup saying it had discovered the Application.Grokster.A virus, but did not let it infect my computer. Adaware was stuck on the registry file that Bitdefender was pointing to. Bitdefender has also made me aware that it has blocked (but not removed) a virus called "Win32.Worm.VB.Ymeak.A"
Also, I am also constantly being warned by Bitdefender re: a suspected file which reads "BehavesLike:Win32.AV-Killer" and points to either a explorer.exe file, or an activeX.exe, or some other important looking file name in a system directory. And when I run the ATF Cleaner, the cpu freezes if the "all user temp" button is checked. My computer is slow as molasses, and when I cnt-alt-del to get moving, my cpu performance is running at 100%, even though I may only have a browser window open.
Please help. And thank you again for the trouble of doing so.
Here's my HijackThis report (which upon creating opened a "BehavesLike:Win32.AV-Killer popup from Bitdender)...
Logfile of HijackThis v1.99.1
Scan saved at 3:15:31 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ShirusuPad\ShirusuPad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
When I try to scan with Adaware or spybot, they freeze after awhile. When Adaware froze again just a moment ago, I got a bitdender popup saying it had discovered the Application.Grokster.A virus, but did not let it infect my computer. Adaware was stuck on the registry file that Bitdefender was pointing to. Bitdefender has also made me aware that it has blocked (but not removed) a virus called "Win32.Worm.VB.Ymeak.A"
Also, I am also constantly being warned by Bitdefender re: a suspected file which reads "BehavesLike:Win32.AV-Killer" and points to either a explorer.exe file, or an activeX.exe, or some other important looking file name in a system directory. And when I run the ATF Cleaner, the cpu freezes if the "all user temp" button is checked. My computer is slow as molasses, and when I cnt-alt-del to get moving, my cpu performance is running at 100%, even though I may only have a browser window open.
Please help. And thank you again for the trouble of doing so.
Here's my HijackThis report (which upon creating opened a "BehavesLike:Win32.AV-Killer popup from Bitdender)...
Logfile of HijackThis v1.99.1
Scan saved at 3:15:31 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ShirusuPad\ShirusuPad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
0
Comments
first of all, I have bad news
One or more of the identified infections is a backdoor trojan
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.
Please let us know what you have decided to do in your next post
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
My SDFix Report:
SDFix: Version 1.73
Run by Administrator - Fri 03/16/2007 - 19:29:31.97
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\system\Explorer.EXE - Deleted
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\\Program Files\\Primedius\\PrimediusProxy.exe"="C:\\Program Files\\Primedius\\PrimediusProxy.exe:*:Disabled:PrimediusProxy"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Mark Goulding\\Local Settings\\Temp\\WebGrab.exe"="C:\\Documents and Settings\\Mark Goulding\\Local Settings\\Temp\\WebGrab.exe:*:Disabled:WebGrab"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\system\\explorer.exe"="C:\\WINDOWS\\system\\explorer.exe:*:Enabled:Explorer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealOne Player"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system\\explorer.exe"="C:\\WINDOWS\\system\\explorer.exe:*:Enabled:Explorer"
Remaining Files:
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\Support.com\bin\IBMAccessSupport\common\graphics\images\Thumbs.db
C:\Program Files\Support.com\help\security.GID
C:\Program Files\Support.com\help\tgcmd.GID
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\redir.sys
C:\WINDOWS\page files\maxmeg.sys
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL0001.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL0002.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3350.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3485.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3597.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL1317.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL1515.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL2518.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL3140.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL3529.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL2504.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL2737.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL3345.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL3502.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL0283.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL2279.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL2983.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\Work Words\Grey stuff\~WRL3317.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\Work Words\ZP\mgstr\Newbizdocs\~WRL1820.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\Screenwriting\Ideas\Ideas sources from 'writing' folder\Scripts - snl-standup comics\~WRL3441.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Ideas\Scripts - snl-standup comics\~WRL3441.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\~WRL2187.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\~WRL2248.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL0875.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1608.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1621.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1957.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL2406.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL3303.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Stories\2005\~WRL1446.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Stories\2005\~WRL1484.tmp
C:\Program Files\InterActual\InterActual Player\iti13.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT9.tmp
Finished
And a new HJT report:
Logfile of HijackThis v1.99.1
Scan saved at 8:03:55 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CACHE
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
My fingers are crossed...
