Infection is showing there, so let's start repairs.
First follow the steps here to disable SpyBot's TeaTimer, as it will interfere with the repairs. Be sure to do all the steps, including the required reboot. If you have any difficulties accomplishing those then please go ahead and uninstall SpyBot - TeaTimer has been causing too many problems in repairs to make it worth any extra effort while we do them. You can always reinstall it after if you choose to.
Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs. This is especially true of Spyware Doctor, so be sure to shut that down and leave it that way until all repairs are finished here.
Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore, Temp Cleanup, Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
I got the malware downloaded and installed but, when I tried doing that last part you said to do: copy and paste "%userprofile%\desktop\dss.exe" /config it said that it couldn't find it?
Shoot. To do this work for many people we rely often on the same procedures, so we save some of those and paste them, and sometimes post the wrong one. So, stepping back a step, here is the first part, where you actually download a dss.exe to have on your desktop. Do the following procedures now instead please:
Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore, Temp Cleanup, Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
I did that. It tried to download hijack this and install. It could not so it said in 30 seconds it will use its own. I allowed that. Hope that is ok. Please advise.
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
CPU 1: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 3317.54 MiB / 2548.14 MiB
Pagefile Memory (total/avail): 5201.3 MiB / 4636.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.85 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 148.96 GiB total, 110.64 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P - 149.01 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 148.96 GiB - C:
-- User Profiles
Ted Carpenter (admin)
LogMeInRemoteUser (admin)
LogMeInRemoteUser.TEDSDELL (new local, admin)
Test (admin)
Administrator (admin)
-- Add/Remove Programs
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\Your Uninstaller 2008\unins000.exe"
--> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{2BE0C605-9BEC-434D-9FAE-931194E72414}
--> MsiExec.exe /I{48A669A9-76FA-4CA8-BFD5-00C125AC4166}
--> MsiExec.exe /I{726A362E-EBFD-4C3F-8664-6593C2B08386}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{943CB81D-11B9-401E-8305-752528D00AA1}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
--> MsiExec.exe /I{E75F019D-98A0-4B39-B1A8-3A01400D2A18}
--> MsiExec.exe /X{F664EDB9-59DF-452A-A3D7-085ED1B8D374}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced System Optimizer 2.10 --> "C:\Program Files\Advanced System Optimizer\unins000.exe"
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
anagram --> "C:\Program Files\Textual\anagram\Uninstall.exe"
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
Audit Support Center 1.0 --> C:\Program Files\Audit Support Center\uninst.exe
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCBS Illustration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0C05B535-EE3A-4A9A-891D-9D28EDC885C0}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /i{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /I{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
Broadcom ASF Management Applications --> MsiExec.exe /I{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{FC57FC53-104C-415C-98D7-B05E659461A9}
Broadcom Management Programs --> MsiExec.exe /X{177D1318-3E4B-4A7C-A300-AC4E21BE090B}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Debugging Tools for Windows --> MsiExec.exe /I{F3ECED46-91CC-4F44-9917-9A20085D5D26}
Dell ETS Factory Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}\setup.exe" -l0x9
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DriveHQ FileManager 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8AD7E02-21AC-4057-95F9-7DB59FF57FC8}\Setup.exe"
DriveHQ Online Backup 4.0 --> C:\Program Files\InstallShield Installation Information\{8519BB8B-1A9D-4995-A73C-DA1B6316A6C5}\setup.exe -runfromtemp -l0x0009 -removeonly
DVDZip 3.1 --> "C:\Program Files\DVDZip 3.1\unins000.exe"
ePreserver --> MsiExec.exe /X{8403D1DE-5A9B-4769-A64F-C33C3F249900}
Golden Rule Individual Health 10.0 --> MsiExec.exe /I{8CF78C2E-B8D6-4DAA-A79C-28A9B157FB20}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GoToAssist 8.0.0.480 --> C:\Program Files\Citrix\GoToAssist\480\G2AUninstaller.exe /uninstall
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Individual Medical v2.0 --> MsiExec.exe /I{B6FC7F06-9EAA-4B73-8220-950DD43D99DD}
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (ACMIC) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
OneLife --> MsiExec.exe /X{63DBB89B-1A27-4913-93A0-4811111FC9D3}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
QuoteEz - CCP (AL) --> MsiExec.exe /I{A8CB24D0-C0C4-47E8-838E-93E71387B234}
QuoteEZ - PHP (AL) --> MsiExec.exe /I{367F3980-8FA0-4618-A8C2-2C2FB64D82BF}
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Roxio Media Manager --> MsiExec.exe /X{303379C9-8610-4CCF-AF37-C4BF8998C591}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spyware Detector --> "C:\Program Files\SpywareDetector\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Startup Faster! 2004 --> "C:\Program Files\Startup Faster 2004\unins000.exe"
SupportSpace Support Tools --> MsiExec.exe /I{1BBCEFD3-486C-480D-B536-52E5F4BF9E99}
The UniCare Agent Assistant --> MsiExec.exe /I{C7B4A635-DA18-47B1-99AD-14F600067AA7}
TurboTax Home & Business 2007 --> C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VistaPrint Electronic Business Card --> MsiExec.exe /X{253FCC55-E03D-40D4-A407-3470BE4101C0}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
-- Application Event Log
Event Record #/Type190 / Error
Event Submitted/Written: 04/26/2008 11:38:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]
Event Record #/Type185 / Error
Event Submitted/Written: 04/25/2008 11:10:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drivehqbackup.exe, version 4.0.0.252, faulting module drivehqbackup.exe, version 4.0.0.252, fault address 0x00038abe.
Processing media-specific event for [drivehqbackup.exe!ws!]
Event Record #/Type183 / Warning
Event Submitted/Written: 04/25/2008 10:52:43 PM
Event ID/Source: 19011 / MSSQL$ACMIC
Event Description:
(SpnRegister) : Error 1355
Event Record #/Type180 / Warning
Event Submitted/Written: 04/25/2008 10:51:24 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type178 / Warning
Event Submitted/Written: 04/25/2008 07:28:24 PM
Event ID/Source: 19011 / MSSQL$ACMIC
Event Description:
(SpnRegister) : Error 1355
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type24004 / Warning
Event Submitted/Written: 04/26/2008 02:52:08 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Event Record #/Type23994 / Error
Event Submitted/Written: 04/26/2008 11:50:25 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
Event Record #/Type23992 / Error
Event Submitted/Written: 04/26/2008 11:49:55 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
Event Record #/Type23991 / Error
Event Submitted/Written: 04/26/2008 11:49:32 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The sdservice service terminated unexpectedly. It has done this 1 time(s).
Event Record #/Type23973 / Warning
Event Submitted/Written: 04/26/2008 00:48:31 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 004005DFA989. The IP address being used is 169.254.65.132.
-- End of Deckard's System Scanner: finished at 2008-04-26 15:26:37
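Reading a pasted DSS extra.txt by eye is how these threads are worked; as an added example (not part of this thread and not code from the DSS tool), the script below parses the log layout shown above into its "-- Title" sections, Add/Remove Programs entries and event-log records, then flags uninstall entries with no program name, applications that crashed according to the Application Event Log, and any program names matching a caller-supplied watchlist. The sample log, the watchlist and the paths in it are constructed for the example.

```python
import re

# Constructed sample modelled on the DSS "extra.txt" layout posted above
# (a handful of entries, not the real log; paths are placeholders).
SAMPLE_EXTRA_LOG = r"""
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0

-- Add/Remove Programs
-->
--> "C:\Program Files\Your Uninstaller 2008\unins000.exe"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Spyware Detector --> "C:\Program Files\SpywareDetector\unins000.exe"
Startup Faster! 2004 --> "C:\Program Files\Startup Faster 2004\unins000.exe"

-- Application Event Log
Event Record #/Type190 / Error
Event Submitted/Written: 04/26/2008 11:38:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]
Event Record #/Type183 / Warning
Event Submitted/Written: 04/25/2008 10:52:43 PM
Event ID/Source: 19011 / MSSQL$ACMIC
Event Description:
(SpnRegister) : Error 1355

-- Security Event Log
No Errors/Warnings found.

-- End of Deckard's System Scanner: finished at 2008-04-26 15:26:37
"""

ARP_RE = re.compile(r"^(?P<name>.*?)\s*-->\s*(?P<cmd>.*)$")
EVENT_HEADER_RE = re.compile(r"^Event Record #/Type(?P<record>\d+) / (?P<type>\w+)$")
ID_SOURCE_RE = re.compile(r"^Event ID/Source: (?P<id>\d+) / (?P<source>.*)$")
FAULTING_APP_RE = re.compile(r"Faulting application (\S+),")


def split_sections(text):
    """Group the log into {section title: [lines]} using the '-- Title' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("-- "):
            current = line[3:].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_programs(lines):
    """Each Add/Remove entry is 'Name --> uninstall command'; name may be empty."""
    entries = []
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            entries.append((m.group("name").strip(), m.group("cmd").strip()))
    return entries


def parse_events(lines):
    """Turn the multi-line event records into dicts (record, type, id, source, description)."""
    events, cur, in_desc = [], None, False
    for line in lines:
        m = EVENT_HEADER_RE.match(line)
        if m:
            cur = {"record": int(m.group("record")), "type": m.group("type"),
                   "id": None, "source": None, "written": None, "description": []}
            events.append(cur)
            in_desc = False
            continue
        if cur is None:
            continue
        m = ID_SOURCE_RE.match(line)
        if line.startswith("Event Submitted/Written: "):
            cur["written"] = line.split(": ", 1)[1]
        elif m:
            cur["id"], cur["source"] = int(m.group("id")), m.group("source")
        elif line == "Event Description:":
            in_desc = True
        elif in_desc and line.strip():
            cur["description"].append(line)
    return events


def triage(text, watchlist=()):
    """Summarise one extra.txt: program inventory oddities, watchlist hits and crashes."""
    sections = split_sections(text)
    programs = parse_programs(sections.get("Add/Remove Programs", []))
    events = []
    for title, lines in sections.items():
        if title.endswith("Event Log"):
            for ev in parse_events(lines):
                ev["log"] = title
                events.append(ev)
    crashing = set()
    for ev in events:
        for desc in ev["description"]:
            m = FAULTING_APP_RE.search(desc)
            if m:
                crashing.add(m.group(1))
    return {
        "program_count": len(programs),
        # Entries with no display name are worth a look: nothing in the UI tells the user what they are.
        "nameless_uninstallers": [cmd for name, cmd in programs if not name],
        "watchlist_hits": [name for name, _ in programs
                           if any(w.lower() in name.lower() for w in watchlist)],
        "event_count": len(events),
        "error_count": sum(1 for ev in events if ev["type"] == "Error"),
        "crashing_apps": sorted(crashing),
    }


if __name__ == "__main__":
    # Watchlist is constructed for the example; choose your own names.
    summary = triage(SAMPLE_EXTRA_LOG, watchlist=("Spyware Detector", "Startup Faster"))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The parser keys purely on the layout of the posted log (the `-- Title` headers, the `-->` separator and the `Event Record #/Type` header), so it will need adjusting for other DSS versions; the point is to get the inventory and event records into a structure you can query rather than scroll through.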
MBAM seems to have targeted the more active part of the infection right off there. The logs suggest you may be a bit too involved in trying out software for tweaking the system, so just a word of caution when doing that. I hadn't seen that Startup Faster! 2004 software before, and am surprised it would be considered a good thing to use. As far as I can tell it misuses system functions to delay any software chosen from starting, without the user really knowing what effects that might have on things. Many programs give access to sensitive system functions that do better without that.
You also have Max Secure's Spyware Detector installed. This is moving into the rogue software range now, and is considered undesirable to use or keep. It also often makes its own uninstall difficult, so hopefully you won't run into that problem.
A last mention on tweaking: you have many services disabled through msconfig (maybe by one of those programs). This is without doubt the wrong way to make software changes, and will cause conflicts and issues, especially with security software like AVG and Spyware Doctor. Things will not work right and you will just not know why with it this way.
Assuming not all of those Trusted Zone items are your choices, download and run DELDOMAINS (right-click the link and select Save Link/Target As), then double-click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu. You may only see the desktop flicker when the fix makes the corrections.
Uninstall whatever you choose to now, but also, for the needed uninstalling, go here and download the latest version of Sun Java Runtime Environment (JRE) 6 Update 6. The current file name for that is jre-6u6-windows-i586-p.exe. I recommend you choose to download the "Windows Offline Installation" by clicking on that file to download it.
When you have done that, go to Add/Remove Programs in Control Panel and uninstall all versions of Java/JRE (Sun Java Runtime Environment/J2SE Runtime Environment) and reboot. Then click that downloaded jre-6u6-windows-i586-p.exe to install the latest Java version there, being sure to reboot after.
Then we still need to get an additional scan for malware there. Be sure to keep any security software disabled during this scan to allow it to complete.
Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
For now just post that log, as well as any feedback on my earlier comments please.
Would you recommend using that MBAM instead of AVG? Let me clarify: you think Spyware Detector is bad? How do you recommend I get rid of so many services not running? Uninstall?
Spyware Detector is only a scam software to get people to pay for it, so yes, you will want to uninstall that one. The services show as disabled through msconfig - go to Start - Run, type msconfig (and OK). Under the Services tab, there are quite a few that have no checks next to them? Don't make any changes yet please - just check.
MBAM is newer than AVG, and may not have sufficient trial history to make suggestions on, though I do not really do those. One may be a more comprehensive software than the other, so what works for you will be the deciding factor, as always.
No infection is showing, but we do need to still do a follow up scan to be sure while you consider any changes you need to make there.
Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 8:28:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731917
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 73584
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:56:46
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Adobe\ALM\alm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\organizer70\files.MYD Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\organizer70\files.MYI Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\TedsDell.err Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\Ted.NK2 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\Ted.srs Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Textual\anagram\anagrampersonal.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\AOL OCP\AIM\Storage\data\carp999\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\archive2.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\TedTed AOL-00000004.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Acr616A.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Acr62F0.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo10 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo11 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo12 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo13 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo14 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo15 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo16 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo17 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo18 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo19 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo2 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo20 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo21 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo22 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo23 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo24 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo25 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo26 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo27 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo28 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo29 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo3 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo30 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo31 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo32 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo33 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo4 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo5 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo6 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo7 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo8 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo9 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OLKRPCLOG_04_29_2008_14_42_08_1.etl Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OLKRPCLOG_04_29_2008_15_36_57_1.etl Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OPMLog.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Outlook Logging\TedAol\imap3.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF2825.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF7DE.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF908B.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF9098.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~WRD0004.doc Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.Word\~WRF0005.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Test\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Test\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Citrix\GoToMyPC\g2host.log Object is locked skipped
C:\Program Files\Citrix\GoToMyPC\g2svc.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe/file01 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP481\A0053954.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP481\A0053961.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.b skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0056481.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\WINDOWS\system32\gotomon.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_704.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
The Kaspersky log looks good enough, with mostly either normally locked system functions found or infection for now held harmless in System Restore. But the system does have an essential system file that has been altered by infection we will need to address. I think my attentions were on the rogue type softwares more than active malware, so let's correct for that now.
Download and run DELDOMAINS (right-click the link and select Save Link/Target As), then double-click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu. You may only see the desktop perhaps flicker when the fix makes the corrections.
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double-click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore Temp Cleanup Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the SDFix report.txt log please.
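The assessment of the Kaspersky log above sorts its lines into in-use noise, hits parked in System Restore, and the one that matters, a patched core system file. Here is that sorting as an added Python script (example code, not the helper's and not a Kaspersky tool); it assumes the plain-text log format shown above, and the sample lines are constructed, with the last infected path made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Kaspersky's plain-text log writes one object per line, ending in an outcome.
LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) Inno: infected - (?P<count>\d+) skipped$")

# Where the OS keeps its own protected binaries (dllcache sits under it). An
# infected object here is a modified core file, which a scanner cannot simply
# delete; it needs a clean replacement, as with user32.dll in the thread.
CORE_PREFIX = "c:\\windows\\system32\\"
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Finding:
    path: str
    verdict: str
    category: str  # "locked" | "restore_point" | "core_file" | "active"


def classify_infected(path: str) -> str:
    """Copies parked in a restore point are inert until System Restore is
    flushed; hits on OS binaries are the urgent ones; the rest is active."""
    low = path.lower()
    if RESTORE_MARKER in low:
        return "restore_point"
    if low.startswith(CORE_PREFIX):
        return "core_file"
    return "active"


def triage_line(line: str) -> Optional[Finding]:
    """Parse one log line; None for banner, blank and summary lines."""
    line = line.rstrip("\r\n")
    if line.endswith(LOCKED_SUFFIX):
        # Hives, event logs, index.dat, SQL data files: in use, not a verdict.
        return Finding(line[: -len(LOCKED_SUFFIX)], "", "locked")
    m = INFECTED_RE.match(line)
    if m:
        return Finding(m["path"], m["verdict"], classify_infected(m["path"]))
    m = ARCHIVE_RE.match(line)
    if m:
        verdict = f"installer archive with {m['count']} infected member(s)"
        return Finding(m["path"], verdict, classify_infected(m["path"]))
    return None


def triage(lines: Iterable[str]) -> Dict[str, List[Finding]]:
    """Bucket every line of a log by what it means for the cleanup."""
    buckets: Dict[str, List[Finding]] = {
        "locked": [], "restore_point": [], "core_file": [], "active": []}
    for line in lines:
        f = triage_line(line)
        if f is not None:
            buckets[f.category].append(f)
    return buckets


def needs_action(buckets: Dict[str, List[Finding]]) -> List[Finding]:
    """Everything that is neither in-use noise nor parked in a restore point."""
    return buckets["core_file"] + buckets["active"]


# Constructed sample in the format of the log posted above; the Temp\sample.exe
# path is made up for the example.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\Documents and Settings\Ted Carpenter\ntuser.dat Object is locked skipped",
    r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe/file01 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped",
    r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe Inno: infected - 1 skipped",
    r"C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb skipped",
    r"C:\WINDOWS\system32\user32.dll Infected: Trojan.Win32.Patched.bb skipped",
    r"C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\sample.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped",
    "Scan process completed.",
]

if __name__ == "__main__":
    for f in needs_action(triage(SAMPLE_LOG)):
        print(f"{f.category:<13} {f.verdict:<45} {f.path}")
```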
Sorry, was on vacation for a bit: here goes the SDFix report that you wanted:
SDFix: Version 1.181
Run by Ted Carpenter on Fri 05/09/2008 at 10:20 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name :
ydhqzop
Path :
\??\C:\WINDOWS\ydhqzop.sys
ydhqzop - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
-- Files created between 2008-04-09 and 2008-05-09
2008-05-09 00:37:52 0 d C:\Program Files\Common Files\Macrovision Shared
2008-05-07 14:03:30 0 d C:\Program Files\QuoteEZ - PHP (AL)
2008-05-07 14:03:30 0 d C:\Program Files\Common
2008-04-29 17:02:03 0 d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 17:02:01 0 d C:\WINDOWS\system32\Kaspersky Lab
2008-04-26 11:54:00 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Malwarebytes
2008-04-26 11:53:55 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:44:05 0 d C:\symbols
2008-04-25 09:41:44 0 d C:\Program Files\Debugging Tools for Windows
2008-04-24 20:59:39 0 d C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-24 10:14:48 0 d--h C:\$AVG8.VAULT$
2008-04-24 09:28:14 0 d C:\WINDOWS\system32\drivers\Avg
2008-04-24 09:28:14 0 d C:\Documents and Settings\Ted Carpenter\Application Data\AVGTOOLBAR
2008-04-24 09:28:07 0 d C:\Program Files\AVG
2008-04-24 09:28:05 0 d C:\Documents and Settings\All Users\Application Data\avg8
2008-04-23 21:40:13 0 d C:\WINDOWS\ERUNT
2008-04-23 21:29:18 0 d C:\Program Files\Trend Micro
2008-04-23 20:59:36 0 d C:\Program Files\Panda Security
2008-04-23 20:12:36 0 d C:\WINDOWS\BDOSCAN8
2008-04-23 14:05:54 0 d C:\Documents and Settings\All Users\Application Data\xqhmzeje
2008-04-19 01:01:19 0 d C:\WINDOWS\system32\Lang
2008-04-19 01:00:53 0 d C:\Intel
2008-04-19 00:42:31 49152 --a C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-04-19 00:42:31 45056 n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-04-18 07:00:03 0 d C:\Documents and Settings\LocalService\Application Data\EmailCache
2008-04-18 01:43:32 0 d C:\Documents and Settings\LocalService\Application Data\DriveHQ
2008-04-15 12:07:33 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-15 12:07:29 0 d C:\Program Files\Audit Support Center
-- Find3M Report
2008-05-09 18:47:47 256 --a C:\WINDOWS\system32\pool.bin
2008-05-09 00:38:10 0 d C:\Program Files\Common Files\Adobe
2008-05-09 00:37:52 0 d C:\Program Files\Common Files
2008-05-09 00:09:32 0 d C:\Documents and Settings\Ted Carpenter\Application Data\AdobeUM
2008-05-08 13:39:29 0 d C:\Program Files\SpywareDetector
2008-04-24 01:19:19 0 d--h C:\Program Files\InstallShield Installation Information
2008-04-24 00:40:48 0 d C:\Program Files\Skype
2008-04-24 00:37:28 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 00:37:24 0 d C:\Program Files\Lavasoft
2008-04-23 20:01:10 0 d C:\Program Files\Spyware Doctor
2008-04-23 14:05:44 577536 --a C:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-19 00:42:31 0 d C:\Program Files\Analog Devices
2008-04-18 14:46:47 0 d C:\Documents and Settings\Ted Carpenter\Application Data\skypePM
2008-04-18 01:43:16 0 d C:\Program Files\DriveHQ
2008-04-17 07:42:31 0 d C:\Documents and Settings\Ted Carpenter\Application Data\EmailCache
2008-04-16 17:23:24 835584 --a C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2008-04-15 07:54:32 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Intuit
2008-04-15 07:48:50 0 d C:\Program Files\TurboTax
2008-04-08 12:55:35 0 d C:\Program Files\Textual
2008-04-08 10:58:20 0 d C:\Program Files\SupportSpace
2008-04-07 00:50:24 0 d C:\Program Files\Broadcom
2008-04-06 14:13:55 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Textual
2008-04-06 14:13:50 5816 --a C:\WINDOWS\system32\casigmgr32s.dll
2008-04-02 15:46:09 0 d C:\Program Files\Common Files\Skype
2008-03-26 14:50:06 0 d C:\Program Files\Microsoft Money Plus
2008-03-17 01:38:23 0 d C:\Program Files\QuoteEz - CCP-AL
2008-03-17 01:30:53 0 d C:\Program Files\Common Files\aol
2008-03-17 01:06:36 0 d C:\Documents and Settings\Ted Carpenter\Application Data\PC Tools
2008-03-15 11:01:21 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Roxio
2008-03-13 16:41:51 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Research In Motion
2008-03-13 12:19:45 0 d C:\Program Files\Roxio
2008-03-13 12:11:32 0 d C:\Program Files\Common Files\Sonic Shared
2008-03-13 12:10:09 0 d C:\Program Files\Common Files\Roxio Shared
2008-03-13 12:05:59 0 d C:\Program Files\Common Files\Research In Motion
2008-03-13 12:05:34 0 d C:\Program Files\Research In Motion
2008-03-09 19:27:42 0 d C:\Program Files\Samsung
2008-03-09 19:27:35 0 d C:\Program Files\DivX
2008-03-07 21:38:50 7005 --a C:\Program Files\Eula.txt
2008-03-07 21:38:49 72138 --a C:\Program Files\procexp.chm
2008-02-25 18:16:21 32125 --a C:\Documents and Settings\Ted Carpenter\Application Data\Comma Separated Values (Windows).ADR
2008-02-21 10:35:00 311296 --a C:\WINDOWS\system32\BCCIndvRateEngine.dll <Not Verified; Blue Cross Company; BCCIndvRate>
2008-02-20 19:41:54 38465 --a C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft Excel.ADR
2008-02-12 20:00:08 65 --a C:\WINDOWS\system32\BD7820N.dat
2008-02-12 15:56:44 1040384 --a C:\WINDOWS\system32\UNISGProposalFlex.dll <Not Verified; Blue Cross of California; UNISGProposalFlex>
2008-02-12 01:20:19 0 --a C:\WINDOWS\brdfxspd.dat
-- Registry Dump
*Note* empty entries & legit default entries are not shown
No, though SDFix took out some bad stuff, it did not provide the file repair I was shooting for. Do you have the XP CD, or can you borrow one if needed for some system file corrections there? Also let's check for other copies.
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\user32*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
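The search above lists every copy of user32.dll on the drive. An in-place patch keeps the file's size, so sizes agreeing across copies proves nothing, and the copies agreeing with each other proves little when the dllcache backup was patched too; what separates clean from patched is a hash from a known-good source. This added Python example (not code from the thread or any of its tools) hashes every copy found under a root and compares each against such a reference hash; the directory tree and the file contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple


class Copy(NamedTuple):
    path: str
    size: int
    sha256: str


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[Copy]:
    """The `dir /s /a` search from the thread, with a size and SHA-256 per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                hits.append(Copy(p, os.path.getsize(p), sha256_of(p)))
    return sorted(hits)


def assess(copies: List[Copy], reference_sha256: Optional[str] = None) -> Dict[str, object]:
    """Size agreement says nothing about an in-place patch, and hash agreement
    only says the copies match each other. Only a reference hash from a
    known-good source (an install CD, as asked for above) tells them apart."""
    sizes = {c.size for c in copies}
    hashes = {c.sha256 for c in copies}
    differs: List[str] = []
    if reference_sha256 is not None:
        differs = [c.path for c in copies if c.sha256 != reference_sha256]
    return {
        "copies": len(copies),
        "same_size": len(sizes) == 1,
        "same_contents": len(hashes) == 1,
        "differs_from_reference": differs,
    }


def build_sample_tree() -> Tuple[str, str]:
    """Construct a throwaway tree shaped like the thread's situation: the live
    copy and its dllcache backup carry the same length-preserving patch, the
    service-pack copy is clean. Returns (root, SHA-256 of the clean blob)."""
    root = tempfile.mkdtemp(prefix="dllcopies_")
    clean = bytes(range(256)) * 64                 # 16 KiB stand-in for a DLL
    patched = bytearray(clean)
    patched[0x1000:0x1004] = b"\xff\xff\xff\xff"   # same size, different bytes
    layout = {
        os.path.join("WINDOWS", "system32"): bytes(patched),
        os.path.join("WINDOWS", "system32", "dllcache"): bytes(patched),
        os.path.join("WINDOWS", "ServicePackFiles", "i386"): clean,
    }
    for rel, blob in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "user32.dll"), "wb") as fh:
            fh.write(blob)
    return root, hashlib.sha256(clean).hexdigest()


if __name__ == "__main__":
    root, clean_hash = build_sample_tree()
    copies = find_copies(root, "user32.dll")
    for c in copies:
        print(f"{c.size:>8} {c.sha256[:16]}  {c.path}")
    print(assess(copies, clean_hash))
```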
Correct sizes. I suspect this is the patch infector that does a very slight code modification, which could be left as is as long as the malware associated with it has been removed. Since it is only one file though, let's not do that.
To be sure of the patch job go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.
c:\WINDOWS\system32\user32.dll
You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
Then PM me an email address where I can send you a clean copy of that file. Note - this isn't an open invitation to PM for files, so others reviewing these steps please know I will likely just not read such requests.
Since SDFix located activities associated with Rustock let's do a bit more in depth checking here.
Click here and download RegDelNull.zip. Unzip the file and when you have done this, read the Eula and then copy and paste RegDelNull.exe to your C folder (so it will then be C:\RegDelNull.exe).
Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).
cd\
regdelnull hkcu -s
(be sure to place a space after hkcu)
Your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter to let the scan continue until it has finished.
Repeat those steps using the following entry at the prompt:
regdelnull hklm -s
(be sure to place a space after hklm)
Again your registry will be scanned, and if any Null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter to let the scan continue until it has finished.
When it has finished, click on the Icon in the top left hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here please.
Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder.
When you have done this, doubleclick on Gmer.exe to run it.
Under the Rootkit/Malware tab look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive, and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
I am not quite sure why that Eventlog service's Security subkey is hidden - all the settings appear to be normal for it. Right now I assess this info as not indicating any hidden malware activities, but I am willing to change that should we get other details here.
The file upload was received, thanks. You posted your email address in the open upload thread. Spambots harvest these, so not good to post them in open forums. Just PM me an email address (click my user name in this post).
The User32.dll file has been patched with a small but significant string change:
(User32.dll no modifications)
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
Good idea to take a look for that altered string info as well.
Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) typInit in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please.
Comments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:31 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\xqhmzeje\nufslqnw.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\DriveHQRepository4.00.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQClient.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\DrivehqBackup.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQRepository2.32.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\AIM6\aim6.exe
c:\program files\advanced system optimizer\memtuneup.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Startup Faster 2004\sfAgent.exe
C:\Program Files\Brother\Brmfl04g\FAXRX.exe
C:\Program Files\Textual\anagram\anagram.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKLM\..\Policies\Explorer\Run: [YomnjnFyD9] C:\Documents and Settings\All Users\Application Data\xqhmzeje\nufslqnw.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.iacusa.com
O15 - Trusted Zone: http://*.scanhelp.com
O15 - Trusted Zone: http://www.scentiments.com
O15 - Trusted Zone: *.t-mobile.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://www.unitedsecuritylandh.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {08653405-44A9-4E99-9C09-DD00770AAA08} (Support Platform Strapper) - http://www.supportspace.com/rcp/6.0.633.5/SupportSpace_tools.dll
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173982080017
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201048724890
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rimsupport.webex.com/client/T23L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O21 - SSODL: vadokmxt - {16240820-97CB-41CC-8458-9A63884ECC6C} - (no file)
O21 - SSODL: wdpoefan - {6B838D3F-6BD8-4251-93D8-D7851670143E} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DriveHQ Backup Service - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
O23 - Service: DriveHQ FileManagerFun - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SDService (sdservice) - Unknown owner - C:\Program Files\SpywareDetector\SDService.exe (file missing)
O23 - Service: SupportSpace platform helper service (SupportSpaceHelperService) - SupportSpace, Inc. - C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
--
End of file - 14187 bytes
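The O23 block at the end of this log is where the infection shows: a service named "Task Scheduler" whose image is C:\WINDOWS\system32\drivers\spools.exe, with no owner and the file now missing. As an added example for this thread (it is not code from HijackThis, DSS or the forum), the Python below applies the checks a log reader makes by eye to such lines: executable missing, no publisher, a user-mode .exe stored under \drivers, a file name one letter away from a core Windows binary, and a built-in service short name pointing at the wrong host image. The sample lines are copied from the log above; the tables of core binaries and built-in service hosts are assumptions for Windows XP.

```python
"""Triage of HijackThis-style 'O23 - Service' lines.

Added example for this thread; not code from HijackThis, DSS or Malwarebytes.
The sample lines are copied from the log posted above. BUILTIN_HOST and
CORE_BINARIES are assumptions for Windows XP."""

import re
from dataclasses import dataclass, field

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?\s*$"
)

# Built-in XP services (short name) and the image that legitimately hosts them.
BUILTIN_HOST = {
    "schedule": "svchost.exe",      # Task Scheduler runs inside svchost -k netsvcs
    "spooler": "spoolsv.exe",
    "dnscache": "svchost.exe",
    "lanmanserver": "svchost.exe",
}

# Core Windows binaries whose names malware imitates with a one-letter change.
CORE_BINARIES = ("csrss", "ctfmon", "explorer", "lsass", "services",
                 "smss", "spoolsv", "svchost", "winlogon")

# Constructed sample: four O23 lines taken from the log above.
SAMPLE_LOG = r"""
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: SDService (sdservice) - Unknown owner - C:\Program Files\SpywareDetector\SDService.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
"""


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    missing: bool
    findings: list = field(default_factory=list)


def parse_o23(line):
    """Return a Service for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, short = m["name"], m["name"]
    paren = re.search(r"\((?P<short>[^()]+)\)\s*$", display)
    if paren:                      # "Task Scheduler (Schedule)" -> short name Schedule
        short = paren["short"]
        display = display[: paren.start()].rstrip()
    return Service(display, short, m["owner"], m["path"], m["missing"] is not None)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(svc):
    """Attach the red flags a log reader looks for and return them."""
    directory, _, filename = svc.path.lower().rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    if svc.missing:
        svc.findings.append("file missing: service still registered, executable gone")
    if svc.owner.lower() == "unknown owner":
        svc.findings.append("no publisher in the file's version info")
    if directory.endswith("\\drivers") and ext == "exe":
        svc.findings.append("user-mode .exe stored in the drivers directory")
    if stem not in CORE_BINARIES:
        for core in CORE_BINARIES:
            if edit_distance(stem, core) == 1:
                svc.findings.append(f"lookalike name: {filename} vs {core}.exe")
    host = BUILTIN_HOST.get(svc.short.lower())
    if host and filename != host:
        svc.findings.append(
            f"built-in service '{svc.short}' should be hosted by {host}, not {filename}")
    return svc.findings


def triage_log(text):
    """Map each service's short name to its list of findings."""
    return {svc.short: triage(svc)
            for svc in map(parse_o23, text.splitlines()) if svc}


if __name__ == "__main__":
    for short, findings in triage_log(SAMPLE_LOG).items():
        print(short, "->", findings or "clean")
```

Run as a script it prints the findings per service: the Schedule entry collects all five flags, SDService only the two that apply (file missing, no owner), and the Google and PC Tools services come out clean. The lookalike test requires an edit distance of exactly one so that unrelated short names are not reported.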
Infection is showing there, so let's start repairs.
First follow the steps here to disable SpyBot's TeaTimer, as it will interfere with the repairs. Be sure to do all the steps, including the required reboot. If you have any difficulties accomplishing those then please go ahead and uninstall SpyBot - TeaTimer has been causing too many problems in repairs to make it worth any extra effort while we do them. You can always reinstall it after if you choose to.
Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs. This is especially true of Spyware Doctor, so be sure to shut that down and leave it that way until all repairs are finished here.
Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply. If it calls for a reboot to complete the repairs, do that as well.
============================
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the MBAM log please.
Malwarebytes' Anti-Malware 1.11
Database version: 685
Scan type: Quick Scan
Objects scanned: 40043
Time elapsed: 4 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ccb7fb40-99ec-4678-9202-52798da78aba} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d12fb216-99da-4eb3-9cc0-c0f760b174a0} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d56c1af1-3fde-471c-9bc2-c52515f260c1} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e656b867-992c-4462-a27d-ebe604ec3a48} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a78bc6b0-af68-47c0-a2de-daadeff87df9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ee7c45b3-8f9b-4a78-be6e-aa3267d541be} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e95305fa-0407-4401-9240-793f8a6197c3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\nvrsma.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ydhqzop.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ted Carpenter\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
You can use extra posts here if needed for that.
Deckard's System Scanner v20071014.68
Run by Ted Carpenter on 2008-04-26 15:23:42
Computer is in Normal Mode.
Backed up registry hives.
-- HijackThis Clone
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-26 15:25:46
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Startup Faster 2004\SFAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\DriveHQRepository4.00.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ted Carpenter\Desktop\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://amersel.com (HKCU)
O15 - Trusted Zone: https://bestbuy.com (HKCU)
O15 - Trusted Zone: https://box.net (HKCU)
O15 - Trusted Zone: https://buildmyagency.com (HKCU)
O15 - Trusted Zone: https://capitalone.com (HKCU)
O15 - Trusted Zone: https://*.all-access.cstv.com (HKCU)
O15 - Trusted Zone: https://*.plantronics.custhelp.com (HKCU)
O15 - Trusted Zone: https://*.music.download.com (HKCU)
O15 - Trusted Zone: https://ebay.com (HKCU)
O15 - Trusted Zone: https://fedex.com (HKCU)
O15 - Trusted Zone: https://gacquote.com (HKCU)
O15 - Trusted Zone: https://goldenrulehealth.com (HKCU)
O15 - Trusted Zone: https://www.hrsaccount.com (HKCU)
O15 - Trusted Zone: https://*.services.hscil.com (HKCU)
O15 - Trusted Zone: https://services.hscil.com (HKCU)
O15 - Trusted Zone: https://iacusa.com (HKCU)
O15 - Trusted Zone: https://www*.iacusa.com (HKCU)
O15 - Trusted Zone: https://*.members.infocusgirls.com (HKCU)
O15 - Trusted Zone: https://leadsclearance.com (HKCU)
O15 - Trusted Zone: https://*.secure.logmein.com (HKCU)
O15 - Trusted Zone: https://pittsburghlive.com (HKCU)
O15 - Trusted Zone: https://plantronics.com (HKCU)
O15 - Trusted Zone: https://privacymatters.com (HKCU)
O15 - Trusted Zone: https://*.shop.rcn.com (HKCU)
O15 - Trusted Zone: https://rivals.com (HKCU)
O15 - Trusted Zone: http://scanhelp.com (HKCU)
O15 - Trusted Zone: http://www.scentiments.com (HKCU)
O15 - Trusted Zone: https://skinvideo.com (HKCU)
O15 - Trusted Zone: *.t-mobile.com (HKCU)
O15 - Trusted Zone: https://turbotax.com (HKCU)
O15 - Trusted Zone: http://turbotax.com (HKCU)
O15 - Trusted Zone: https://unitedsecuritylandh.com (HKCU)
O15 - Trusted Zone: https://www*.vistaprint.com (HKCU)
O15 - Trusted Zone: https://wildhairygirls.com (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {08653405-44A9-4E99-9C09-DD00770AAA08} (Support Platform Strapper) - http://www.supportspace.com/rcp/6.0.633.5/SupportSpace_tools.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173982080017
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201048724890
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rimsupport.webex.com/client/T23L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: drivehq backup service - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
O23 - Service: drivehq filemanagerfun - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: sdservice - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SupportSpace platform helper service (SupportSpaceHelperService) - SupportSpace, Inc. - C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 15692 bytes
-- File Associations
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
S3 catchme - c:\docume~1\tedcar~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 usbfvneta (D-LINK DWL-120 WIRELESS USB ADAPTER) - c:\windows\system32\drivers\vnetusba.sys <Not Verified; ATMEL; USB Wireless Network Adapter>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 drivehq filemanagerfun - "c:\program files\drivehq\drivehq filemanager\dhqfmsvc.exe" <Not Verified; Drive Headquarter; Base Service>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
-- Device Manager: Disabled
No disabled devices found.
-- Scheduled Tasks
2008-04-26 13:37:14 440 --ah C:\WINDOWS\Tasks\User_Feed_Synchronization-{196E15B1-B491-4CE7-94A6-3DED57A04D9A}.job
2008-04-20 05:28:00 274 --a C:\WINDOWS\Tasks\defrag.job
2008-04-18 13:35:00 284 --a C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-14 13:35:13 402 --a C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
-- Files created between 2008-03-26 and 2008-04-26
2008-04-26 11:54:00 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Malwarebytes
2008-04-26 11:53:55 0 d C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 11:53:55 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:44:05 0 d C:\symbols
2008-04-25 09:41:44 0 d C:\Program Files\Debugging Tools for Windows
2008-04-24 20:59:39 0 d C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-24 10:14:48 0 d--h C:\$AVG8.VAULT$
2008-04-24 09:28:14 0 d C:\WINDOWS\system32\drivers\Avg
2008-04-24 09:28:14 0 d C:\Documents and Settings\Ted Carpenter\Application Data\AVGTOOLBAR
2008-04-24 09:28:07 0 d C:\Program Files\AVG
2008-04-24 09:28:05 0 d C:\Documents and Settings\All Users\Application Data\avg8
2008-04-23 21:40:13 0 d C:\WINDOWS\ERUNT
2008-04-23 21:29:18 0 d C:\Program Files\Trend Micro
2008-04-23 20:59:36 0 d C:\Program Files\Panda Security
2008-04-23 20:12:36 0 d C:\WINDOWS\BDOSCAN8
2008-04-23 14:05:54 0 d C:\Documents and Settings\All Users\Application Data\xqhmzeje
2008-04-19 01:01:19 0 d C:\WINDOWS\system32\Lang
2008-04-19 01:00:53 0 d C:\Intel
2008-04-19 00:42:31 49152 --a C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-04-19 00:42:31 45056 n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-04-18 07:00:03 0 d C:\Documents and Settings\LocalService\Application Data\EmailCache
2008-04-18 01:43:32 0 d C:\Documents and Settings\LocalService\Application Data\DriveHQ
2008-04-15 12:07:33 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-15 12:07:29 0 d C:\Program Files\Audit Support Center
2008-04-08 10:58:20 0 d C:\Program Files\SupportSpace
2008-04-06 14:13:55 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Textual
2008-04-06 14:13:50 5816 --a C:\WINDOWS\system32\casigmgr32s.dll
2008-04-06 14:12:34 0 d C:\Program Files\Textual
2008-04-02 15:48:00 0 d C:\Documents and Settings\Ted Carpenter\Application Data\skypePM
2008-04-02 15:48:00 32 --a C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-02 15:46:09 0 d C:\Program Files\Skype
2008-04-02 15:46:09 0 d C:\Program Files\Common Files\Skype
2008-04-02 15:46:03 0 d C:\Documents and Settings\All Users\Application Data\Skype
-- Find3M Report
2008-04-25 10:47:38 0 d C:\Program Files\SpywareDetector
2008-04-24 20:59:37 0 d C:\Program Files\Common Files
2008-04-24 17:34:57 0 d C:\Program Files\Common
2008-04-24 01:19:19 0 d--h C:\Program Files\InstallShield Installation Information
2008-04-24 00:37:28 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 00:37:24 0 d C:\Program Files\Lavasoft
2008-04-23 20:01:10 0 d C:\Program Files\Spyware Doctor
2008-04-23 14:05:44 577536 --a C:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-19 00:42:31 0 d C:\Program Files\Analog Devices
2008-04-18 01:43:16 0 d C:\Program Files\DriveHQ
2008-04-17 07:42:31 0 d C:\Documents and Settings\Ted Carpenter\Application Data\EmailCache
2008-04-16 17:23:24 835584 --a C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2008-04-15 07:54:32 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Intuit
2008-04-15 07:48:50 0 d C:\Program Files\TurboTax
2008-04-09 19:11:48 256 --a C:\WINDOWS\system32\pool.bin
2008-04-07 00:50:24 0 d C:\Program Files\Broadcom
2008-03-26 14:50:06 0 d C:\Program Files\Microsoft Money Plus
2008-03-17 01:38:23 0 d C:\Program Files\QuoteEz - CCP-AL
2008-03-17 01:37:41 0 d C:\Program Files\QuoteEZ - PHP (AL)
2008-03-17 01:30:53 0 d C:\Program Files\Common Files\aol
2008-03-17 01:06:36 0 d C:\Documents and Settings\Ted Carpenter\Application Data\PC Tools
2008-03-15 11:01:21 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Roxio
2008-03-13 16:41:51 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Research In Motion
2008-03-13 12:19:45 0 d C:\Program Files\Roxio
2008-03-13 12:11:32 0 d C:\Program Files\Common Files\Sonic Shared
2008-03-13 12:10:09 0 d C:\Program Files\Common Files\Roxio Shared
2008-03-13 12:05:59 0 d C:\Program Files\Common Files\Research In Motion
2008-03-13 12:05:34 0 d C:\Program Files\Research In Motion
2008-03-09 19:27:42 0 d C:\Program Files\Samsung
2008-03-09 19:27:35 0 d C:\Program Files\DivX
2008-03-08 00:16:05 0 d C:\Program Files\Java
2008-03-07 22:30:58 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Real
2008-03-07 21:38:50 7005 --a C:\Program Files\Eula.txt
2008-03-07 21:38:49 72138 --a C:\Program Files\procexp.chm
2008-03-06 18:12:29 0 d C:\Program Files\UNICARE Agent Assistant
2008-03-03 02:37:28 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Blackberry Desktop
2008-03-03 01:09:52 0 d C:\Documents and Settings\Ted Carpenter\Application Data\LimeWire
2008-02-28 03:52:06 0 d C:\Program Files\MSXML 6.0
2008-02-25 18:16:21 32125 --a C:\Documents and Settings\Ted Carpenter\Application Data\Comma Separated Values (Windows).ADR
2008-02-21 10:35:00 311296 --a C:\WINDOWS\system32\BCCIndvRateEngine.dll <Not Verified; Blue Cross Company; BCCIndvRate>
2008-02-20 19:41:54 38465 --a C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft Excel.ADR
2008-02-12 20:00:08 65 --a C:\WINDOWS\system32\BD7820N.dat
2008-02-12 15:56:44 1040384 --a C:\WINDOWS\system32\UNISGProposalFlex.dll <Not Verified; Blue Cross of California; UNISGProposalFlex>
2008-02-12 01:20:19 0 --a C:\WINDOWS\brdfxspd.dat
2008-02-03 16:40:53 186443 --a C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2008-01-30 11:30:12 602176 --a C:\WINDOWS\system32\UNISGRate.dll <Not Verified; Blue Cross of California; UNISGRate>
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
04/24/2008 09:28 AM 2050816 --a C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/24/2008 09:28 AM 2050816]
[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster 2004\startuploader.exe" [01/29/2007 11:45 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 04/24/2008 08:56 AM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 05:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sdnotify]
C:\Program Files\SpywareDetector\SDNotify.dll 04/16/2008 05:04 PM 446464 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\moneybackgoundbanking]
"C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"GoToAssist"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"bepprldr"=3 (0x3)
"ASFIPmon"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)
"SupportSpaceHelperService"=2 (0x2)
"Avg7Alrt"=2 (0x2)
-- Hosts
127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com
-- End of Deckard's System Scanner: finished at 2008-04-26 15:26:37
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
CPU 1: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 3317.54 MiB / 2548.14 MiB
Pagefile Memory (total/avail): 5201.3 MiB / 4636.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.85 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 148.96 GiB total, 110.64 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P - 149.01 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 148.96 GiB - C:
-- Security Center
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
FirewallOverride is set.
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ted Carpenter\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TEDSDELL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ted Carpenter
LOGONSERVER=\\TEDSDELL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\TEDCAR~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\TEDCAR~1\LOCALS~1\Temp
USERDOMAIN=TEDSDELL
USERNAME=Ted Carpenter
USERPROFILE=C:\Documents and Settings\Ted Carpenter
windir=C:\WINDOWS
-- User Profiles
Ted Carpenter (admin)
LogMeInRemoteUser (admin)
LogMeInRemoteUser.TEDSDELL (new local, admin)
Test (admin)
Administrator (admin)
-- Add/Remove Programs
-->
-->
-->
-->
-->
-->
--> "C:\Program Files\Your Uninstaller 2008\unins000.exe"
--> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
--> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{2BE0C605-9BEC-434D-9FAE-931194E72414}
--> MsiExec.exe /I{48A669A9-76FA-4CA8-BFD5-00C125AC4166}
--> MsiExec.exe /I{726A362E-EBFD-4C3F-8664-6593C2B08386}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{943CB81D-11B9-401E-8305-752528D00AA1}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
--> MsiExec.exe /I{E75F019D-98A0-4B39-B1A8-3A01400D2A18}
--> MsiExec.exe /X{F664EDB9-59DF-452A-A3D7-085ED1B8D374}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 5.0 Limited Edition --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0 LE\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0 LE\Uninst.dll"
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced System Optimizer 2.10 --> "C:\Program Files\Advanced System Optimizer\unins000.exe"
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
anagram --> "C:\Program Files\Textual\anagram\Uninstall.exe"
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
Audit Support Center 1.0 --> C:\Program Files\Audit Support Center\uninst.exe
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BCBS Illustration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0C05B535-EE3A-4A9A-891D-9D28EDC885C0}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /i{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
BlackBerry Desktop Software 4.3 --> MsiExec.exe /I{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}
Broadcom ASF Management Applications --> MsiExec.exe /I{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{FC57FC53-104C-415C-98D7-B05E659461A9}
Broadcom Management Programs --> MsiExec.exe /X{177D1318-3E4B-4A7C-A300-AC4E21BE090B}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D83BD5E2-5AF4-49F6-B5C1-484A9760E73D}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Debugging Tools for Windows --> MsiExec.exe /I{F3ECED46-91CC-4F44-9917-9A20085D5D26}
Dell ETS Factory Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}\setup.exe" -l0x9
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DriveHQ FileManager 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F8AD7E02-21AC-4057-95F9-7DB59FF57FC8}\Setup.exe"
DriveHQ Online Backup 4.0 --> C:\Program Files\InstallShield Installation Information\{8519BB8B-1A9D-4995-A73C-DA1B6316A6C5}\setup.exe -runfromtemp -l0x0009 -removeonly
DVDZip 3.1 --> "C:\Program Files\DVDZip 3.1\unins000.exe"
ePreserver --> MsiExec.exe /X{8403D1DE-5A9B-4769-A64F-C33C3F249900}
Golden Rule Individual Health 10.0 --> MsiExec.exe /I{8CF78C2E-B8D6-4DAA-A79C-28A9B157FB20}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GoToAssist 8.0.0.480 --> C:\Program Files\Citrix\GoToAssist\480\G2AUninstaller.exe /uninstall
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Individual Medical v2.0 --> MsiExec.exe /I{B6FC7F06-9EAA-4B73-8220-950DD43D99DD}
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money Plus --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (ACMIC) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
OneLife --> MsiExec.exe /X{63DBB89B-1A27-4913-93A0-4811111FC9D3}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
QuoteEz - CCP (AL) --> MsiExec.exe /I{A8CB24D0-C0C4-47E8-838E-93E71387B234}
QuoteEZ - PHP (AL) --> MsiExec.exe /I{367F3980-8FA0-4618-A8C2-2C2FB64D82BF}
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Roxio Media Manager --> MsiExec.exe /X{303379C9-8610-4CCF-AF37-C4BF8998C591}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spyware Detector --> "C:\Program Files\SpywareDetector\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Startup Faster! 2004 --> "C:\Program Files\Startup Faster 2004\unins000.exe"
SupportSpace Support Tools --> MsiExec.exe /I{1BBCEFD3-486C-480D-B536-52E5F4BF9E99}
The UniCare Agent Assistant --> MsiExec.exe /I{C7B4A635-DA18-47B1-99AD-14F600067AA7}
TurboTax Home & Business 2007 --> C:\Program Files\TurboTax\Home & Business 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2007\Uninstall.log" -NoGui
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VistaPrint Electronic Business Card --> MsiExec.exe /X{253FCC55-E03D-40D4-A407-3470BE4101C0}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
-- Application Event Log
Event Record #/Type190 / Error
Event Submitted/Written: 04/26/2008 11:38:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]
Event Record #/Type185 / Error
Event Submitted/Written: 04/25/2008 11:10:11 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drivehqbackup.exe, version 4.0.0.252, faulting module drivehqbackup.exe, version 4.0.0.252, fault address 0x00038abe.
Processing media-specific event for [drivehqbackup.exe!ws!]
Event Record #/Type183 / Warning
Event Submitted/Written: 04/25/2008 10:52:43 PM
Event ID/Source: 19011 / MSSQL$ACMIC
Event Description:
(SpnRegister) : Error 1355
Event Record #/Type180 / Warning
Event Submitted/Written: 04/25/2008 10:51:24 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type178 / Warning
Event Submitted/Written: 04/25/2008 07:28:24 PM
Event ID/Source: 19011 / MSSQL$ACMIC
Event Description:
(SpnRegister) : Error 1355
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type24004 / Warning
Event Submitted/Written: 04/26/2008 02:52:08 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Event Record #/Type23994 / Error
Event Submitted/Written: 04/26/2008 11:50:25 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
Event Record #/Type23992 / Error
Event Submitted/Written: 04/26/2008 11:49:55 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
Event Record #/Type23991 / Error
Event Submitted/Written: 04/26/2008 11:49:32 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The sdservice service terminated unexpectedly. It has done this 1 time(s).
Event Record #/Type23973 / Warning
Event Submitted/Written: 04/26/2008 00:48:31 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 004005DFA989. The IP address being used is 169.254.65.132.
-- End of Deckard's System Scanner: finished at 2008-04-26 15:26:37
You also have Max Secure's Spyware Detector installed. This is moving into the rogue software range now, and is considered undesirable to use or keep. It also often makes its own uninstall difficult, so hopefully you won't run into that problem.
A last mention on tweaking is you have many services disabled through msconfig (maybe by one of those softwares). This is without doubt the wrong way to make software changes, and will cause conflicts and issues, especially with security software like AVG and Spyware Doctor. Things will not work right and you will just not know why with it this way.
Assuming not all of those Trusted Zone items are your choices, download and run DELDOMAINS (right click the link, and select Save Link/Target As), then double click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu. You may only see the desktop perhaps flicker when the fix makes the corrections.
Uninstall whatever you choose to now, but also for needed uninstalling go here and download the latest version of Sun Java Runtime Environment (JRE) 6 Update 6. The current file name for that is jre-6u6-windows-i586-p.exe. I recommend you choose to download the "Windows Offline Installation" by clicking on that file to download it.
When you have done that, go to Add/Remove Programs in Control Panel and uninstall all versions of Java/JRE (Sun Java Runtime Environment/J2SE Runtime Environment) and reboot. Then click that downloaded jre-6u6-windows-i586-p.exe to install the latest Java version there, being sure to reboot after.
Then we still need to get an additional scan for malware there. Be sure to keep any security software disabled during this scan to allow it to complete.
Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
For now just post that log, as well as any feedback on my earlier comments please.
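An added example, not from this thread and not part of DSS, MBAM or any other tool mentioned here: a PowerShell script that reads the same msconfig services key the DSS log lists above and reports each service msconfig has switched off next to the start type it recorded, so those services can be set back through services.msc instead of being left in msconfig's selective startup. It assumes the standard XP locations of the Shared Tools\MsConfig\services key and the Services key, and that the value msconfig stores there is the service's original Start type (2 = Automatic, 3 = Manual), which is how the log displays them; the function and variable names are this example's own.

```powershell
# Added example, not from the original thread. Reports the services that
# msconfig has switched off, with the start type it recorded before doing so.
# Assumption: the MsConfig\services key holds the service's original Start
# value (2 = Automatic, 3 = Manual), which is how the DSS log above shows them.
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MsConfig\services'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Map a numeric Start value to its services.msc name.
function Get-StartTypeName([int]$value) {
    if ($startNames.ContainsKey($value)) { $startNames[$value] } else { "Unknown ($value)" }
}

# One record per service that msconfig has on file as disabled.
function Get-MsconfigDisabledService {
    if (-not (Test-Path $msconfigKey)) { return }   # nothing disabled via msconfig
    $item = Get-Item $msconfigKey
    foreach ($name in $item.GetValueNames()) {
        $original = [int]$item.GetValue($name)
        $svcPath  = Join-Path $servicesKey $name
        $current  = $null
        if (Test-Path $svcPath) { $current = (Get-ItemProperty $svcPath).Start }
        if ($null -eq $current) { $currentName = 'service key missing' }
        else                    { $currentName = Get-StartTypeName ([int]$current) }
        New-Object PSObject -Property @{
            Service       = $name
            OriginalStart = Get-StartTypeName $original
            CurrentStart  = $currentName
            # A service still at Disabled while the record says Automatic or
            # Manual is the conflict the reply above warns about for AVG and
            # Spyware Doctor; it should be set back in services.msc.
            NeedsRestore  = ($current -eq 4 -and $original -ne 4)
        }
    }
}

Get-MsconfigDisabledService | Sort-Object Service |
    Format-Table Service, OriginalStart, CurrentStart, NeedsRestore -AutoSize
```

Run it from an administrator account on the affected machine; the rows with NeedsRestore set to True correspond to the entries under msconfig\services in the log, and restoring them through services.msc (not by re-ticking them in msconfig) is what puts the machine back on a normal startup.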
MBAM is newer than AVG, and may not have sufficient trial history to make suggestions on, though I do not really do those. One may be a more comprehensive software than the other, so what works for you will be the deciding factor, as always.
Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Post back that log please.
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 8:28:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731917
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 73584
Number of viruses found: 4
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:56:46
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Adobe\ALM\alm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\organizer70\files.MYD Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\organizer70\files.MYI Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Adobe\Acrobat\8.0\TedsDell.err Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\Ted.NK2 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Outlook\Ted.srs Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Application Data\Textual\anagram\anagrampersonal.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\AOL OCP\AIM\Storage\data\carp999\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\archive2.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Outlook\TedTed AOL-00000004.pst Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Acr616A.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Acr62F0.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo10 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo11 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo12 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo13 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo14 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo15 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo16 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo17 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo18 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo19 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo2 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo20 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo21 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo22 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo23 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo24 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo25 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo26 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo27 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo28 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo29 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo3 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo30 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo31 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo32 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo33 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo4 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo5 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo6 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo7 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo8 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\lilo9 Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OLKRPCLOG_04_29_2008_14_42_08_1.etl Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OLKRPCLOG_04_29_2008_15_36_57_1.etl Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\OPMLog.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\Outlook Logging\TedAol\imap3.log Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF2825.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF7DE.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF908B.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~DF9098.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temp\~WRD0004.doc Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.Word\~WRF0005.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp Object is locked skipped
C:\Documents and Settings\Ted Carpenter\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ted Carpenter\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Test\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Test\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Citrix\GoToMyPC\g2host.log Object is locked skipped
C:\Program Files\Citrix\GoToMyPC\g2svc.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe/file01 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447\A0048069.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP481\A0053954.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.e skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP481\A0053961.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.b skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP490\A0056481.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\WINDOWS\system32\gotomon.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_704.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Download and run DELDOMAINS (right click the link, and select Save Link/Target As), then double click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu. You may only see the desktop perhaps flicker when the fix makes the corrections.
Download SDFix.exe and save it to your desktop.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the SDFix report.txt log please.
SDFix: Version 1.181
Run by Ted Carpenter on Fri 05/09/2008 at 10:20 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name :
ydhqzop
Path :
\??\C:\WINDOWS\ydhqzop.sys
ydhqzop - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\smp.bat - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\wxvgsdbq.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 22:25:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames]
"Directory Service Object"=dword:00001e00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames]
"PolicyObject"=dword:00001600
"SecretObject"=dword:00001610
"TrustedDomainObject"=dword:00001620
"UserAccountObject"=dword:00001630
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames]
"DDE Share"=dword:00001d00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames]
"SC_MANAGER Object"=dword:00001c00
"SERVICE Object"=dword:00001c10
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security]
"CategoryCount"=dword:00000009
"CategoryMessageFile"=str(2):"%SystemRoot%\System32\MsAuditE.dll"
"GuidMessageFile"=str(2):"%SystemRoot%\System32\NtMarta.dll"
"EventMessageFile"=str(2):"%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll"
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
"TypesSupported"=dword:0000001c
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames]
"Channel"=dword:00001400
"Desktop"=dword:00001a10
"Device"=dword:00001100
"Directory"=dword:00001110
"Event"=dword:00001120
"EventPair"=dword:00001130
"File"=dword:00001140
"IoCompletion"=dword:00001300
"Job"=dword:00001410
"Key"=dword:00001150
"MailSlot"=dword:00001140
"Mutant"=dword:00001160
"NamedPipe"=dword:00001140
"Port"=dword:00001170
"Process"=dword:00001180
"Profile"=dword:00001190
"Section"=dword:000011a0
"Semaphore"=dword:000011b0
"SymbolicLink"=dword:000011c0
"Thread"=dword:000011d0
"Timer"=dword:000011e0
"Token"=dword:000011f0
"Type"=dword:00001200
"WaitablePort"=dword:00001170
"WindowStation"=dword:00001a00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames]
"SAM_ALIAS"=dword:00001530
"SAM_DOMAIN"=dword:00001510
"SAM_GROUP"=dword:00001520
"SAM_SERVER"=dword:00001500
"SAM_USER"=dword:00001540
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames]
"Document"=dword:00001b20
"Printer"=dword:00001b10
"Server"=dword:00001b00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\DS]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\DS\ObjectNames]
"Directory Service Object"=dword:00001e00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames]
"PolicyObject"=dword:00001600
"SecretObject"=dword:00001610
"TrustedDomainObject"=dword:00001620
"UserAccountObject"=dword:00001630
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object\ObjectNames]
"DDE Share"=dword:00001d00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames]
"SC_MANAGER Object"=dword:00001c00
"SERVICE Object"=dword:00001c10
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Security]
"CategoryCount"=dword:00000009
"CategoryMessageFile"=str(2):"%SystemRoot%\System32\MsAuditE.dll"
"GuidMessageFile"=str(2):"%SystemRoot%\System32\NtMarta.dll"
"EventMessageFile"=str(2):"%SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll"
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
"TypesSupported"=dword:0000001c
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames]
"Channel"=dword:00001400
"Desktop"=dword:00001a10
"Device"=dword:00001100
"Directory"=dword:00001110
"Event"=dword:00001120
"EventPair"=dword:00001130
"File"=dword:00001140
"IoCompletion"=dword:00001300
"Job"=dword:00001410
"Key"=dword:00001150
"MailSlot"=dword:00001140
"Mutant"=dword:00001160
"NamedPipe"=dword:00001140
"Port"=dword:00001170
"Process"=dword:00001180
"Profile"=dword:00001190
"Section"=dword:000011a0
"Semaphore"=dword:000011b0
"SymbolicLink"=dword:000011c0
"Thread"=dword:000011d0
"Timer"=dword:000011e0
"Token"=dword:000011f0
"Type"=dword:00001200
"WaitablePort"=dword:00001170
"WindowStation"=dword:00001a00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames]
"SAM_ALIAS"=dword:00001530
"SAM_DOMAIN"=dword:00001510
"SAM_GROUP"=dword:00001520
"SAM_SERVER"=dword:00001500
"SAM_USER"=dword:00001540
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler]
"ParameterMessageFile"=str(2):"%SystemRoot%\System32\MsObjs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames]
"Document"=dword:00001b20
"Printer"=dword:00001b10
"Server"=dword:00001b00
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 26 Apr 1997 220 A..H. --- "C:\Program Files\Artcopy83\prt2.reg"
Wed 15 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 11 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Fri 4 Apr 2008 154,112 ...H. --- "C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 9 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch10\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch11\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch12\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch13\lock.tmp"
Wed 9 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 9 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 29 Mar 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch8\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch9\lock.tmp"
Sun 6 May 2007 2,070,513 A..H. --- "C:\Documents and Settings\Ted Carpenter\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\02ED3935(2)\BIT27F.tmp"
Finished!
Deckard's System Scanner v20071014.68
Run by Ted Carpenter on 2008-05-09 22:41:52
Computer is in Normal Mode.
-- HijackThis (run as Ted Carpenter.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:39 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACMIC\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\DriveHQRepository4.00.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\DrivehqBackup.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQClient.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQRepository2.32.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\advanced system optimizer\memtuneup.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Startup Faster 2004\sfAgent.exe
C:\Program Files\Brother\Brmfl04g\FAXRX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Textual\anagram\anagram.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ted Carpenter\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ted Carpenter.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\startuploader.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {08653405-44A9-4E99-9C09-DD00770AAA08} (Support Platform Strapper) - http://www.supportspace.com/rcp/6.0.633.5/SupportSpace_tools.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173982080017
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201048724890
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rimsupport.webex.com/client/T23L/support/ieatgpc.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DriveHQ Backup Service (drivehq backup service) - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ Online Backup 4.0\Backupservice.exe
O23 - Service: DriveHQ FileManagerFun (drivehq filemanagerfun) - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
--
End of file - 11647 bytes
-- File Associations
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R3 catchme - c:\docume~1\tedcar~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>
S3 usbfvneta (D-LINK DWL-120 WIRELESS USB ADAPTER) - c:\windows\system32\drivers\vnetusba.sys <Not Verified; ATMEL; USB Wireless Network Adapter>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 drivehq filemanagerfun - "c:\program files\drivehq\drivehq filemanager\dhqfmsvc.exe" <Not Verified; Drive Headquarter; Base Service>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" (file missing)
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
-- Device Manager: Disabled
No disabled devices found.
-- Scheduled Tasks
2008-05-09 21:40:10 440 --ah C:\WINDOWS\Tasks\User_Feed_Synchronization-{196E15B1-B491-4CE7-94A6-3DED57A04D9A}.job
2008-05-08 13:35:00 284 --a C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-04 05:28:00 274 --a C:\WINDOWS\Tasks\defrag.job
2007-05-14 13:35:13 402 --a C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
-- Files created between 2008-04-09 and 2008-05-09
2008-05-09 00:37:52 0 d C:\Program Files\Common Files\Macrovision Shared
2008-05-07 14:03:30 0 d C:\Program Files\QuoteEZ - PHP (AL)
2008-05-07 14:03:30 0 d C:\Program Files\Common
2008-04-29 17:02:03 0 d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 17:02:01 0 d C:\WINDOWS\system32\Kaspersky Lab
2008-04-26 11:54:00 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Malwarebytes
2008-04-26 11:53:55 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:44:05 0 d C:\symbols
2008-04-25 09:41:44 0 d C:\Program Files\Debugging Tools for Windows
2008-04-24 20:59:39 0 d C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-24 10:14:48 0 d--h C:\$AVG8.VAULT$
2008-04-24 09:28:14 0 d C:\WINDOWS\system32\drivers\Avg
2008-04-24 09:28:14 0 d C:\Documents and Settings\Ted Carpenter\Application Data\AVGTOOLBAR
2008-04-24 09:28:07 0 d C:\Program Files\AVG
2008-04-24 09:28:05 0 d C:\Documents and Settings\All Users\Application Data\avg8
2008-04-23 21:40:13 0 d C:\WINDOWS\ERUNT
2008-04-23 21:29:18 0 d C:\Program Files\Trend Micro
2008-04-23 20:59:36 0 d C:\Program Files\Panda Security
2008-04-23 20:12:36 0 d C:\WINDOWS\BDOSCAN8
2008-04-23 14:05:54 0 d C:\Documents and Settings\All Users\Application Data\xqhmzeje
2008-04-19 01:01:19 0 d C:\WINDOWS\system32\Lang
2008-04-19 01:00:53 0 d C:\Intel
2008-04-19 00:42:31 49152 --a C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-04-19 00:42:31 45056 n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-04-18 07:00:03 0 d C:\Documents and Settings\LocalService\Application Data\EmailCache
2008-04-18 01:43:32 0 d C:\Documents and Settings\LocalService\Application Data\DriveHQ
2008-04-15 12:07:33 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-15 12:07:29 0 d C:\Program Files\Audit Support Center
-- Find3M Report
2008-05-09 18:47:47 256 --a C:\WINDOWS\system32\pool.bin
2008-05-09 00:38:10 0 d C:\Program Files\Common Files\Adobe
2008-05-09 00:37:52 0 d C:\Program Files\Common Files
2008-05-09 00:09:32 0 d C:\Documents and Settings\Ted Carpenter\Application Data\AdobeUM
2008-05-08 13:39:29 0 d C:\Program Files\SpywareDetector
2008-04-24 01:19:19 0 d--h C:\Program Files\InstallShield Installation Information
2008-04-24 00:40:48 0 d C:\Program Files\Skype
2008-04-24 00:37:28 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 00:37:24 0 d C:\Program Files\Lavasoft
2008-04-23 20:01:10 0 d C:\Program Files\Spyware Doctor
2008-04-23 14:05:44 577536 --a C:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-19 00:42:31 0 d C:\Program Files\Analog Devices
2008-04-18 14:46:47 0 d C:\Documents and Settings\Ted Carpenter\Application Data\skypePM
2008-04-18 01:43:16 0 d C:\Program Files\DriveHQ
2008-04-17 07:42:31 0 d C:\Documents and Settings\Ted Carpenter\Application Data\EmailCache
2008-04-16 17:23:24 835584 --a C:\WINDOWS\system32\CheckDll.dll <Not Verified; Max Secure Software; Spyware Detector>
2008-04-15 07:54:32 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Intuit
2008-04-15 07:48:50 0 d C:\Program Files\TurboTax
2008-04-08 12:55:35 0 d C:\Program Files\Textual
2008-04-08 10:58:20 0 d C:\Program Files\SupportSpace
2008-04-07 00:50:24 0 d C:\Program Files\Broadcom
2008-04-06 14:13:55 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Textual
2008-04-06 14:13:50 5816 --a C:\WINDOWS\system32\casigmgr32s.dll
2008-04-02 15:46:09 0 d C:\Program Files\Common Files\Skype
2008-03-26 14:50:06 0 d C:\Program Files\Microsoft Money Plus
2008-03-17 01:38:23 0 d C:\Program Files\QuoteEz - CCP-AL
2008-03-17 01:30:53 0 d C:\Program Files\Common Files\aol
2008-03-17 01:06:36 0 d C:\Documents and Settings\Ted Carpenter\Application Data\PC Tools
2008-03-15 11:01:21 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Roxio
2008-03-13 16:41:51 0 d C:\Documents and Settings\Ted Carpenter\Application Data\Research In Motion
2008-03-13 12:19:45 0 d C:\Program Files\Roxio
2008-03-13 12:11:32 0 d C:\Program Files\Common Files\Sonic Shared
2008-03-13 12:10:09 0 d C:\Program Files\Common Files\Roxio Shared
2008-03-13 12:05:59 0 d C:\Program Files\Common Files\Research In Motion
2008-03-13 12:05:34 0 d C:\Program Files\Research In Motion
2008-03-09 19:27:42 0 d C:\Program Files\Samsung
2008-03-09 19:27:35 0 d C:\Program Files\DivX
2008-03-07 21:38:50 7005 --a C:\Program Files\Eula.txt
2008-03-07 21:38:49 72138 --a C:\Program Files\procexp.chm
2008-02-25 18:16:21 32125 --a C:\Documents and Settings\Ted Carpenter\Application Data\Comma Separated Values (Windows).ADR
2008-02-21 10:35:00 311296 --a C:\WINDOWS\system32\BCCIndvRateEngine.dll <Not Verified; Blue Cross Company; BCCIndvRate>
2008-02-20 19:41:54 38465 --a C:\Documents and Settings\Ted Carpenter\Application Data\Microsoft Excel.ADR
2008-02-12 20:00:08 65 --a C:\WINDOWS\system32\BD7820N.dat
2008-02-12 15:56:44 1040384 --a C:\WINDOWS\system32\UNISGProposalFlex.dll <Not Verified; Blue Cross of California; UNISGProposalFlex>
2008-02-12 01:20:19 0 --a C:\WINDOWS\brdfxspd.dat
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
04/24/2008 09:28 AM 2050816 --a C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [04/24/2008 09:28 AM 2050816]
[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster 2004\startuploader.exe" [01/29/2007 11:45 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 04/24/2008 08:56 AM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 05:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sdnotify]
C:\Program Files\SpywareDetector\SDNotify.dll 04/16/2008 05:04 PM 446464 C:\Program Files\SpywareDetector\SDNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\moneybackgoundbanking]
"C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"GoToAssist"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"bepprldr"=3 (0x3)
"ASFIPmon"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"aawservice"=2 (0x2)
"SupportSpaceHelperService"=2 (0x2)
"Avg7Alrt"=2 (0x2)
-- End of Deckard's System Scanner: finished at 2008-05-09 22:43:35
Extra logfile - please post this as an attachment with your post.
-- Security Center
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1174013888\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\AOL 9.0b\\waol.exe"="C:\\Program Files\\AOL 9.0b\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1199977869\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201119155\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe"="C:\\Program Files\\Common Files\\aol\\1201220244\\ee\\AOLDesktop.exe:*:Enabled:AOL Desktop"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
-- End of Deckard's System Scanner: finished at 2008-05-09 22:43:35
Go to Start > Run and type:
cmd.exe
and click OK. Copy and paste the string below after the prompt >
dir /s /a "c:\user32*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and, when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Volume Serial Number is 24F0-CF53
Directory of c:\Program Files\Debugging Tools for Windows\winext\manifest
12/05/2006 08:32 AM 130,274 user32.h
1 File(s) 130,274 bytes
Directory of c:\WINDOWS\$hf_mig$\KB890859\SP2QFE
03/02/2005 01:19 PM 577,024 user32.dll
1 File(s) 577,024 bytes
Directory of c:\WINDOWS\$hf_mig$\KB925902\SP2QFE
03/08/2007 10:48 AM 578,048 user32.dll
1 File(s) 578,048 bytes
Directory of c:\WINDOWS\$NtUninstallKB890859$
08/04/2004 06:00 AM 577,024 user32.dll
1 File(s) 577,024 bytes
Directory of c:\WINDOWS\$NtUninstallKB925902$
03/02/2005 01:09 PM 577,024 user32.dll
1 File(s) 577,024 bytes
Directory of c:\WINDOWS\system32
04/23/2008 02:05 PM 577,536 user32.dll
1 File(s) 577,536 bytes
Directory of c:\WINDOWS\system32\dllcache
04/23/2008 02:05 PM 577,536 user32.dll
1 File(s) 577,536 bytes
Total Files Listed:
7 File(s) 3,594,466 bytes
0 Dir(s) 118,744,752,128 bytes free
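The dir listing above answers "where are the copies of user32.dll?" but not "which one should I trust?". As an added example, not the helper's procedure and not code from DSS or any other tool in this thread, the script below parses a listing in that format together with DSS "Files created" / "Find3M" lines, picks out live copies that are newer than every hotfix backup or whose size matches no backup, and then looks for other filesystem events within a minute of the suspect's own timestamp. The sample text is constructed to mirror the listings posted here: the system32 copy and its dllcache twin are the only ones dated 2008-04-23, and the DSS log shows the random-named folder under All Users\Application Data created ten seconds after user32.dll was last written. Size and a matching dllcache copy are not proof either way, since an in-place patcher leaves the size unchanged and can refresh the cache copy too; the output is a list of what to hash and compare, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed excerpt in the format of `dir /s /a "c:\user32*.*"`, mirroring the
# listing posted in this thread (not captured from a live machine).
DIR_LISTING = r"""
Directory of c:\WINDOWS\$hf_mig$\KB890859\SP2QFE
03/02/2005  01:19 PM           577,024 user32.dll
Directory of c:\WINDOWS\$hf_mig$\KB925902\SP2QFE
03/08/2007  10:48 AM           578,048 user32.dll
Directory of c:\WINDOWS\$NtUninstallKB890859$
08/04/2004  06:00 AM           577,024 user32.dll
Directory of c:\WINDOWS\$NtUninstallKB925902$
03/02/2005  01:09 PM           577,024 user32.dll
Directory of c:\WINDOWS\system32
04/23/2008  02:05 PM           577,536 user32.dll
Directory of c:\WINDOWS\system32\dllcache
04/23/2008  02:05 PM           577,536 user32.dll
"""

# Constructed excerpt in the format of DSS "Files created" / "Find3M" lines.
DSS_LISTING = r"""
2008-04-24 10:14:48 0 d--h C:\$AVG8.VAULT$
2008-04-23 21:40:13 0 d C:\WINDOWS\ERUNT
2008-04-23 14:05:54 0 d C:\Documents and Settings\All Users\Application Data\xqhmzeje
2008-04-23 14:05:44 577536 --a C:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-04-19 00:42:31 49152 --a C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_ENTRY = re.compile(r"^\s*(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(.+?)\s*$")
DSS_ENTRY = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+?)(?:\s+<[^>]*>)?\s*$")
BACKUP_MARKERS = ("$hf_mig$", "$ntuninstall")   # hotfix install / uninstall stores


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    mtime: datetime   # minute resolution from dir, second resolution from DSS


def parse_dir_listing(text):
    records, folder = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            folder = header.group(1)
            continue
        entry = DIR_ENTRY.match(line)
        if entry and folder:
            date, clock, size, name = entry.groups()
            records.append(FileRecord(
                path=f"{folder}\\{name}",
                size=int(size.replace(",", "")),
                mtime=datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p"),
            ))
    return records


def parse_dss_listing(text):
    records = []
    for line in text.splitlines():
        entry = DSS_ENTRY.match(line)
        if entry:
            stamp, size, _attrs, path = entry.groups()
            records.append(FileRecord(path, int(size), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")))
    return records


def is_backup(path):
    return any(marker in path.lower() for marker in BACKUP_MARKERS)


def suspect_copies(records, name="user32.dll"):
    """Live copies newer than every hotfix backup, or whose size matches no backup.
    Either is a reason to hash the file, not proof of tampering: an in-place
    patcher keeps the size, and can refresh the dllcache twin as well."""
    copies = [r for r in records if r.path.lower().endswith("\\" + name)]
    backups = [r for r in copies if is_backup(r.path)]
    if not backups:
        return copies
    newest_backup = max(r.mtime for r in backups)
    backup_sizes = {r.size for r in backups}
    return [r for r in copies
            if not is_backup(r.path) and (r.mtime > newest_backup or r.size not in backup_sizes)]


def events_near(records, when, window=timedelta(seconds=60)):
    """Filesystem events within `window` of `when`, oldest first."""
    return sorted((r for r in records if abs(r.mtime - when) <= window), key=lambda r: r.mtime)


def correlate(dir_text, dss_text, name="user32.dll"):
    """Map each suspect copy to the other files created or changed within a minute of it."""
    dss_records = parse_dss_listing(dss_text)
    by_path = {r.path.lower(): r for r in dss_records}
    findings = {}
    for copy in suspect_copies(parse_dir_listing(dir_text), name):
        precise = by_path.get(copy.path.lower())       # prefer DSS's second-resolution stamp
        when = precise.mtime if precise else copy.mtime
        findings[copy.path] = [r.path for r in events_near(dss_records, when)
                               if r.path.lower() != copy.path.lower()]
    return findings


if __name__ == "__main__":
    for path, neighbours in correlate(DIR_LISTING, DSS_LISTING).items():
        print(path)
        for other in neighbours:
            print("    within 60 s:", other)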
To be sure of the patch job, go here, press New Topic, fill in the needed details and just give a link to your post back here. Then press the Browse button and navigate to and select the file on your computer:
c:\WINDOWS\system32\user32.dll
You DO NOT need to be a member to upload; anybody can upload the files. You will not be able to see the file once uploaded.
Then PM me an email address where I can send you a clean copy of that file. Note - this isn't an open invitation to PM for files, so others reviewing these steps please know I will likely just not read such requests.
Since SDFix located activities associated with Rustock, let's do a bit more in-depth checking here.
Click here and download RegDelNull.zip. Unzip the file and, when you have done this, read the EULA and then copy and paste RegDelNull.exe to your C folder (so it will then be C:\RegDelNull.exe).
Go again to Start - Run, type cmd (and OK). At the prompt copy and paste the below commands (hit Enter after each line).
cd\
regdelnull hkcu -s
(be sure to place a space after hkcu)
Your registry will be scanned and, if any null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter to let the scan continue until it has finished.
Repeat those steps using the following entry at the prompt:
regdelnull hklm -s
(be sure to place a space after hklm)
Again your registry will be scanned and, if any null entries are found, the scan will stop and you will be asked to confirm deletion. For now, type n and hit Enter to let the scan continue until it has finished.
When it has finished, click on the icon in the top left-hand corner of the Command Prompt and choose Edit > Select All and then Edit > Copy. Right-click on your Desktop and create a text file. Open it and position your mouse inside the file, right-click again and choose Paste. Save the file and post the contents here please.
Download gmer.zip from here. Once downloaded, double-click on gmer.zip and unzip the file to its own folder.
When you have done this, double-click on Gmer.exe to run it.
Under the Rootkit/Malware tab, look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive, then click on Scan (before scanning, make sure all other running programs are closed and that no other actions, like a scheduled antivirus scan, will occur while this scan completes. Also, do not use your computer during the scan).
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
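A GMER "User code sections" line means the first bytes of an exported function have been overwritten with a JMP somewhere else; whether that matters depends on where the JMP lands. As an added example (not GMER's code, and not part of this thread), the script below parses lines in that format, reconstructs the five-byte E9 rel32 instruction a scanner would find at the export, and gives each hook a verdict: a JMP into a module that is expected to detour that process (IEFRAME.dll inside iexplore.exe, as in the log posted later in this thread) is treated as expected, anything else is flagged for review, and a JMP whose target has no backing module at all is treated as suspicious, since that is what a user-mode rootkit's injected code looks like. The sample lines are constructed in GMER 1.0.14's output format: the two IEFRAME lines mirror the posted log, the Explorer/ntdll line is hypothetical. The EXPECTED_HOOKERS table is an assumption for the example; GMER takes the vendor string from the file's version resource, which is not a signature, so confirm any "expected" hook with a signature check before trusting it.

```python
import ntpath
import re
import struct

# Constructed sample in GMER 1.0.14's "User code sections" format. The two IEFRAME
# lines mirror the log posted in this thread; the Explorer line is hypothetical,
# included to show a hook whose target is not backed by any module.
SAMPLE = r"""
.text  C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes  JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes  JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!NtQueryDirectoryFile 7C90D76C 5 Bytes  JMP 00A7F2B0
"""

HOOK_LINE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_mod>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Modules that legitimately detour USER32 in a given process, keyed by the vendor
# string GMER prints. Assumption for this example; the string comes from the file's
# version resource, not from a signature, so verify with a signature check.
EXPECTED_HOOKERS = {"iexplore.exe": {"IEFRAME.dll": "Microsoft Corporation"}}


def encode_jmp(at, target):
    """Bytes a hook writes at `at` to reach `target`: E9 plus a 32-bit relative displacement."""
    rel = (target - (at + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def decode_jmp(at, code):
    """Destination of an E9 rel32 JMP located at `at`, or None if the bytes are not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", code[1:5])
    return (at + 5 + rel) & 0xFFFFFFFF


def parse_gmer(text):
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.match(line)
        if m:
            hook = m.groupdict()
            hook["addr"] = int(hook["addr"], 16)
            hook["target"] = int(hook["target"], 16)
            hooks.append(hook)
    return hooks


def verdict(hook):
    if not hook["target_mod"]:
        return "suspicious: JMP into memory with no backing module"
    proc = ntpath.basename(hook["proc"]).lower()
    mod = ntpath.basename(hook["target_mod"])
    vendor = (hook["desc"] or "").rsplit("/", 1)[-1]
    if EXPECTED_HOOKERS.get(proc, {}).get(mod) == vendor:
        return "expected"
    return f"review: {mod} ({vendor}) is not an expected hooker of {proc}"


def triage(text):
    """(symbol, target, verdict, hex of the patch bytes at the export) for each hook line."""
    rows = []
    for hook in parse_gmer(text):
        patch = encode_jmp(hook["addr"], hook["target"])
        assert decode_jmp(hook["addr"], patch) == hook["target"]   # round-trip sanity check
        rows.append((f'{hook["module"]}!{hook["func"]}', hook["target"], verdict(hook), patch.hex()))
    return rows


if __name__ == "__main__":
    for symbol, target, result, patch in triage(SAMPLE):
        print(f"{symbol:<32} -> {target:08X}  bytes at export: {patch}  {result}")
```

The patch bytes are the same thing GMER compares against: it reads the first bytes of each export in the live process and reports the line when they decode to a jump out of the module, so a hook that uses a different instruction form (a PUSH/RET pair, for instance) needs a decoder of its own.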
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Ted Carpenter>cd\
C:\>regdelnull hkcu -s
RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Scan complete.
C:\>regdelnull hklm -s
RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Scan complete.
C:\>
Rootkit scan 2008-05-10 20:53:01
Windows 5.1.2600 Service Pack 2
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
---- Files - GMER 1.0.14 ----
---- EOF - GMER 1.0.14 ----
The file upload was received, thanks. You posted your email address in the open upload thread. Spambots harvest these, so it is not good to post them in open forums. Just PM me an email address (click my user name in this post).
The User32.dll file has been patched with a small but significant string change:
(User32.dll no modifications)
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
(User32.dll uploaded here)
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
typInit_DLLs <---malware change
So once we get the good copy to you we can swap it out for the bad copies there.
Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) typInit in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please.
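As an added defender-side check (not the helper's tool or method above), this script searches a copy of user32.dll for the UTF-16LE value-name string and reports whether AppInit_DLLs has been renamed, as in the typInit_DLLs change shown above; the sample byte strings are constructed, not taken from the thread.

```python
"""Detect the AppInit_DLLs value-name rename in a copy of user32.dll (added example).

user32.dll stores the registry value name it reads as a UTF-16LE string; a patched
copy reads a different name (e.g. typInit_DLLs), so tools checking AppInit_DLLs see nothing.
"""
import re
import sys

# Value names Windows itself uses under ...\Windows NT\CurrentVersion\Windows
KNOWN_NAMES = {"AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs"}

# Any run of ASCII letters ending in "Init_DLLs", encoded as UTF-16LE.
INIT_DLLS_RE = re.compile(rb"(?:[A-Za-z]\x00)+I\x00n\x00i\x00t\x00_\x00D\x00L\x00L\x00s\x00")


def find_init_dll_strings(data: bytes) -> list[str]:
    """Return every *Init_DLLs value name embedded in the image, in file order."""
    return [m.group(0).decode("utf-16-le") for m in INIT_DLLS_RE.finditer(data)]


def check_user32(data: bytes) -> dict:
    """Classify the image and list unknown names worth searching the registry for."""
    found = find_init_dll_strings(data)
    unknown = sorted({s for s in found if s not in KNOWN_NAMES})
    has_expected = "AppInit_DLLs" in found
    if has_expected and not unknown:
        verdict = "clean"
    elif not has_expected and unknown:
        verdict = "patched"        # the name the DLL reads was replaced
    elif has_expected:
        verdict = "suspicious"     # original intact but an extra name is present
    else:
        verdict = "no-string"      # not a user32.dll image, or an unusual build
    return {"verdict": verdict, "found": found, "unknown": unknown}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_user32(f.read())


# Constructed sample images (not real user32.dll bytes): a DOS header stub
# followed by null-terminated UTF-16LE value-name strings.
def _image(*names: str) -> bytes:
    return b"MZ\x90\x00" + b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)

CLEAN_SAMPLE = _image("AppInit_DLLs", "LoadAppInit_DLLs")
PATCHED_SAMPLE = _image("typInit_DLLs", "LoadAppInit_DLLs")  # mirrors the change in the thread

if __name__ == "__main__":
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_user32(PATCHED_SAMPLE)
    print(result["verdict"], "unknown names:", result["unknown"])
```

Run it against a copy of user32.dll taken from the machine; any name listed under "unknown" is the value to look for under the Windows key, the same way the Registry Search Tool step above searches for typInit.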