Malware Problem - HJT Log attached
Hi there.
I've got serious trouble.
Some exe files are continuously injected into the C:\Documents and Settings\Owner\Local Data\Temp folder (Owner is the profile in use).
I went into safe mode and removed them, and thought it was cleaned. But they came back again.
I was scanning via the MicroTrend Online Scanner, and my browser was killed when the new EXE was generated and run.
I went to check the System32 folder and found one piece of Korean software by Hanbiton. I deleted the file, unfortunately.
NDG2yE6Q.exe and 25fqf1rh.exe are the two files currently running. I can't stop them for some reason.
Please help. What should I do?
Thanks.
WoodyRoundUp
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:46 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\25fqf1rh.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5497 bytes
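The two indicators described in the post (executables launched from the profile's Temp folder, and the same image running several times) and the run of hourly At*.job tasks that shows up in the DSS log posted further down can be pulled out of the pasted logs mechanically. The following is an added example, not code from the thread, from HijackThis or from DSS; it parses the HijackThis "Running processes" block and the DSS "-- Scheduled Tasks" block on constructed samples built from the posted entries (the DSS attribute column is assumed, and all function names are the example's own).

```python
"""Added example, not from the thread: triage the "Running processes" block of a
HijackThis v2 log and the "-- Scheduled Tasks" block of a DSS main.txt."""
import re
from collections import Counter

# Constructed sample in HijackThis v2.0.2 format; the paths are from the posted log.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\25fqf1rh.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NDG2yE6Q.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Constructed sample of a DSS Scheduled Tasks block (attribute column assumed).
# DSS writes one entry per line; the forum copy was wrapped so that the path
# landed on the next line, and the second entry below shows that form.
SAMPLE_DSS = r"""-- Scheduled Tasks
2008-05-04 11:00:00      350 --a------ C:\WINDOWS\Tasks\At12.job
2008-05-04 10:00:00      350 --a------
C:\WINDOWS\Tasks\At11.job
2008-05-04 03:00:00      350 --a------ C:\WINDOWS\Tasks\At4.job
2008-04-22 11:44:05      390 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1206146631.job

-- Files created between 2008-04-04 and 2008-05-04
2008-05-01 15:42:58      186 --ah----- C:\Documents and Settings\Owner\Application Data\hpothb07.dat
"""

HJT_ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")   # R0, O2, O23 ... lines end the process list
DSS_TASK = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*(.*)$")
AT_JOB = re.compile(r"^At(\d+)\.job$", re.IGNORECASE)


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and (not line or HJT_ENTRY.match(line)):
            break
        elif in_block:
            paths.append(line)
    return paths


def flag_temp_processes(paths):
    """Images running from a Temp directory, in long or 8.3 (LOCALS~1) form."""
    return [p for p in paths if re.search(r"\\temp\\", p, re.IGNORECASE)]


def repeated_images(paths, min_count=2):
    """Case-folded image paths that appear at least min_count times."""
    counts = Counter(p.lower() for p in paths)
    return {p: n for p, n in counts.items() if n >= min_count}


def parse_dss_tasks(dss_text):
    """Return (timestamp, size, attrs, path) tuples from the Scheduled Tasks block."""
    tasks, in_block, pending = [], False, None
    for line in dss_text.splitlines():
        line = line.strip()
        if line.startswith("-- "):             # every "-- " line opens a new DSS section
            in_block = line == "-- Scheduled Tasks"
        elif not in_block or not line:
            continue
        elif pending is not None:              # wrapped entry: this line is the path
            tasks.append(pending + (line,))
            pending = None
        else:
            m = DSS_TASK.match(line)
            if m and m.group(4):
                tasks.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            elif m:
                pending = (m.group(1), int(m.group(2)), m.group(3))
    return tasks


def flag_hourly_at_jobs(tasks, min_jobs=3):
    """Names of At<N>.job tasks in numeric order when at least min_jobs exist and
    all share one file size (a run of identical jobs created with the at
    command, as in the posted log); otherwise an empty list."""
    found = []
    for _stamp, size, _attrs, path in tasks:
        name = path.rsplit("\\", 1)[-1]
        m = AT_JOB.match(name)
        if m:
            found.append((int(m.group(1)), size, name))
    if len(found) < min_jobs or len({size for _, size, _ in found}) != 1:
        return []
    return [name for _, _, name in sorted(found)]
```

Running the three flag functions over a real pasted log gives a short list to compare against the HijackThis process list and the DSS task block before any fix is attempted.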
Comments
Vundo type infection activity shows there. Let's get a more current and detailed view of things, then start repairs.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
You can use extra posts here if needed for that.
Sorry for taking so long to send the logs to you.
But here they are.
Main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-04 11:09:56
Computer is in Normal Mode.
Backed up registry hives.
-- HijackThis (run as Owner.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:52 AM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5175 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)
backup-20080421-012814-519 O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
backup-20080421-012814-602 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
-- File Associations
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 XDva098 - c:\windows\system32\xdva098.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>
-- Device Manager: Disabled
No disabled devices found.
-- Scheduled Tasks
2008-05-04 11:00:00 350 --a C:\WINDOWS\Tasks\At12.job
2008-05-04 10:00:00 350 --a C:\WINDOWS\Tasks\At11.job
2008-05-04 03:00:00 350 --a C:\WINDOWS\Tasks\At4.job
2008-05-04 02:00:00 350 --a C:\WINDOWS\Tasks\At3.job
2008-05-04 01:00:00 350 --a C:\WINDOWS\Tasks\At2.job
2008-05-04 00:34:00 350 --a C:\WINDOWS\Tasks\At1.job
2008-05-03 23:00:00 350 --a C:\WINDOWS\Tasks\At24.job
2008-05-03 22:00:00 350 --a C:\WINDOWS\Tasks\At23.job
2008-05-03 21:00:00 350 --a C:\WINDOWS\Tasks\At22.job
2008-05-03 20:00:00 350 --a C:\WINDOWS\Tasks\At21.job
2008-05-03 19:00:00 350 --a C:\WINDOWS\Tasks\At20.job
2008-05-03 18:00:00 350 --a C:\WINDOWS\Tasks\At19.job
2008-05-03 17:00:00 350 --a C:\WINDOWS\Tasks\At18.job
2008-05-03 16:00:00 350 --a C:\WINDOWS\Tasks\At17.job
2008-05-03 15:00:00 350 --a C:\WINDOWS\Tasks\At16.job
2008-05-03 14:00:00 350 --a C:\WINDOWS\Tasks\At15.job
2008-05-03 13:00:00 350 --a C:\WINDOWS\Tasks\At14.job
2008-05-03 12:00:00 350 --a C:\WINDOWS\Tasks\At13.job
2008-05-03 09:00:00 350 --a C:\WINDOWS\Tasks\At10.job
2008-05-03 08:00:00 350 --a C:\WINDOWS\Tasks\At9.job
2008-05-03 07:00:00 350 --a C:\WINDOWS\Tasks\At8.job
2008-05-03 06:00:00 350 --a C:\WINDOWS\Tasks\At7.job
2008-05-03 05:00:00 350 --a C:\WINDOWS\Tasks\At6.job
2008-05-03 04:00:00 350 --a C:\WINDOWS\Tasks\At5.job
2008-04-22 11:44:05 390 --a C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1206146631.job
-- Files created between 2008-04-04 and 2008-05-04
2008-05-01 15:42:58 186 --ah C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2008-04-21 22:12:24 0 d C:\Documents and Settings\Owner\.housecall6.6
2008-04-21 21:25:13 0 d C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-04-21 21:24:54 0 d C:\Program Files\Lavasoft
2008-04-21 01:38:31 0 d C:\WINDOWS\Sun
2008-04-21 01:38:31 0 d C:\Documents and Settings\Owner\Application Data\Sun
2008-04-21 01:37:15 0 d C:\Program Files\Java
2008-04-21 01:36:47 0 d C:\Program Files\Common Files\Java
2008-04-21 01:20:19 106 --a C:\delete.bat
2008-04-21 01:15:02 0 d C:\Program Files\Trend Micro
2008-04-20 23:39:02 0 d C:\WINDOWS\pss
2008-04-10 17:56:29 1722880 --a C:\c
2008-04-09 22:40:40 0 d C:\Program Files\Microsoft Visual Studio 8
2008-04-09 22:40:40 0 d C:\Program Files\Common Files\Merge Modules
2008-04-09 22:40:39 0 d C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-09 22:40:03 0 d C:\Program Files\SQLXML 4.0
2008-04-09 20:20:18 0 d C:\Program Files\Microsoft Analysis Services
2008-04-09 20:19:48 0 d C:\Program Files\Microsoft.NET
2008-04-09 20:11:56 0 d C:\Program Files\Microsoft SQL Server
2008-04-09 20:09:17 0 d C:\Program Files\DAEMON Tools Lite
2008-04-09 20:05:47 717296 --a C:\WINDOWS\system32\drivers\sptd.sys
2008-04-09 20:05:43 0 d C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-04-09 19:47:54 0 d C:\Documents and Settings\RemoteUser\Application Data\Identities
2008-04-09 19:47:37 0 d--h C:\Documents and Settings\RemoteUser\Templates
2008-04-09 19:47:37 0 dr C:\Documents and Settings\RemoteUser\Start Menu
2008-04-09 19:47:37 0 dr-h C:\Documents and Settings\RemoteUser\SendTo
2008-04-09 19:47:37 0 dr-h C:\Documents and Settings\RemoteUser\Recent
2008-04-09 19:47:37 0 d--h C:\Documents and Settings\RemoteUser\PrintHood
2008-04-09 19:47:37 0 d--h C:\Documents and Settings\RemoteUser\NetHood
2008-04-09 19:47:37 0 dr C:\Documents and Settings\RemoteUser\My Documents
2008-04-09 19:47:37 0 d--h C:\Documents and Settings\RemoteUser\Local Settings
2008-04-09 19:47:37 0 dr C:\Documents and Settings\RemoteUser\Favorites
2008-04-09 19:47:37 0 d C:\Documents and Settings\RemoteUser\Desktop
2008-04-09 19:47:37 0 d---s---- C:\Documents and Settings\RemoteUser\Cookies
2008-04-09 19:47:37 0 dr-h C:\Documents and Settings\RemoteUser\Application Data
2008-04-09 19:47:37 0 d---s---- C:\Documents and Settings\RemoteUser\Application Data\Microsoft
2008-04-09 19:47:36 786432 --ah C:\Documents and Settings\RemoteUser\NTUSER.DAT
2008-04-09 17:20:59 54864 --a C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-09 17:00:06 0 d C:\Documents and Settings\All Users\Application Data\Avery
2008-04-05 22:34:41 0 d C:\Program Files\Common Files\Macromedia
2008-04-05 22:33:26 0 d C:\Program Files\Macromedia
-- Find3M Report
2008-05-01 15:42:58 263 --ah C:\Documents and Settings\Owner\Application Data\hpothb07.tif
2008-04-26 23:50:31 0 d C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-23 20:08:44 0 d C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-21 01:36:47 0 d C:\Program Files\Common Files
2008-04-09 17:11:28 0 d--h C:\Program Files\InstallShield Installation Information
2008-04-05 18:42:01 0 d C:\Documents and Settings\Owner\Application Data\MSN6
2008-04-02 21:03:29 22720 --a C:\WINDOWS\system32\emptyregdb.dat
2008-04-02 12:56:59 0 d C:\Program Files\Microsoft ActiveSync
2008-04-01 09:37:24 0 d C:\Program Files\Common Files\Adobe
2008-03-31 12:12:20 0 d C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-03-31 12:12:09 0 d C:\Program Files\GlobalSCAPE
2008-03-29 09:48:18 0 d C:\Program Files\K-Lite Codec Pack
2008-03-29 09:48:12 0 d C:\Documents and Settings\Owner\Application Data\Real
2008-03-23 12:10:31 2935 --a C:\WINDOWS\mozver.dat
2008-03-22 10:50:50 0 d C:\Program Files\Common Files\Adobe Systems Shared
2008-03-22 10:44:50 0 d C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-03-22 10:43:50 20454 --a C:\WINDOWS\hpoins01.dat
2008-03-22 10:43:37 0 d C:\Program Files\Hewlett-Packard
2008-03-22 10:40:31 0 d C:\Program Files\Common Files\Hewlett-Packard
2008-03-22 10:18:11 0 d C:\Program Files\Microsoft CRM 4.0 - CTP3 - VPC
2008-03-21 16:19:47 0 --a C:\WINDOWS\nsreg.dat
2008-03-21 16:18:38 0 d C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-19 08:25:09 0 d C:\Program Files\Symantec
2008-03-19 08:25:00 0 d C:\Program Files\NavNT
2008-03-19 08:24:47 0 d C:\Program Files\Common Files\Symantec Shared
2008-03-18 21:23:10 0 d C:\Documents and Settings\Owner\Application Data\Macromedia
2008-03-18 11:22:53 0 d C:\Program Files\Windows Live
2008-03-18 11:22:23 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-18 11:19:27 0 d C:\Documents and Settings\Owner\Application Data\WinRAR
2008-03-18 10:19:06 21504 --a C:\WINDOWS\jestertb.dll
2008-03-17 21:13:24 0 d C:\Program Files\NETGEAR
2008-03-09 20:40:58 0 d C:\Program Files\Common Files\ODBC
2008-03-09 20:40:55 0 d C:\Program Files\Common Files\SpeechEngines
2008-03-09 20:40:35 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2008-03-09 11:02:30 0 d C:\Program Files\Messenger
2008-03-09 10:00:10 0 d C:\Documents and Settings\Owner\Application Data\Identities
2008-03-09 09:57:06 0 d C:\Program Files\microsoft frontpage
2008-03-09 09:56:58 0 -rahs---- C:\MSDOS.SYS
2008-03-09 09:56:58 0 -rahs---- C:\IO.SYS
2008-03-09 09:56:58 0 --a C:\CONFIG.SYS
2008-03-09 09:55:09 0 d C:\Program Files\Common Files\MSSoap
2008-03-09 09:54:13 0 d--h C:\Program Files\WindowsUpdate
2008-03-09 09:54:13 0 d C:\Program Files\Online Services
2008-03-09 09:54:05 0 d C:\Program Files\MSN Gaming Zone
2008-03-09 08:50:22 0 d C:\Program Files\IDETOOL
2008-03-09 08:50:22 0 --a C:\AUTOEXEC.BAT
2008-03-09 08:47:27 0 d C:\Program Files\Realtek
2008-03-09 08:47:21 0 d C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-09 08:30:11 0 d C:\Program Files\Movie Maker
2008-03-09 08:28:46 0 d C:\Program Files\Windows NT
2008-03-09 07:25:16 0 d C:\Program Files\VIA
2008-03-09 07:24:56 0 d C:\Program Files\Common Files\InstallShield
2008-03-09 07:24:10 0 d C:\Program Files\Realtek Sound Manager
2008-03-09 07:24:09 0 d C:\Program Files\AvRack
2008-03-09 07:24:04 0 d C:\Program Files\Realtek AC97
2008-03-04 11:33:18 7680 --a C:\WINDOWS\system32\ff_vfw.dll
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 09:32 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 10:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 10:00 PM]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [04/26/2005 10:22 AM]
"nwiz"="nwiz.exe" [12/05/2007 12:41 AM C:\WINDOWS\system32\nwiz.exe]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/2001 06:59 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 10:00 PM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 03:22 PM C:\WINDOWS\soundman.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/05/2007 12:41 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 12:41 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 07:39 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 12:19:50 AM]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [4/9/2003 5:21:38 PM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 5:11:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
NETGEAR WG111v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v3\WG111v3.exe [9/12/2007 2:14:42 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0857b8de-ed65-11dc-821f-806d6172696f}]
AutoRun\command- E:\setup.exe
-- Hosts
192.168.0.100 dev.onlinegamez.com.au
-- End of Deckard's System Scanner: finished at 2008-05-04 11:11:46
Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Celeron(R) CPU 3.06GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1023.48 MiB / 718.2 MiB
Pagefile Memory (total/avail): 2460.24 MiB / 2043.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.71 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 11.29 GiB free.
D: is Fixed (NTFS) - 54.99 GiB total, 14.88 GiB free.
E: is CDROM (No Media)
F: is Fixed (NTFS) - 37.27 GiB total, 33.05 GiB free.
G: is Fixed (NTFS) - 189.92 GiB total, 15.36 GiB free.
H: is CDROM (No Media)
\\.\PHYSICALDRIVE1 - - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:
\\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 54.99 GiB - D:
\\.\PHYSICALDRIVE2 - Maxtor OneTouch III USB Device - 189.92 GiB - 1 partition
\PARTITION0 - Installable File System - 189.92 GiB - G:
-- Security Center
AUOptions is disabled.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntivirusOverride is set.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CYGLYNXSERVER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
lib=C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\CYGLYNXSERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=CYGLYNXSERVER
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
-- User Profiles
Owner (admin)
RemoteUser (new local, admin)
ASPNET
-- Add/Remove Programs
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
CuteFTP 6 Professional --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
DesignPro Business Cards SE --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2797D1CC-B68F-4098-96EF-E45700A3335C} /l1033
Granado Espada --> "F:\Granado Espada\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Mega Codec Pack 3.8.5 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Dreamweaver 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall
Macromedia Fireworks 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8833100-1481-11D4-9731-00C04F8EEB39}\setup.exe" UNINSTALL
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 --> MsiExec.exe /I{2373A92B-1C1C-4E71-B494-5CA97F96AA19}
Microsoft SQL Server 2005 Analysis Services --> MsiExec.exe /I{982DB00A-9C4E-436B-8707-18E113BAA44C}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{90032DD0-ABEE-4424-AC1E-B076BDD4E350}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
NETGEAR WG111v3 wireless USB 2.0 adapter --> C:\Program Files\InstallShield Installation Information\{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}\setup.exe -runfromtemp -l0x0409
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
Realtek AC'97 Audio --> Alcrmv.exe -r -m
REALTEK GbE & FE Ethernet PCI NIC Driver --> C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\Setup.exe -runfromtemp -l0x0009 -removeonly
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
VIA Bus Master Ultra ATA Driver (Remove) --> RunDll32 VIAIDE2K.dll,UninstallIDE
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
-- Application Event Log
Event Record #/Type5732 / Error
Event Submitted/Written: 05/02/2008 03:46:51 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Photoshop.exe, version 9.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type5349 / Success
Event Submitted/Written: 04/27/2008 00:15:35 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type5257 / Success
Event Submitted/Written: 04/23/2008 01:27:03 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
Event Record #/Type5173 / Warning
Event Submitted/Written: 04/23/2008 02:14:29 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type5161 / Success
Event Submitted/Written: 04/22/2008 06:07:51 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type7726 / Error
Event Submitted/Written: 05/04/2008 11:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At12.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7724 / Error
Event Submitted/Written: 05/04/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7686 / Error
Event Submitted/Written: 05/04/2008 03:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At4.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7685 / Error
Event Submitted/Written: 05/04/2008 02:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At3.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7684 / Error
Event Submitted/Written: 05/04/2008 01:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At2.job command failed to start due to the following error:
%%2147942402
-- End of Deckard's System Scanner: finished at 2008-05-04 11:11:46
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.
One bit of manual change - go to Control Panel - Scheduled Tasks, and delete all those AT# malware created tasks there.
Download SDFix.exe and save it to your desktop.
Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the MBAM log and the SDFix report.txt log please.
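The System Event Log block in the Extra.txt above is what the "delete all those AT# tasks" step is aimed at: five Schedule/7901 records saying an At#.job "failed to start" with the error rendered only as the placeholder %%2147942402. That decimal is the HRESULT 0x80070002, a FACILITY_WIN32 wrapper around Win32 error 2 (ERROR_FILE_NOT_FOUND): the job fired on schedule but whatever it was set to launch is no longer on disk, so the task entries outlived their payload and would launch it again if it came back. The script below is an added example written for this page, not code from the thread, DSS or any of the tools named in it. It parses a DSS event-log section, decodes the %%N placeholders, lists the tasks that failed to launch, and emits the matching schtasks.exe deletion lines for XP Professional. The sample log is a constructed, trimmed copy of the posted section (two of the five At#.job records plus one unrelated record added to show the filter), and it assumes the AT-created jobs are visible to schtasks under their "AtN" names.

```python
import re

# Constructed sample input: two of the five Schedule/7901 records from the
# DSS Extra.txt above, plus one unrelated record (constructed) so the filter
# has something to reject. The DSS trailer line is included on purpose.
SAMPLE_LOG = """\
-- System Event Log
Event Record #/Type7726 / Error
Event Submitted/Written: 05/04/2008 11:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At12.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7724 / Error
Event Submitted/Written: 05/04/2008 10:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At11.job command failed to start due to the following error:
%%2147942402
Event Record #/Type7700 / Success
Event Submitted/Written: 05/04/2008 09:30:00 AM
Event ID/Source: 6005 / eventlog
Event Description:
The Event log service was started.
-- End of Deckard's System Scanner: finished at 2008-05-04 11:11:46
"""

# Win32 error codes a Task Scheduler launch failure commonly wraps.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
}
FACILITY_WIN32 = 7


def decode_event_error(token):
    """Decode a '%%N' placeholder into (hresult, win32_code, name).

    N is the decimal HRESULT the Event Log could not render. A failed
    HRESULT (top bit set) with facility 7 carries a Win32 error code in
    its low 16 bits; anything else is reported as not Win32-wrapped.
    """
    hresult = int(token.lstrip("%")) & 0xFFFFFFFF
    failed = bool(hresult & 0x80000000)
    facility = (hresult >> 16) & 0x7FF
    code = hresult & 0xFFFF
    if failed and facility == FACILITY_WIN32:
        return hresult, code, WIN32_ERRORS.get(code, "unlisted Win32 error")
    return hresult, None, "not a Win32-wrapped HRESULT"


def parse_events(text):
    """Split a DSS event-log section into dicts: type, time, id, source, description."""
    records = []
    for chunk in re.split(r"(?m)^Event Record #/Type", text)[1:]:
        lines = chunk.splitlines()
        rec = {"type": lines[0].split("/")[-1].strip(), "description": ""}
        in_desc = False
        for line in lines[1:]:
            if line.startswith("-- "):  # next DSS section or the trailer line
                break
            if in_desc:
                rec["description"] += line + "\n"
            elif line.startswith("Event Submitted/Written:"):
                rec["time"] = line.split(":", 1)[1].strip()
            elif line.startswith("Event ID/Source:"):
                eid, src = line.split(":", 1)[1].split("/", 1)
                rec["id"], rec["source"] = int(eid), src.strip()
            elif line.startswith("Event Description:"):
                in_desc = True
        rec["description"] = rec["description"].strip()
        records.append(rec)
    return records


TASK_RE = re.compile(r"The (?P<job>\S+)\.job command failed to start")
ERR_RE = re.compile(r"%%\d+")


def failed_scheduled_tasks(text):
    """Map each task the scheduler could not launch to (win32_code, name).

    Only Schedule/7901 records count. The '.job' suffix is dropped so the
    key matches the task name schtasks /query shows ('AtN' for AT jobs).
    """
    result = {}
    for rec in parse_events(text):
        if rec.get("source") != "Schedule" or rec.get("id") != 7901:
            continue
        m = TASK_RE.search(rec["description"])
        if not m:
            continue
        e = ERR_RE.search(rec["description"])
        _, code, name = decode_event_error(e.group(0)) if e else (None, None, "no code")
        result[m.group("job")] = (code, name)
    return result


def removal_commands(task_names):
    """cmd.exe lines for XP Pro's schtasks.exe, one per task (assumed names).

    'at /delete /yes' would drop every AT job in one go; listing them keeps
    the record of exactly what was removed.
    """
    return [f'schtasks /delete /tn "{t}" /f' for t in sorted(task_names)]


if __name__ == "__main__":
    tasks = failed_scheduled_tasks(SAMPLE_LOG)
    for task, (code, name) in tasks.items():
        print(f"{task}: Win32 error {code} ({name})")
    print("\n".join(removal_commands(tasks)))
```

Run `at` (no arguments) before deleting: it prints each AT job's ID, schedule and command line, which tells you what the jobs were launching and where, and that is worth keeping alongside the logs you post back. The decoder deliberately refuses to name codes it does not know (E_FAIL and friends come back as "not a Win32-wrapped HRESULT" or "unlisted Win32 error") rather than guessing.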