SDFix Report -
SDFix: Version 1.73
Run by Mark Goulding - Fri 03/16/2007 - 22:49:09.18
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
Checking For Files with Hidden Attributes :
C:\Program Files\Support.com\bin\IBMAccessSupport\common\graphics\images\Thumbs.db
C:\Program Files\Support.com\help\security.GID
C:\Program Files\Support.com\help\tgcmd.GID
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\redir.sys
C:\WINDOWS\page files\maxmeg.sys
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL0001.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL0002.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3350.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3485.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Templates\~WRL3597.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL1317.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL1515.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL2518.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL3140.tmp
C:\Documents and Settings\Mark Goulding\Application Data\Microsoft\Word\~WRL3529.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL2504.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL2737.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL3345.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\prsnl\~WRL3502.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL0283.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL2279.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\~WRL2983.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\Work Words\Grey stuff\~WRL3317.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\other\work\Work Words\ZP\mgstr\Newbizdocs\~WRL1820.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\Screenwriting\Ideas\Ideas sources from 'writing' folder\Scripts - snl-standup comics\~WRL3441.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Ideas\Scripts - snl-standup comics\~WRL3441.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\~WRL2187.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\~WRL2248.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL0875.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1608.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1621.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL1957.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL2406.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\journals\2006\~WRL3303.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Stories\2005\~WRL1446.tmp
C:\Documents and Settings\Mark Goulding\My Documents\My Words\MSG\writing\Stories\2005\~WRL1484.tmp
C:\Program Files\InterActual\InterActual Player\iti13.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT9.tmp
Finished
and a new HJT file, made after the above tool was run a second time...
Logfile of HijackThis v1.99.1
Scan saved at 11:11:47 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
I did note that both times I ran HJT (in regards to the above post and this, that when I clicked on "do a system scan and save a logfile", I immediately received a Bitdefender popup window along side the HJT log report saying "Virus Alert - File: c\WINDOWS\system32\directx.exe Suspect of: BehavesLike:Win32.AV-Killer
BitDefender Action - blocked this virus - your computer has NOT been infected."
Thanks for your patience with me in all this.
______
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.
Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
Notepad content:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is A4B6-0111
Directory of C:\WINDOWS\system32
Directory of C:\Documents and Settings\Mark Goulding\Desktop
New HJT (which came with the same Bitdefender popup as described above):
Logfile of HijackThis v1.99.1
Scan saved at 8:09:30 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
Please go Here to see how to show hidden files in windows.
Now use The Windows Search And Search For netd32.exe
I Would like to know for sure where it is located.
Thanks.
I'm a little confused - you sent me the above message in a PM, and asked for a PM in return. I replied via PM. Did you receive? What would you like me to do next?
thanks -
Logfile of HijackThis v1.99.1
Scan saved at 10:58:30 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
i Really Suggest you uninstall Sygate Personal Firewall Because Bitdefender should already have a Firewall.
Please go to Start > Control Panel > Add/Remove Programs and remove:
Sygate Personal Firewall
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.
_________
Restart your computer to the safe mode:
Please open HiJackThis and scan. Check the boxes next to all the entries listed below
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9...p/RdxIE601.cab
O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis
_________
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop
double click on fixthis.bat.
A window will open and close this is normal.
_________
Go to Start => Run and type services.msc
Press enter.
Scroll down to find this entry and double click on it:
DirectX Service
When its property page comes up, stop the service.
Set its startup type to disabled and apply.
Close the services console.
Go to Start => Run and type
sc delete "DirectX Service"
Remember the quotes " "
_________
Run ATF Cleaner
Under
Main choose: Select AllClick the Empty Selected button.
If you use Firefox browser
Click
Firefox at the top and choose: Select AllClick the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click
Opera at the top and choose: Select AllClick the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
__________
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
__________
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
I have completed your assigned tasks. One small potential problem was, however, that I could not see the entire program window for avg-av in safe mode. I had to assume that:
Under How to scan?
- All checkboxes should be ticked.
Under Possibly unwanted software:- All checkboxes should be ticked.
These were not visible, as they were off screen to the left on my laptop's monitor. The rest of the directions I believe I got to.Also, I logged in in safe mode with my usual user account, and not as administrator. Is that a problem?
So anyway, here's the reports -
AVG-AV:
AVG Anti-Spyware - Scan Report
+ Created at: 12:35:14 PM 3/18/2007
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D26F2967-6931-4F65-A0BE-968380F4E6A7}\RP519\A0246778.exe -> Adware.Lop : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D26F2967-6931-4F65-A0BE-968380F4E6A7}\RP519\A0247757.exe -> Downloader.Agent.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D26F2967-6931-4F65-A0BE-968380F4E6A7}\RP519\A0247758.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.79:C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.81:C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.157:C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.184:C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Writers Blocks\Writers blocks 2 temp\Writers Blocks 2\Writers Blocks 2.rar/Writers Blocks 2\fcn_wb20patch.exe -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
C:\Program Files\Writers Blocks\Writers blocks 2 temp\Writers Blocks 2\fcn_wb20patch.exe -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
C:\Program Files\Writers Blocks\fcn_wb20patch.exe -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
::Report end
And here's a new HJT log
(FYI - I still get Bitdefender's "BehavesLike:Win32.AV-Killer" popup when I click HJT's 'scan and save report button' - as mentioned higher up the thread)
Logfile of HijackThis v1.99.1
Scan saved at 12:54:44 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShirusuPad] C:\Program Files\ShirusuPad\ShirusuPad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1DF194A-25C4-4C09-B9BB-6362C95EA7ED}: NameServer = 64.136.173.8 64.136.164.66
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
I look forward to your learned observations.
Best,
Few more things to do :smiles:
__________
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
__________
Click here to download AVG Anti Rootkit and save it to your desktop.
AVG Anti-Rootkit returned this:
"Scan finished. No rootkits found."
I assume that's good news, no?
Please run Panda's ActiveScan You will need to use Internet Explorer to run it.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
o If it wants to install an ActiveX component allow ito It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report
Incident Status Location
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\launcher.exe
Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Spyware:Spyware/Support Not disinfected C:\Documents and Settings\All Users\Application Data\Support.com\profiles\backup\tg\tgcmd.exe\1519616_5dbb20689_[tgcmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\All Users\Documents\smitRem\Process.exe
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Georgiana Goulding\Application Data\Mozilla\Firefox\Profiles\udiumfco.default\cookies.txt[.target.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mark Goulding\Cookies\mark_goulding@go[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mark Goulding\Desktop\Security\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
- During the scan, Bitdefender popped up again (twice) with the "BehavesLike" warning - pointing to explorer.exe in an sdfix folder, an
activeX.exe file the in windows\system32 directory.
I look forward to your reply.
And the exe Located here: C:\Documents and Settings\Mark Goulding\Desktop\Security\SDFix.exe
Also Delete Smitrem Folder Located Here C:\Documents and Settings\All Users\Documents\smitRem
_________
Download CCleaner If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.
Instructions for using CCleaner:
_________
Please download the OTMoveIt.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.C:\WINDOWS\SYSTEM32\SBUtils
C:\WINDOWS\launcher.exe
__________
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Another quick question... while I was starting to follow your latest directives, I had a problem when I tried to delete part of the "Sdfix and it's Backups folder located here: C:\SDFix\backups" - I was unable to delete it.
First, I tried to delete the entire folder, and received an error message saying
"Cannot delete explorer.exe Cannot read from the source file or disk."
So, I went in the SDFix folder and deleted "backups", but when I then tried to delete a folder called "backups_old1" I got the same error message. So, at this point, I have only deleted "SDFix\backups"
It looks like the explorer.exe in backup_old1 won't let me discard it.
I deleted the other two items, and am currently downloading CCCleaner.
How should I proceed?
The OTMove it report:
OT movit clipboard
C:\WINDOWS\SYSTEM32\SBUtils moved successfully.
C:\WINDOWS\launcher.exe moved successfully.
File/Folder not found.
Created on 03/19/2007 11:14:44
And my Kaspersky report:
KASPERSKY ONLINE SCANNER REPORT
Monday, March 19, 2007 5:48:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/03/2007
Kaspersky Anti-Virus database records: 283126
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 70817
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:25:36
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Goulding\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\History\History.IE5\MSHist012007031920070320\index.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mark Goulding\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mark Goulding\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D26F2967-6931-4F65-A0BE-968380F4E6A7}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
I await your commands...
Let's try another scanner to make sure you are clean.
_____________
Please run Deckard's System Scanner (DSS) You will need to use Internet Explorer to run it.
Download to your Desktop. Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread.
5. Please attach extra.txt to your post.
Now for a dummie question - How do I log on to my laptop with administrator privileges? - in safe mode the account login is there, but in regular mode it doesn't appear on the windows introduction screen. I believe I (Mark) am set up as Administrator, but I'm not sure.
In the meantime - here's a Bitdefender scan report I did late yesterday while I awaited your reply...
//
//
// ProductBitDefender Antivirus v10
// Product10.0
//
// Created on: 19/03/2007 19:48:57
//
//
Virus Statistics
Scan path : C:\
Folders : 6772
Files : 484436
Memory processes scanned : 18
Archives : 9075
Runtime packers : 36927
Identified viruses : 0
Infected files : 0
Memory processes infected : 0
Suspect files : 1
Warnings : 0
Disinfected files : 0
Deleted files : 0
Moved files : 0
I/O errors : 29
Scan time : 03:14:41
Scan speed (files/sec) : 41
Spyware Statistics
Registry keys scanned : 1795
Registry keys infected : 0
Cookies scanned : 26
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0
Virus definitions : 442132
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5
Virus scan options
Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user
Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1174348137.log
Spyware scan options
[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies
Summary:
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\HYKYM\ImagePath=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\HYKYM\DisplayName=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\HYKYM\ImagePath=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\HYKYM\DisplayName=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\HYKYM\ImagePath=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\HYKYM\DisplayName=>C:\WINDOWS\SYSTEM32\DIRECTX.EXE Suspect: BehavesLike:Win32.AV-Killer
C:\WINDOWS\system32\directx.exe Suspect: BehavesLike:Win32.AV-Killer
In the meantime, I'll download DSS.
Main.txt
Deckard's System Scanner v20070318.32
Run by Mark Goulding on 2007-03-20 at 12:19:47
Computer is in Normal Mode.
-- System Restore
Successfully created a Deckard's System Scanner Restore Point.
-- Last 3 Restore Point(s) --
3: 2007-03-20 16:20:02 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-03-20 03:25:12 UTC - RP2 - System Checkpoint
1: 2007-03-19 02:31:10 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Mark Goulding.exe)
Logfile of HijackThis v1.99.1
Scan saved at 12:22:08 PM, on 3/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mark Goulding\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Mark Goulding.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rawstory.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar4.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68EA624F-619A-11D6-99CF-006094235084} (IbmEgathDetectCtl Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgathDetect.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.writewaypro.com/download/msxml4.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [URL]file://C:\Program[/URL] Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\)
backup-20060210-112116-275 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060210-112116-559 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20060210-112116-591 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20060210-112116-674 O8 - Extra context menu item: TypePad QuickPost - https://www.typepad.com/t/app?__mode=reg_qp_js&qp_show=ca,cb,ew&qp_height=540
backup-20060210-112116-797 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20060801-011911-169 O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
backup-20060801-011911-310 O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
backup-20060801-011911-657 O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
backup-20060801-011911-851 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20060801-124715-755 O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll (file missing)
backup-20060801-124715-892 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20060913-175516-838 O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
backup-20070131-122138-322 O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
backup-20070131-122138-508 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
backup-20070131-122138-551 O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
backup-20070131-122138-847 O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
backup-20070310-165933-232 O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
backup-20070310-165933-738 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070318-101313-167 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/02b063a105a9af9bf505/netzip/RdxIE601.cab
backup-20070318-101313-221 O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
backup-20070318-101313-482 O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
backup-20070318-101313-510 O23 - Service: DirectX Service (Hykym) - Unknown owner - C:\WINDOWS\system32\directx.exe
-- File Associations
.scr - swwin.Document - "C:\Program Files\Scriptware for Windows\swwin32.exe" "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R0 AVG Anti-Rootkit - c:\windows\system32\drivers\anti_rkt.sys
R0 AVG Clean Driver - c:\windows\system32\drivers\cleandrv.sys
R0 EFlashAssist - c:\windows\system32\drivers\eflashas.sys
R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys
R0 ppa (Iomega Parallel Port Filter Driver) - c:\windows\system32\drivers\ppa.sys
R0 TPkd - c:\windows\system32\drivers\tpkd.sys
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 Smapint - c:\windows\system32\drivers\smapint.sys
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys
R2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys
R3 IBMPMDRV - c:\windows\system32\drivers\ibmpmdrv.sys
R3 IMWEB51 (High Rate Wireless LAN Mini-PCI LAN Driver) - c:\windows\system32\drivers\imwebn51.sys
R3 NSCIRDA (NSC Infrared Device Driver) - c:\windows\system32\drivers\nscirda.sys
R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
R3 smwdm - c:\windows\system32\drivers\smwdm.sys
S3 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys
S3 el575nd5 (3Com Megahertz 10/100 LAN CardBus PC Card Driver) - c:\windows\system32\drivers\el575nd5.sys
S3 l8042pr2 (Logitech PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042pr2.sys
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe"
R2 IBMPMSVC (IBM PM Service) - c:\windows\system32\ibmpmsvc.exe
R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe"
R2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs
R2 QCONSVC - system32\qconsvc.exe
S4 Hykym (DirectX Service) - c:\windows\system32\directx.exe
S4 Iomega Activity Disk2 - ""
-- Scheduled Tasks
2007-03-20 11:42:39 650 --a
C:\WINDOWS\Tasks\BMMTask.job
-- Files created between 2007-02-20 and 2007-03-20
2007-03-19 11:21:09 0 d
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-03-19 11:21:06 0 d
C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-19 08:07:42 0 d
C:\Program Files\CCleaner
2007-03-18 09:12:23 3968 --a
C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-17 10:08:52 0 d
C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-15 13:40:14 1056768 --a
C:\WINDOWS\system32\roboex32.dll
2007-03-15 13:40:14 49152 --a
C:\WINDOWS\system32\Inetwh32.dll
2007-03-15 13:40:14 0 d
C:\Program Files\LaxPlan
2007-03-15 10:40:54 0 d
C:\Program Files\Inspiration<INSPIR~1>
2007-03-14 07:52:18 0 d
C:\Documents and Settings\Georgiana Goulding\Application Data\Babylon
2007-03-14 07:51:46 0 d
C:\Documents and Settings\Georgiana Goulding\Application Data\Bitdefender<BITDEF~1>
2007-03-13 22:57:27 0 d
C:\Program Files\preview temp<PREVIE~1>
2007-03-11 11:20:29 0 d
C:\Documents and Settings\Mark Goulding\Application Data\FileMaker<FILEMA~1>
2007-03-11 11:19:19 40960 --a
C:\WINDOWS\system32\RBShell400.dll<RBSHEL~1.DLL>
2007-03-11 11:19:19 73728 --a
C:\WINDOWS\system32\RBRegEx350.dll<RBREGE~1.DLL>
2007-03-11 11:19:19 61952 --a
C:\WINDOWS\system32\rbap350.dll
2007-03-11 11:19:19 28160 --a
C:\WINDOWS\system32\MBSRegPlugin.DLL<MBSREG~1.DLL>
2007-03-11 11:19:19 37888 --a
C:\WINDOWS\system32\MBSRegistryPlugin.DLL<MBSREG~2.DLL>
2007-03-11 11:19:19 41472 --a
C:\WINDOWS\system32\MBSPlugin.DLL<MBSPLU~1.DLL>
2007-03-11 11:19:19 31744 --a
C:\WINDOWS\system32\MBSMacTTPlugin.DLL<MBSMAC~1.DLL>
2007-03-11 11:19:19 35328 --a
C:\WINDOWS\system32\MBSFolderPlugin.DLL<MBSFOL~1.DLL>
2007-03-11 11:19:19 67072 --a
C:\WINDOWS\system32\LP0310.dll
2007-03-11 11:19:19 27648 --a
C:\WINDOWS\system32\LP0301LinkFile.dll<LP0301~2.DLL>
2007-03-11 11:19:19 29184 --a
C:\WINDOWS\system32\LP0301Gestalt.dll<LP0301~3.DLL>
2007-03-11 11:19:18 28160 --a
C:\WINDOWS\system32\LP0301ResFork.dll<LP0301~1.DLL>
2007-03-10 19:17:32 0 d
C:\Program Files\Great Dialogue (Registered Version)<GREATD~1>
2007-03-09 17:02:35 503808 --a
C:\WINDOWS\system32\xreglib.dll
2007-03-09 16:20:30 0 d
C:\Documents and Settings\Mark Goulding\Application Data\Bitdefender<BITDEF~1>
2007-03-09 15:20:29 0 d
C:\Documents and Settings\All Users\Application Data\BitDefender<BITDEF~1>
2007-03-09 11:22:57 0 d
C:\Program Files\Babylon
2007-03-08 22:57:46 0 d
C:\Program Files\NoteTab Light<NOTETA~1>
2007-03-08 10:03:36 0 d
C:\Program Files\Visual Thesaurus 3<VISUAL~2>
2007-03-08 10:00:33 0 d--h
C:\Documents and Settings\Mark Goulding\InstallAnywhere<INSTAL~1>
2007-03-07 22:07:23 0 d
C:\Program Files\Sygate
2007-03-07 22:06:49 0 d
C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-07 18:28:31 56 --ahs---- C:\redir.sys
2007-03-07 18:28:30 0 d--h
C:\WINDOWS\page files<PAGEFI~1>
2007-03-07 18:28:29 0 d
C:\Program Files\Common Files\PACE Anti-Piracy<PACEAN~1>
2007-03-07 18:28:29 0 d
C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy<PACEAN~1>
2007-03-07 18:20:15 0 d
C:\Program Files\Word Menu 2.2<WORDME~1.2>
2007-03-07 08:43:24 1087 --a
C:\WINDOWS\PowerReg.dat
2007-03-06 13:40:11 118 --a
C:\WINDOWS\system32\Binder Functions.dll<BINDER~1.DLL>
2007-03-05 14:00:40 0 d
C:\Documents and Settings\Mark Goulding\Incomplete<INCOMP~1>
2007-03-05 13:36:57 0 d
C:\Program Files\Common Files\Java
2007-03-05 13:04:31 0 d
C:\Documents and Settings\Mark Goulding\Application Data\BitTorrent<BITTOR~1>
2007-03-05 10:26:56 174 --a
C:\WINDOWS\system\mspc.dll
2007-03-05 10:25:03 0 d
C:\Program Files\BB4
2007-03-05 02:38:54 0 d
C:\Program Files\Character Pro 5<CHARAC~2>
2007-03-05 01:49:38 8192 --a
C:\WINDOWS\system32\Vbprnt32.dll
2007-03-05 01:49:07 70656 --a
C:\WINDOWS\system32\Vspell32.dll
2007-03-05 01:49:02 8192 --a
C:\WINDOWS\system32\mctc8n32.dll
2007-03-05 01:48:58 133904 --a
C:\WINDOWS\system32\Mfcans32.dll
2007-03-05 01:48:37 640512 --a
C:\WINDOWS\system32\Oc30.dll
2007-03-05 01:47:01 0 d
C:\Program Files\Writers Blocks<WRITER~2>
2007-03-04 23:06:19 0 d
C:\Program Files\Ashleywilde<ASHLEY~1>
2007-03-04 17:48:02 0 d
C:\My Shared Folder<MYSHAR~1>
2007-03-04 17:24:06 0 d
C:\Program Files\eMule
2007-03-03 23:29:06 0 d
C:\Program Files\FreeMind
2007-02-26 20:26:25 0 d
C:\Program Files\Movie Magic Screenwriter<MOVIEM~3>
-- Find3M Report
2007-03-20 12:08:44 81984 --a
C:\WINDOWS\system32\bdod.bin
2007-03-18 20:57:31 0 d
C:\Program Files\WordWeb
2007-03-18 19:39:37 0 d
C:\Program Files\iTunes
2007-03-18 19:32:40 0 d
C:\Program Files\Eraser
2007-03-17 00:06:25 0 d
C:\Program Files\yWriter2
2007-03-17 00:01:42 0 d
C:\Program Files\Sonar2
2007-03-17 00:00:18 0 d
C:\Program Files\RoughDraft<ROUGHD~1>
2007-03-16 23:49:01 0 d
C:\Program Files\Scriptware for Windows********~1>
2007-03-16 23:43:56 0 d
C:\Program Files\WritePro
2007-03-16 23:40:25 0 d
C:\Program Files\KeyNote
2007-03-16 14:15:30 0 d
C:\Documents and Settings\Mark Goulding\Application Data\Lavasoft
2007-03-16 14:15:18 0 d
C:\Program Files\Lavasoft
2007-03-14 10:25:49 0 d
C:\Program Files\Individual Software<INDIVI~1>
2007-03-14 10:25:49 0 d
C:\Program Files\Common Files\Individual Software<INDIVI~1>
2007-03-10 13:30:53 0 d
C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-03-09 17:47:08 2508 --a
C:\Documents and Settings\Mark Goulding\Application Data\$_hpcst$.hpc
2007-03-09 13:43:51 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2007-03-08 23:17:52 32 --a
C:\Documents and Settings\Mark Goulding\Application Data\ntl.ini
2007-03-07 09:06:50 0 d
C:\Program Files\Screenplay Systems<SCREEN~1>
2007-03-07 09:06:50 0 d
C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-03-05 21:54:06 0 d
C:\Program Files\StoryCraft30<STORYC~1>
2007-03-05 14:53:40 0 d
C:\Documents and Settings\Mark Goulding\Application Data\XnView
2007-03-05 13:58:22 4010 --a----c- C:\WINDOWS\mozver.dat
2007-03-05 13:57:36 0 d
C:\Program Files\Java
2007-02-26 20:31:13 0 d--h
C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-22 04:02:08 0 d
C:\Documents and Settings\Mark Goulding\Application Data\AdobeUM
2007-02-14 17:44:59 0 d
C:\Documents and Settings\Mark Goulding\Application Data\Greyfirst<GREYFI~1>
2007-02-02 22:34:05 52272 --a
C:\WINDOWS\googletoolbar4user.exe<GOOGLE~1.EXE>
2007-01-31 14:45:23 0 d
C:\Program Files\iPod
2007-01-31 13:13:51 0 d
C:\Program Files\TalkingAlarm<TALKIN~1>
2007-01-31 03:50:07 0 d
C:\Program Files\ATnotes
2007-01-31 03:46:25 0 d
C:\Program Files\HistoryKill<HISTOR~1>
2007-01-31 03:29:51 0 d
C:\Program Files\PC-Doctor for Windows<PC-DOC~1>
2007-01-30 20:47:19 0 d
C:\Program Files\Windows Installer Clean Up<WI91E2~1>
2007-01-30 20:47:19 0 d---s---- C:\Documents and Settings\Mark Goulding\Application Data\Microsoft<MICROS~1>
2007-01-30 20:46:07 0 d
C:\Program Files\MSECACHE
2007-01-30 15:04:03 0 d
C:\Program Files\QuickTime<QUICKT~1>
2007-01-29 19:12:16 0 d
C:\Documents and Settings\Mark Goulding\Application Data\Apple Computer<APPLEC~1>
2007-01-29 17:32:38 0 d
C:\Program Files\SyncBackFREE<SYNCBA~1>
2007-01-27 23:31:04 0 d
C:\Program Files\Google
2007-01-27 23:26:38 0 d
C:\Program Files\XnView
2007-01-27 23:11:27 0 d
C:\Documents and Settings\Mark Goulding\Application Data\aignes
2007-01-20 00:55:32 2403392 -ra
C:\WINDOWS\GoogleToolbar4.dll<GOOGLE~4.DLL>
2007-01-08 20:01:14 17408 --a
C:\WINDOWS\system32\corpol.dll
-- Registry Dump
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"TP4EX"="tp4ex.exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoCDBurning"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
-- End of Deckard's System Scanner: finished at 2007-03-20 at 12:23:04
Extra.txt
Deckard's System Scanner v20070318.32
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 766.98 MiB / 491.74 MiB
Pagefile Memory (total/avail): 1875.39 MiB / 1622.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1992.79 MiB
C: is Fixed (NTFS) - 35.62 GiB total, 18.49 GiB free.
D: is CDROM (No Media)
-- Security Center
AUOptions is disabled.
Windows Internal Firewall is enabled.
AV: BitDefender Antivirus v10 v7.2 (Softwin)
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mark Goulding\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_07\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=T30-LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mark Goulding
LOGONSERVER=\\T30-LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MARKGO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MARKGO~1\LOCALS~1\Temp
USERDOMAIN=T30-LAPTOP
USERNAME=Mark Goulding
USERPROFILE=C:\Documents and Settings\Mark Goulding
windir=C:\WINDOWS
-- User Profiles
Mark Goulding (admin)
Georgiana Goulding (admin)
Administrator (admin)
-- Add/Remove Programs
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access ThinkPad --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Active Disk --> C:\WINDOWS\unvise32.exe C:\Program Files\Iomega\AutoDisk\uninstal.log
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Photoshop 5.5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems AC'97 Modem --> agrsmdel
All Stats Lacrosse Planner --> C:\PROGRA~1\LaxPlan\UNWISE.EXE C:\PROGRA~1\LaxPlan\INSTALL.LOG
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AtomTime98 v2.1b --> "C:\WINDOWS\UNISTB32.EXE" /U "C:\Program Files\AtomTime\UNINST0.000" "C:\Program Files\AtomTime\UNINST1.000"
AVG Anti-Rootkit Beta --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitDefender Antivirus v10 --> MsiExec.exe /I{99E8DC90-F010-4352-8337-F97ECA347200}
Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Program\..\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\..\PhotoRecord\Program\uninstdll.dll"
Canon RAW Image Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
Canon Utilities File Viewer Utility 1.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F11A403B-0DE9-4953-B790-7A2F014FBB2B}
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Character Pro 5 --> C:\Program Files\Character Pro 5\uninstal.exe
Cubemaster Gold v4.3 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Cubemaster Gold\irunin.ini"
Doc Scrubber v1.1 --> "C:\Program Files\Doc Scrubber\unins000.exe"
Dramatica Pro 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Screenplay Systems\Dramatica Pro\Uninst.isu"
Dramatica Story Wizard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{45F0BB1F-BF4D-4BBB-910D-80228D8D6652}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Eraser --> "C:\Program Files\Eraser\unins000.exe"
ffdshow (remove only) --> "C:\Program Files\codecs\ffdshow\uninstall.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\windows\googletoolbar4.dll"
Great Dialogue (Registered Version) --> MsiExec.exe /I{861601BF-B60A-4e17-9DC0-0E34FE2170F3}
GRiM Software --> C:\MusingsSetup\SXUNINST.EXE
High Rate Wireless LAN Mini-PCI Adapter with Modem II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D75BEE78-1859-4616-9376-05550126EA60}\Setup.exe" -l0x9 -uninst
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
IBM Access Support --> wscript "C:\Program Files\Support.com\bin\uninstall.vbs" -uninstall -release1
IBM Rapid Restore PC Setup --> MsiExec.exe /X{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}
IBM RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\Unbmm.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE"
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
IBM Update Connector --> MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
Inspiration 8 Trial --> C:\WINDOWS\unvise32.exe C:\Program Files\Inspiration\uninstal.log
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
IomegaWare 4.0.2 --> C:\WINDOWS\unvise32.exe C:\Program Files\Iomega\uninstal.log
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod shuffle Reset Utility --> MsiExec.exe /X{4BA8EF5E-D46A-454A-93AE-087D4A44CB74}
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KeyNote 1.6.5 --> "C:\Program Files\KeyNote\unins000.exe"
L&H TTS3000 British English --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSENG.inf, Uninstall
Lacrosse Planner Update --> C:\PROGRA~1\LaxPlan\UNWISE.EXE C:\PROGRA~1\LaxPlan\INSTALL.LOG
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\Plugins\INSTALL.LOG
Logitech MouseWare 9.41 .1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\SETUP.EXE" -l0009 UNINSTALL
Logitech User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\SETUP.EXE" UNINSTALL
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSa22.inf, Uninstall
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Movie Magic Screenwriter --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D8A75A0-6097-41EC-AE41-AB5505DC3384}
Mozilla Firefox (2.0.0.2) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MRU-Blaster v1.5 (Database 3/28/2004) --> "C:\Program Files\MRU-Blaster\unins000.exe"
Musings 2.0 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Musings\ST6UNST.LOG"
NoteTab Light (Remove only) --> "C:\Program Files\NoteTab Light\unins000.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pardon 3.1 --> "C:\Program Files\Pardon 3\unins000.exe"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Random House Webster's Unabridged Dictionary --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Random House, Inc.\Random House Webster's Unabridged Dictionary\Uninst.isu"
ReadPlease 2003/ReadPlease PLUS 2003 --> "C:\Program Files\ReadPlease 2003\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RoughDraft 3.0 --> "C:\Program Files\RoughDraft\uninstall.exe"
Scriptware for Windows --> C:\PROGRA~1\SCRIPT~1\UNSW.EXE C:\PROGRA~1\SCRIPT~1\INSTALL.LOG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sonar2 --> "C:\Program Files\Sonar2\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Storybase --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
StoryView 2.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Screenplay Systems\StoryView 2.0\Uninst.isu"
StuffIt Standard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{40ABF1E0-8B6F-4D32-B343-E19FA2F04B3C}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
SyncBack --> "C:\Program Files\SyncBackFREE\unins000.exe"
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
Uninstall PC-Doctor --> C:\PROGRA~1\PC-DOC~1\AdminCheck.exe
Visual Thesaurus 3 --> "C:\Program Files\Visual Thesaurus 3\Uninstall_Visual Thesaurus 3\Uninstall Visual Thesaurus 3.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Word Menu 2.2 --> MsiExec.exe /X{2A38D72E-1225-493D-AEE9-6BB2653EF19C}
WordWeb Pro --> C:\Program Files\WordWeb\uninst.exe
Writer's Blocks 2.0 --> C:\PROGRA~1\WRITER~2\UNWISE.EXE C:\PROGRA~1\WRITER~2\INSTALL.LOG
WriteWay 1.6 --> "C:\Program Files\WriteWay\SETUP\setup.exe" /u
XnView 1.82.4 --> "C:\Program Files\XnView\unins000.exe"
yWriter2 --> "C:\Program Files\yWriter2\unins000.exe"
-- End of Deckard's System Scanner: finished at 2007-03-20 at 12:23:04
Please download SmitfraudFix (by S!Ri) to your Desktop.
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
SmitFraudFix v2.150
Scan done at 13:51:50.12, Tue 03/20/2007
Run from C:\Documents and Settings\Mark Goulding\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark Goulding
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mark Goulding\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MARKGO~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Next, please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exeSelect option #2 - Clean by typing 2 and press "Enter" to delete infected files.
_________
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
SmitFraudFix v2.150
Scan done at 18:29:06.06, Tue 03/20/2007
Run from C:\Documents and Settings\Mark Goulding\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
_____________
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.C:\WINDOWS\SYSTEM32\directx.exe
____________
Please run a BitDefender Online Scan