[Resolved] Problem with heltaya_hernya


This topic is locked
12 replies to this topic

#1 ziachuck
New Member, 6 posts

Posted 27 January 2008 - 11:46 AM

I got a virus or spyware or something from clicking an ActiveX control the other day. It keeps popping up spyware warnings and redirecting my homepage. It also keeps laying a page over my wallpaper with a big trojan virus graphic, and my machine is running at a snail's pace. I have tried to hunt things down with Spybot and a few other programs to no avail, so here is my HijackThis log. PLEASE HELP!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:02 AM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - C:\WINDOWS\dpvtporsot.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: The elfwgps - {3728161D-8A68-4F3F-A8E1-96A4F9C93DB8} - C:\WINDOWS\elfwgps.dll (file missing)
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.3/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O21 - SSODL: bqxomdo - {6F5F66A6-D5EA-4EE9-BBB3-EC395ADFC80C} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {05E77FEE-B889-46E8-8724-9BD208BF6F23} - C:\WINDOWS\aswmklt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 8653 bytes



#2 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts. Interests: Woodworking

Posted 27 January 2008 - 12:15 PM

Hello ziachuck, and welcome to the What the Tech Forums.

My name is Trevuren and I will be helping you with your problem.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#3 ziachuck
New Member, 6 posts

Posted 27 January 2008 - 03:54 PM

I appreciate your help with this.

Here are the two log files.

SDFix: Version 1.131

Run by Charlie Mitchell on Sun 01/27/2008 at 03:39 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\CHARLI~1\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\aswmklt.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\dpvtporsot.dll - Deleted
C:\WINDOWS\fvqkfsp.exe - Deleted
C:\WINDOWS\search_res.txt - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 15:47:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Charlie Mitchell\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Charlie Mitchell\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\CHARLI~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 10 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 15 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 15 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:40 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.3/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8283 bytes
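The two HijackThis logs above (before and after SDFix) are easiest to compare entry by entry rather than by eye. The following is an added example, not code from the forum, from SDFix or from HijackThis: it parses the R/O entry lines of a HijackThis log, diffs a "before" and an "after" log, and separately flags entries that still point at a deleted file ("(file missing)" / "(no file)"), since a cleanup tool that deletes a DLL can leave its BHO, toolbar or SSODL registration behind. The sample logs embedded below are a constructed subset of lines copied from the two logs in this thread; the entry names, regex and function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# One HijackThis entry: a section tag (R0, O2, O21, ...) followed by " - " and the rest.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# A registered CLSID such as {32A3489E-5C5A-42CA-8DBB-0EE46C55F013}; case-insensitive hex.
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def orphaned(self) -> bool:
        """True when HijackThis reports the registered file as absent from disk."""
        return "(file missing)" in self.body or "(no file)" in self.body

    @property
    def clsid(self):
        m = CLSID.search(self.body)
        return m.group(0).upper() if m else None


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R/O entry lines; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_hjt(before: str, after: str) -> dict:
    """Diff two logs and flag registrations whose file was deleted but whose key remains."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_set, a_set = set(b), set(a)
    removed = [e for e in b if e not in a_set]
    added = [e for e in a if e not in b_set]
    orphaned = [e for e in a if e.orphaned]
    # CLSIDs that pointed at a present file before and at nothing now: the
    # cleanup deleted the DLL but left the BHO/toolbar/SSODL registration.
    live_before = {e.clsid for e in b if e.clsid and not e.orphaned}
    stale = [e for e in a if e.orphaned and e.clsid in live_before]
    return {"removed": removed, "added": added, "orphaned": orphaned, "stale_registration": stale}


# Constructed sample: a subset of the first (pre-SDFix) log in this thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - C:\WINDOWS\dpvtporsot.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: The elfwgps - {3728161D-8A68-4F3F-A8E1-96A4F9C93DB8} - C:\WINDOWS\elfwgps.dll (file missing)
O21 - SSODL: bqxomdo - {6F5F66A6-D5EA-4EE9-BBB3-EC395ADFC80C} - C:\WINDOWS\bqxomdo.dll (file missing)
O21 - SSODL: aswmklt - {05E77FEE-B889-46E8-8724-9BD208BF6F23} - C:\WINDOWS\aswmklt.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Constructed sample: the matching subset of the second (post-SDFix) log.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
"""


def report(d: dict) -> str:
    lines = []
    for label in ("removed", "added", "orphaned", "stale_registration"):
        lines.append(f"== {label} ({len(d[label])}) ==")
        lines.extend(f"{e.section} - {e.body}" for e in d[label])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diff_hjt(BEFORE_LOG, AFTER_LOG)))
```

Run against the two full logs, the "removed" list is what SDFix cleaned (the O3 toolbar, both O21 SSODL entries, the O24 desktop component and the SXG Advisor BHO), while "stale_registration" shows the one BHO CLSID whose DLL is gone but whose registry entry survived; those orphaned entries are the ones a helper typically has the user fix in HijackThis afterwards.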

#4 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts. Interests: Woodworking

Posted 27 January 2008 - 07:07 PM

Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • An additional text file, Extra.txt, will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
  • Please go to that FOLDER and also copy the contents of Extra.txt to your post as well.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What DSS will do:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.

Post Logs:
  • DSS Scan Results: contents of 1) Main.txt and 2) Extra.txt


#5 ziachuck
New Member, 6 posts

Posted 27 January 2008 - 08:37 PM

Thanks again, Trevuren.

Things seem to be running better already.

Here are the logs.

Deckard's System Scanner v20071014.68
Run by Charlie Mitchell on 2008-01-27 20:32:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-01-28 02:32:12 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-01-27 06:48:56 UTC - RP3 - System Checkpoint
2: 2008-01-26 05:40:38 UTC - RP2 - ComboFix created restore point
1: 2008-01-26 05:39:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Charlie Mitchell.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:24 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Charlie Mitchell\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Charlie Mitchell.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.3/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7776 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ANVIOCTL - c:\windows\system32\drivers\anvioctl.sys <Not Verified; ASUSTeK; ASUS VGA Driver for Windows 2000/XP>
R1 asuskbnt - c:\windows\system32\drivers\asuskbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Hot-Key filter driver.>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 SISNIC (SiS PCI Fast Ethernet Adapter Driver) - c:\windows\system32\drivers\sisnic.sys <Not Verified; SiS Corporation; NDIS 5.1 NIC Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 61883 (61883 Unit Device) - c:\windows\system32\drivers\61883.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 Avc (AVC Device) - c:\windows\system32\drivers\avc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 catchme - c:\docume~1\charli~1\locals~1\temp\catchme.sys (file missing)
S3 MSDV (Microsoft DV Camera and VCR) - c:\windows\system32\drivers\msdv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 psa64s - c:\windows\system32\drivers\psa64s.sys (file missing)
S3 psa64u (Nike psa[64 Player Control Driver) - c:\windows\system32\drivers\psa64u.sys (file missing)
S3 SiS7012 (Service for AC'97 Sample Driver (WDM)) - c:\windows\system32\drivers\sis7012.sys <Not Verified; Silicon Integrated Systems Corporation; SiS 7012 Audio Device WDM Driver>
S3 usbcm (USB Cable Modem 351000 NDIS Driver) - c:\windows\system32\drivers\usbcm.sys <Not Verified; Microsystems Corp; USBCM 351000>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 Automatic LiveUpdate Scheduler - "c:\program files\symantec\liveupdate\aluschedulersvc.exe" (file missing)
S3 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-23 08:20:01 284 --a----c- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-27 and 2008-01-27 -----------------------------

2008-01-27 15:30:59 0 d------c- C:\WINDOWS\ERUNT
2008-01-25 23:19:09 0 d------c- C:\Program Files\Trend Micro
2008-01-25 21:53:25 0 d------c- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-25 21:29:32 0 d------c- C:\WINDOWS\pss
2008-01-25 01:31:05 0 d------c- C:\Documents and Settings\Charlie Mitchell\.housecall6.6
2008-01-24 23:58:18 0 d------c- C:\Program Files\Acceleration Software
2008-01-24 23:47:28 0 d------c- C:\Program Files\HighMAT CD Writing Wizard
2008-01-24 00:18:27 0 d------c- C:\Program Files\MediaEntertainmentCodec
2008-01-16 22:56:13 0 d------c- C:\Program Files\iPod
2008-01-16 22:56:00 0 d------c- C:\Program Files\iTunes
2008-01-16 22:55:44 0 d------c- C:\Program Files\Bonjour
2008-01-16 22:55:01 0 d------c- C:\Program Files\QuickTime
2008-01-16 22:53:27 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-01-16 22:53:13 0 d------c- C:\Program Files\Common Files\Apple
2008-01-16 22:53:12 0 d------c- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-01-24 23:57:52 0 d------c- C:\Program Files\Common Files
2008-01-18 00:53:24 0 d------c- C:\Documents and Settings\Charlie Mitchell\Application Data\LimeWire
2008-01-16 22:53:46 0 d------c- C:\Program Files\Apple Software Update
2007-12-20 17:51:51 0 d------c- C:\Program Files\PokerStars
2007-12-15 23:16:56 0 d------c- C:\Program Files\Windows Media Connect 2
2007-12-15 23:05:37 0 d------c- C:\Documents and Settings\Charlie Mitchell\Application Data\Sony Corporation
2007-12-15 23:02:17 0 d------c- C:\Program Files\Sony
2007-12-15 23:01:32 0 d------c- C:\Program Files\Common Files\InstallShield
2007-12-02 00:57:48 0 d------c- C:\Documents and Settings\Charlie Mitchell\Application Data\Google
2007-12-02 00:57:15 0 d------c- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32A3489E-5C5A-42CA-8DBB-0EE46C55F013}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/16/2004 11:07 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [11/26/2007 11:40 AM]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" []
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [04/25/2002 06:06 PM]
"SBI"="C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe" []
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"nwiz"="nwiz.exe" [05/02/2003 01:19 AM C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [05/02/2003 01:19 AM]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [07/09/2001 04:50 AM]
"LiveNote"="livenote.exe" [07/11/2002 07:31 AM C:\WINDOWS\livenote.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [06/26/2003 06:30 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/23/2005 11:08 PM]
"anvshell"="anvshell.exe" [05/29/2003 01:53 AM C:\WINDOWS\anvshell.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

C:\Documents and Settings\Charlie Mitchell\PrintHood\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [12/15/2007 11:02:28 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/12/2003 11:20:14 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/23/2005 11:28:44 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [11/4/2005 3:04:48 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [3/21/1999 7:00:00 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-01-27 20:33:53 ------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:59 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.3/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7817 bytes


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 511.53 MiB / 308.17 MiB
Pagefile Memory (total/avail): 1247.66 MiB / 1043.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.87 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 60.84 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JB-00ETA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: StopSign Antivirus FREE TRIAL diagnostic version v1.0.0.1 (eAcceleration Corp) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Charlie Mitchell\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Charlie Mitchell\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Charlie Mitchell\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PIGGETYPIG
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Charlie Mitchell
LOGONSERVER=\\PIGGETYPIG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp
USERDOMAIN=PIGGETYPIG
USERNAME=Charlie Mitchell
USERPROFILE=C:\Documents and Settings\Charlie Mitchell
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

customer (admin)
Charlie Mitchell (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\eAcceleration\Station\station.exe" /UnRegister
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Groove Playback Engine --> RunDll32 C:\WINDOWS\DOWNLO~1\GrooveAX.dll,_RemoveGroove@16
Ad-aware 6 Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Illustrator 10 --> "C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\setup.exe"
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Ahead InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASUS Display Drivers --> C:\WINDOWS\anvunis.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Disney's Toontown Online --> C:\PROGRA~1\Disney\DISNEY~1\Toontown\UNWISE.EXE /A C:\PROGRA~1\Disney\DISNEY~1\Toontown\INSTALL.LOG
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 6900 series --> C:\Program Files\HP\Digital Imaging\{7ADE9F27-A175-447F-A4B4-B05FA82735E1}\setup\hpzscr01.exe -datfile hpfscr09.dat
HP Imaging Device Functions 6.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0007_29eb7\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LimeWire 4.12.15 --> "C:\Program Files\LimeWire\uninstall.exe"
Media Entertainment Codec v1.6 --> C:\Program Files\MediaEntertainmentCodec\Uninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Charlie Mitchell\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Charlie Mitchell\Application Data\Move Networks\ie_bin\unins000.exe"
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SiS Audio Driver --> C:\Progra~1\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7191 / Error
Event Submitted/Written: 01/26/2008 05:40:29 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 632538889.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type7190 / Error
Event Submitted/Written: 01/26/2008 05:40:19 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16574, faulting module dpvtporsot.dll, version 0.0.0.0, fault address 0x000014a2.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type7189 / Error
Event Submitted/Written: 01/26/2008 05:26:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16574, faulting module dpvtporsot.dll, version 0.0.0.0, fault address 0x000014a2.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type7182 / Error
Event Submitted/Written: 01/26/2008 01:07:10 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16574, faulting module dpvtporsot.dll, version 0.0.0.0, fault address 0x00004587.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type7174 / Error
Event Submitted/Written: 01/25/2008 11:33:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.1.15, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37164 / Error
Event Submitted/Written: 01/27/2008 03:58:03 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type37142 / Error
Event Submitted/Written: 01/27/2008 03:47:15 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
%%3

Event Record #/Type37139 / Error
Event Submitted/Written: 01/27/2008 03:31:19 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
ANVIOCTL
asuskbnt
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type37138 / Error
Event Submitted/Written: 01/27/2008 03:31:19 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type37137 / Error
Event Submitted/Written: 01/27/2008 03:31:19 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-01-27 20:33:53 ------------

You're a lifesaver.

Thanks, friend.
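
An added triage script, not part of the original posts and not a HijackThis or What the Tech tool: it reads O2/O4/O23 lines of the kind shown in the logs above and flags the patterns an analyst checks first (an autostart launched out of the browser cache or a temp directory, a bare filename in a Run key that is resolved through the search path, a BHO or service whose file is gone, a service with no publisher information). The flagging rules are this example's own heuristics, and SAMPLE_LOG is constructed to mirror the shapes of the lines in the posted log, with the user profile path genericised. Python 3.8 or later.

```python
"""Quick triage of HijackThis O2 / O4 / O23 lines.

Added example for this thread: it is not part of the original posts and is
not a HijackThis or What the Tech tool. The flagging rules are this example's
own heuristics, and SAMPLE_LOG is constructed to mirror the shapes of the
lines in the posted log (the user profile path is genericised).
"""
import re
from dataclasses import dataclass, field

# Directories from which a legitimate autostart entry essentially never runs.
SUSPICIOUS_DIRS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def extract_path(cmd):
    """Pull the launched file out of an O4 command string.

    Handles quoted paths with trailing switches, Rundll32 targets (a DLL path
    followed by ,EntryPoint) and bare names such as 'nwiz.exe /install'.
    """
    cmd = cmd.strip()
    first, _, rest = cmd.partition(" ")
    if first.strip('"').lower() in ("rundll32.exe", "rundll32"):
        cmd = rest.split(",", 1)[0].strip()      # drop the ,EntryPoint suffix
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path, possibly with spaces, ending in a known binary extension
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line):
    """Return a Finding for one log line, or None when nothing stands out."""
    reasons = []
    if m := O4_RE.match(line):
        path = extract_path(m.group("cmd"))
        low = path.lower()
        if not path:
            reasons.append("Run value with no command")
        elif any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("autostart from a browser cache or temp directory")
        elif "\\" not in path:
            reasons.append("bare filename, resolved through the search path at logon")
    elif m := O2_RE.match(line):
        if "(no file)" in m.group("path") or "(file missing)" in m.group("path"):
            reasons.append("BHO CLSID registered but its DLL is missing")
        if m.group("name") == "(no name)":
            reasons.append("BHO with no registered name")
    elif m := O23_RE.match(line):
        if "(file missing)" in m.group("path"):
            reasons.append("service registered but its binary is missing")
        if m.group("owner") == "Unknown owner":
            reasons.append("service binary carries no publisher information")
    return Finding(line, reasons) if reasons else None


def triage(lines):
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


# Constructed sample, shaped like the posted HijackThis log (profile path genericised).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)",
    r"O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)",
    r"O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe",
    r'O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it as-is to see the five hits in the sample, or feed `triage()` the lines of a saved hijackthis.log. A hit is a lead, not a verdict: an autostart under Temporary Internet Files is almost always something a web page dropped, but a "(file missing)" service is just as often a leftover from a bad uninstall, so each flagged line still needs the file's publisher and origin checked before it is removed.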

#6 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 27 January 2008 - 09:15 PM

It appears as if you may also have been the victim of a trojan file infector which either partially disables startup programs or renders them totally inoperable. We will have to run another tool to ascertain the damage and see if some of these programs may be repaired without having to reinstall them.

Delete any existing version of ComboFix you have sitting on your desktop

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection afterwards, before connecting to the net.
--------------------------------------------------------------------
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****


Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#7 ziachuck

ziachuck

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 January 2008 - 10:35 PM

I wish I had your knowledge.

Here are the two logs:

ComboFix 08-01-23.1C - Charlie Mitchell 2008-01-27 22:30:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.285 [GMT -6:00]
Running from: C:\Documents and Settings\Charlie Mitchell\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 20:31 . 2008-01-27 20:31 <DIR> d----c--- C:\Deckard
2008-01-27 15:30 . 2008-01-27 15:31 <DIR> d----c--- C:\WINDOWS\ERUNT
2008-01-25 23:37 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\Nircmd.exe
2008-01-25 23:28 . 2008-01-26 00:57 229 --a--c--- C:\WINDOWS\wininit.ini
2008-01-25 23:19 . 2008-01-25 23:19 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-25 01:33 . 2008-01-25 01:31 102,664 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-24 23:58 . 2008-01-26 00:57 <DIR> d----c--- C:\Program Files\Acceleration Software
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d----c--- C:\Program Files\HighMAT CD Writing Wizard
2008-01-24 00:32 . 2001-03-08 18:30 24,064 --a--c--- C:\WINDOWS\system32\msxml3a.dll
2008-01-24 00:18 . 2008-01-24 00:18 <DIR> d----c--- C:\Program Files\MediaEntertainmentCodec
2008-01-16 22:57 . 2008-01-27 15:59 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-16 22:57 . 2008-01-16 22:57 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-01-16 22:56 . 2008-01-16 22:56 <DIR> d----c--- C:\Program Files\iTunes
2008-01-16 22:56 . 2008-01-16 22:56 <DIR> d----c--- C:\Program Files\iPod
2008-01-16 22:55 . 2008-01-16 22:55 <DIR> d----c--- C:\Program Files\QuickTime
2008-01-16 22:55 . 2008-01-16 22:55 <DIR> d----c--- C:\Program Files\Bonjour
2008-01-16 22:53 . 2008-01-16 22:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 22:53 . 2008-01-16 22:53 <DIR> d----c--- C:\Program Files\Common Files\Apple
2008-01-16 22:53 . 2008-01-15 02:39 30,464 --a--c--- C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a--c--- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a--c--- C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 04:53 --------- dc----w C:\Program Files\Apple Software Update
2007-12-20 23:51 --------- dc----w C:\Program Files\PokerStars
2007-12-16 05:16 --------- dc----w C:\Program Files\Windows Media Connect 2
2007-12-16 05:02 --------- dc----w C:\Program Files\Sony
2007-12-16 05:01 --------- dc----w C:\Program Files\Common Files\InstallShield
2007-12-02 06:57 --------- dc----w C:\Program Files\Google
2007-11-07 09:26 721,920 -c--a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_23.48.08.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-24 15:01:35 163,328 -c--a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-27 21:31:30 5,345,280 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:31:30 163,840 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-24 15:01:35 163,328 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-27 21:31:15 5,345,280 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:31:15 163,840 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32A3489E-5C5A-42CA-8DBB-0EE46C55F013}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-16 11:07 176173]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-11-26 11:40 149152]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [ ]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [ ]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 18:06 32768]
"SBI"="C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe" [ ]
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"nwiz"="nwiz.exe" [2003-05-02 01:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 01:19 4640768]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 04:50 155648]
"LiveNote"="livenote.exe" [2002-07-11 07:31 40960 C:\WINDOWS\livenote.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-06-26 18:30 1101874]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-23 23:08 49152]
"anvshell"="anvshell.exe" [2003-05-29 01:53 348160 C:\WINDOWS\anvshell.exe]

C:\Documents and Settings\Charlie Mitchell\PrintHood\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-15 23:02:28 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-12 11:20:14 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-23 23:28:44 282624]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 19:00:00 65588]

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2003-05-19 02:12]
S3 psa64s;psa64s;C:\WINDOWS\system32\DRIVERS\psa64s.sys []
S3 psa64u;Nike psa[64 Player Control Driver;C:\WINDOWS\system32\Drivers\psa64u.sys []
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-06-17 04:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 14:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 22:32:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 22:32:56
ComboFix-quarantined-files.txt 2008-01-28 04:32:41
ComboFix2.txt 2008-01-26 06:12:30
ComboFix3.txt 2008-01-26 05:48:34
.
2008-01-10 05:24:21 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:56 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.3/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7770 bytes


Thanks again

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 January 2008 - 09:27 AM

Unfortunately, some of your startup programs have either been damaged or rendered inoperable by what I presume to be a file infector. We still need to clean up your logs, then replace some programs.


A. I see that you have a program called PokerStars on your machine. It is recommended that you UNINSTALL this program through the Add/Remove Programs module in your Control Panel. I have included the removal of its folder in my script. If further justification is required for this removal, please see the following:

http://www.bleepingc...tall/Cat-P.html


B.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\msxml3a.dll

Folder::
C:\Program Files\PokerStars

Driver::
psa64s
psa64u

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32A3489E-5C5A-42CA-8DBB-0EE46C55F013}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StopSignSsSsMon"=-
"SoftwareStation"=-
"SBI"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by Trevuren, 28 January 2008 - 09:28 AM.

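As an added example, not part of this thread nor of HijackThis or ComboFix, the small Python triage script below applies the same reasoning the fix script above embodies to the log lines from post #7: it flags BHOs whose DLL is absent, Run entries whose program lives in the browser cache, services with a missing binary, and ComboFix Run-key lines with an empty "[ ]" (no file behind the value). The sample lines are copied from the logs posted above; the flagging rules are my own and are a starting point for review, not a verdict.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in this thread, with clean
# lines (Adobe BHO, Java scheduler, Bonjour) kept for contrast.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32A3489E-5C5A-42CA-8DBB-0EE46C55F013} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

# Lines copied from the ComboFix "Reg Loading Points" section of the same
# post. An empty "[ ]" means ComboFix found no file behind the Run value.
CF_SAMPLE = r"""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [ ]
"SBI"="C:\Documents and Settings\Charlie Mitchell\Local Settings\Temporary Internet Files\Content.IE5\6FHXU80X\install_sbd_en[1].exe" [ ]
"nwiz"="nwiz.exe" [2003-05-02 01:19 323584 C:\WINDOWS\system32\nwiz.exe]
""".strip()


@dataclass
class Finding:
    source: str   # "HJT" or "ComboFix"
    name: str     # BHO name, Run value name or service name
    reason: str


# The three HijackThis line types the helper's CFScript acts on.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# ComboFix Run-key lines:  "name"="path" [date time size]   or   "name"="path" [ ]
CF_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[(?P<info>[^\]]*)\]$')

# Folders from which a legitimate autorun entry should never be launched
# (my own list; extend it for your environment).
TEMP_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


def launched_from_temp(cmd: str) -> bool:
    """True if the autorun command's program path sits in a browser cache or temp folder."""
    return any(marker in cmd.lower() for marker in TEMP_MARKERS)


def triage_hjt(log: str) -> list[Finding]:
    """Flag HijackThis O2/O4/O23 lines that deserve a closer look."""
    findings: list[Finding] = []
    for line in log.splitlines():
        if m := BHO_RE.match(line):
            if m["path"] == "(no file)" or m["path"].endswith("(file missing)"):
                findings.append(Finding("HJT", m["name"], "BHO registered but its DLL is absent (orphan or half-removed add-on)"))
        elif m := RUN_RE.match(line):
            if launched_from_temp(m["cmd"]):
                findings.append(Finding("HJT", m["name"], "autorun launches a file from the browser cache or a temp folder"))
        elif m := SVC_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("HJT", m["name"], "service registered but its binary is missing (it will fail to start)"))
    return findings


def triage_combofix_runkeys(log: str) -> list[Finding]:
    """Flag ComboFix Run-key lines whose bracket is empty, i.e. no file was found."""
    findings: list[Finding] = []
    for line in log.splitlines():
        m = CF_RE.match(line)
        if m and not m["info"].strip():
            findings.append(Finding("ComboFix", m["name"], "Run value points at a file ComboFix could not find"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_combofix_runkeys(CF_SAMPLE):
        print(f"[{f.source}] {f.name}: {f.reason}")
```

Entries flagged this way are candidates for review; the helper's script above removes some of them and deliberately leaves others (the "webscan" value, for instance) alone.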

#9 ziachuck

ziachuck

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 28 January 2008 - 08:09 PM

I have been at work all day, so I am just now getting to this.

Here are the logs: :woot:

ComboFix 08-01-23.1C - Charlie Mitchell 2008-01-28 19:54:38.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.309 [GMT -6:00]
Running from: C:\Documents and Settings\Charlie Mitchell\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charlie Mitchell\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\msxml3a.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PokerStars
C:\Program Files\PokerStars\ImgCache\0029B510.psi
C:\Program Files\PokerStars\ImgCache\0029D5E7.psi
C:\Program Files\PokerStars\ImgCache\0029F7D8.psi
C:\Program Files\PokerStars\ImgCache\002A30DE.psi
C:\Program Files\PokerStars\ImgCache\002A621C.psi
C:\Program Files\PokerStars\ImgCache\002AFF4B.psi
C:\Program Files\PokerStars\ImgCache\002B8366.psi
C:\Program Files\PokerStars\ImgCache\002BB0CF.psi
C:\Program Files\PokerStars\ImgCache\002BD164.psi
C:\Program Files\PokerStars\ImgCache\002C057E.psi
C:\Program Files\PokerStars\ImgCache\002C0F11.psi
C:\Program Files\PokerStars\ImgCache\002C57B3.psi
C:\Program Files\PokerStars\ImgCache\002C9AE0.psi
C:\Program Files\PokerStars\ImgCache\002C9C7B.psi
C:\Program Files\PokerStars\ImgCache\002CBA89.psi
C:\Program Files\PokerStars\ImgCache\002D490A.psi
C:\Program Files\PokerStars\ImgCache\002D855B.psi
C:\Program Files\PokerStars\ImgCache\002DDCC2.psi
C:\Program Files\PokerStars\ImgCache\002DE04E.psi
C:\Program Files\PokerStars\ImgCache\002DE9A4.psi
C:\Program Files\PokerStars\ImgCache\002E4724.psi
C:\Program Files\PokerStars\ImgCache\002E4C5A.psi
C:\Program Files\PokerStars\ImgCache\002E88E4.psi
C:\Program Files\PokerStars\ImgCache\002E9A2C.psi
C:\Program Files\PokerStars\ImgCache\002EB258.psi
C:\Program Files\PokerStars\ImgCache\002EEB75.psi
C:\Program Files\PokerStars\ImgCache\002F4E7D.psi
C:\Program Files\PokerStars\ImgCache\002F66D3.psi
C:\Program Files\PokerStars\ImgCache\002F6BE7.psi
C:\Program Files\PokerStars\ImgCache\002F83C7.psi
C:\Program Files\PokerStars\ImgCache\002F9036.psi
C:\Program Files\PokerStars\ImgCache\002FBF19.psi
C:\Program Files\PokerStars\ImgCache\002FBFD7.psi
C:\Program Files\PokerStars\ImgCache\002FD8B0.psi
C:\Program Files\PokerStars\ImgCache\002FF4C2.psi
C:\Program Files\PokerStars\ImgCache\00301D38.psi
C:\Program Files\PokerStars\ImgCache\0030265D.psi
C:\Program Files\PokerStars\ImgCache\003036EF.psi
C:\Program Files\PokerStars\ImgCache\0030A17A.psi
C:\Program Files\PokerStars\ImgCache\0030CBF3.psi
C:\Program Files\PokerStars\ImgCache\00313F62.psi
C:\Program Files\PokerStars\ImgCache\003195FE.psi
C:\Program Files\PokerStars\ImgCache\0031B27B.psi
C:\Program Files\PokerStars\ImgCache\0031B65C.psi
C:\Program Files\PokerStars\ImgCache\0031D629.psi
C:\Program Files\PokerStars\ImgCache\00321E98.psi
C:\Program Files\PokerStars\ImgCache\00323517.psi
C:\Program Files\PokerStars\ImgCache\0032481A.psi
C:\Program Files\PokerStars\ImgCache\0032543C.psi
C:\Program Files\PokerStars\ImgCache\003258F2.psi
C:\Program Files\PokerStars\ImgCache\00327AE2.psi
C:\Program Files\PokerStars\ImgCache\00328466.psi
C:\Program Files\PokerStars\ImgCache\0032B8F9.psi
C:\Program Files\PokerStars\ImgCache\0032EFEB.psi
C:\Program Files\PokerStars\ImgCache\0032F1A4.psi
C:\Program Files\PokerStars\ImgCache\00342183.psi
C:\Program Files\PokerStars\ImgCache\003461DD.psi
C:\Program Files\PokerStars\ImgCache\00349706.psi
C:\Program Files\PokerStars\ImgCache\0034BFDB.psi
C:\Program Files\PokerStars\ImgCache\0034E9B2.psi
C:\Program Files\PokerStars\ImgCache\00355493.psi
C:\Program Files\PokerStars\ImgCache\0035CB5A.psi
C:\Program Files\PokerStars\ImgCache\0035D93E.psi
C:\Program Files\PokerStars\ImgCache\0035E7FB.psi
C:\Program Files\PokerStars\ImgCache\00360636.psi
C:\Program Files\PokerStars\ImgCache\0036213F.psi
C:\Program Files\PokerStars\ImgCache\00364570.psi
C:\Program Files\PokerStars\ImgCache\00367B7A.psi
C:\Program Files\PokerStars\ImgCache\0036B5E3.psi
C:\Program Files\PokerStars\ImgCache\0036CDB7.psi
C:\Program Files\PokerStars\ImgCache\0036D533.psi
C:\Program Files\PokerStars\ImgCache\0036FC27.psi
C:\Program Files\PokerStars\ImgCache\00374AEC.psi
C:\Program Files\PokerStars\ImgCache\003764E7.psi
C:\Program Files\PokerStars\ImgCache\00376CFE.psi
C:\Program Files\PokerStars\ImgCache\00378200.psi
C:\Program Files\PokerStars\ImgCache\0037ACF7.psi
C:\Program Files\PokerStars\ImgCache\0037B2E7.psi
C:\Program Files\PokerStars\ImgCache\0037ED45.psi
C:\Program Files\PokerStars\ImgCache\00380D7C.psi
C:\Program Files\PokerStars\ImgCache\00381979.psi
C:\Program Files\PokerStars\ImgCache\003848C6.psi
C:\Program Files\PokerStars\ImgCache\00385809.psi
C:\Program Files\PokerStars\ImgCache\00385B77.psi
C:\Program Files\PokerStars\ImgCache\00387C20.psi
C:\Program Files\PokerStars\ImgCache\00388C90.psi
C:\Program Files\PokerStars\ImgCache\0038A424.psi
C:\Program Files\PokerStars\ImgCache\0038EDD3.psi
C:\Program Files\PokerStars\ImgCache\00390BE2.psi
C:\Program Files\PokerStars\ImgCache\00391211.psi
C:\Program Files\PokerStars\ImgCache\00391C3D.psi
C:\Program Files\PokerStars\ImgCache\0039654B.psi
C:\Program Files\PokerStars\ImgCache\0039D01E.psi
C:\Program Files\PokerStars\ImgCache\003A406B.psi
C:\Program Files\PokerStars\ImgCache\003A767E.psi
C:\Program Files\PokerStars\ImgCache\003B2800.psi
C:\Program Files\PokerStars\ImgCache\003B3522.psi
C:\Program Files\PokerStars\ImgCache\003B5A37.psi
C:\Program Files\PokerStars\ImgCache\003B5A39.psi
C:\Program Files\PokerStars\ImgCache\003B5A3A.psi
C:\Program Files\PokerStars\ImgCache\003B800C.psi
C:\Program Files\PokerStars\ImgCache\003BB45C.psi
C:\Program Files\PokerStars\ImgCache\003BC64E.psi
C:\Program Files\PokerStars\ImgCache\003BEEA0.psi
C:\Program Files\PokerStars\ImgCache\003C4369.psi
C:\Program Files\PokerStars\ImgCache\003C680B.psi
C:\Program Files\PokerStars\ImgCache\003C7ACE.psi
C:\Program Files\PokerStars\ImgCache\003CA851.psi
C:\Program Files\PokerStars\ImgCache\003CAE21.psi
C:\Program Files\PokerStars\ImgCache\003CCB4B.psi
C:\Program Files\PokerStars\ImgCache\003CF211.psi
C:\Program Files\PokerStars\ImgCache\003D0E67.psi
C:\Program Files\PokerStars\ImgCache\003D18CC.psi
C:\Program Files\PokerStars\ImgCache\003D51CB.psi
C:\Program Files\PokerStars\ImgCache\003D6228.psi
C:\Program Files\PokerStars\ImgCache\003D6D90.psi
C:\Program Files\PokerStars\ImgCache\003D8244.psi
C:\Program Files\PokerStars\ImgCache\003D892C.psi
C:\Program Files\PokerStars\ImgCache\003D99D6.psi
C:\Program Files\PokerStars\ImgCache\003DB5C6.psi
C:\Program Files\PokerStars\ImgCache\003DB71A.psi
C:\Program Files\PokerStars\ImgCache\003DD568.psi
C:\Program Files\PokerStars\ImgCache\003DECEB.psi
C:\Program Files\PokerStars\ImgCache\003E03A3.psi
C:\Program Files\PokerStars\ImgCache\003E3A75.psi
C:\Program Files\PokerStars\ImgCache\003E5BF9.psi
C:\Program Files\PokerStars\ImgCache\003EA2B0.psi
C:\Program Files\PokerStars\ImgCache\003EC067.psi
C:\Program Files\PokerStars\ImgCache\003ED905.psi
C:\Program Files\PokerStars\ImgCache\003EDA39.psi
C:\Program Files\PokerStars\ImgCache\003EDE3C.psi
C:\Program Files\PokerStars\ImgCache\003EF06D.psi
C:\Program Files\PokerStars\ImgCache\003EF88B.psi
C:\Program Files\PokerStars\ImgCache\003F0C1A.psi
C:\Program Files\PokerStars\ImgCache\003F0D1D.psi
C:\Program Files\PokerStars\ImgCache\003F13FF.psi
C:\Program Files\PokerStars\ImgCache\003F1F38.psi
C:\Program Files\PokerStars\ImgCache\003F262D.psi
C:\Program Files\PokerStars\ImgCache\003F303E.psi
C:\Program Files\PokerStars\ImgCache\003F3649.psi
C:\Program Files\PokerStars\ImgCache\003F3C3A.psi
C:\Program Files\PokerStars\ImgCache\003F4B4B.psi
C:\Program Files\PokerStars\ImgCache\003F4CE4.psi
C:\Program Files\PokerStars\ImgCache\003F4D99.psi
C:\Program Files\PokerStars\ImgCache\003F7827.psi
C:\Program Files\PokerStars\ImgCache\003FAADD.psi
C:\Program Files\PokerStars\ImgCache\003FD60B.psi
C:\Program Files\PokerStars\ImgCache\003FE2F1.psi
C:\Program Files\PokerStars\ImgCache\003FF0FB.psi
C:\Program Files\PokerStars\ImgCache\004020B6.psi
C:\Program Files\PokerStars\ImgCache\00402340.psi
C:\Program Files\PokerStars\ImgCache\00404B12.psi
C:\Program Files\PokerStars\ImgCache\00404E97.psi
C:\Program Files\PokerStars\ImgCache\00407C1A.psi
C:\Program Files\PokerStars\ImgCache\0040B29B.psi
C:\Program Files\PokerStars\ImgCache\0040D10F.psi
C:\Program Files\PokerStars\ImgCache\00411B1C.psi
C:\Program Files\PokerStars\ImgCache\00413FB9.psi
C:\Program Files\PokerStars\ImgCache\00419B88.psi
C:\Program Files\PokerStars\ImgCache\0041BB7D.psi
C:\Program Files\PokerStars\ImgCache\0041D684.psi
C:\Program Files\PokerStars\ImgCache\0041DE87.psi
C:\Program Files\PokerStars\ImgCache\0041F995.psi
C:\Program Files\PokerStars\ImgCache\00420F99.psi
C:\Program Files\PokerStars\ImgCache\00421000.psi
C:\Program Files\PokerStars\ImgCache\00421159.psi
C:\Program Files\PokerStars\ImgCache\00423F99.psi
C:\Program Files\PokerStars\ImgCache\00424240.psi
C:\Program Files\PokerStars\ImgCache\004247D4.psi
C:\Program Files\PokerStars\ImgCache\00427223.psi
C:\Program Files\PokerStars\ImgCache\00427F72.psi
C:\Program Files\PokerStars\ImgCache\00428AFF.psi
C:\Program Files\PokerStars\ImgCache\00429D88.psi
C:\Program Files\PokerStars\ImgCache\0042AFA9.psi
C:\Program Files\PokerStars\ImgCache\0042B77F.psi
C:\Program Files\PokerStars\ImgCache\0042C464.psi
C:\Program Files\PokerStars\ImgCache\0042EE7D.psi
C:\Program Files\PokerStars\ImgCache\00432521.psi
C:\Program Files\PokerStars\ImgCache\00434539.psi
C:\Program Files\PokerStars\ImgCache\00434704.psi
C:\Program Files\PokerStars\ImgCache\004347BB.psi
C:\Program Files\PokerStars\ImgCache\00434893.psi
C:\Program Files\PokerStars\ImgCache\0043764C.psi
C:\Program Files\PokerStars\ImgCache\00438802.psi
C:\Program Files\PokerStars\ImgCache\00438DA5.psi
C:\Program Files\PokerStars\ImgCache\0043B288.psi
C:\Program Files\PokerStars\ImgCache\0043B498.psi
C:\Program Files\PokerStars\ImgCache\0043EA2A.psi
C:\Program Files\PokerStars\ImgCache\0043FCFD.psi
C:\Program Files\PokerStars\ImgCache\00440BAB.psi
C:\Program Files\PokerStars\ImgCache\0044389E.psi
C:\Program Files\PokerStars\ImgCache\004440EC.psi
C:\Program Files\PokerStars\ImgCache\00449436.psi
C:\Program Files\PokerStars\ImgCache\0044A6F7.psi
C:\Program Files\PokerStars\ImgCache\0044C565.psi
C:\Program Files\PokerStars\ImgCache\00455183.psi
C:\Program Files\PokerStars\ImgCache\00495992.psi
C:\Program Files\PokerStars\ImgCache\00499E65.psi
C:\Program Files\PokerStars\ImgCache\0049C467.psi
C:\Program Files\PokerStars\ImgCache\0049FFDD.psi
C:\Program Files\PokerStars\ImgCache\004B03E1.psi
C:\Program Files\PokerStars\ImgCache\004B13E2.psi
C:\Program Files\PokerStars\ImgCache\img.idx
C:\Program Files\PokerStars\Notes.txt
C:\Program Files\PokerStars\PokerStars.log.0
C:\Program Files\PokerStars\PokerStars.log.1
C:\Program Files\PokerStars\PokerStarsUpdate.log.0
C:\Program Files\PokerStars\PokerStarsUpdate.log.1
C:\Program Files\PokerStars\Themes\simple\reserved.a.bmp
C:\Program Files\PokerStars\Themes\simple\reserved.bmp
C:\Program Files\PokerStars\update\_update2.dat
C:\Program Files\PokerStars\update\_update2g.dat
C:\Program Files\PokerStars\update\_update2ni.dat
C:\Program Files\PokerStars\update\_updatehttptmp.gz
C:\Program Files\PokerStars\update\i18n.msg_cli.txt
C:\Program Files\PokerStars\update\Themes\&default\gx.ini
C:\Program Files\PokerStars\update\Themes\preview\azure.jpg
C:\Program Files\PokerStars\update\Themes\preview\techno.jpg
C:\Program Files\PokerStars\update\Themes\themes.ini
C:\Program Files\PokerStars\update\update.ini
C:\Program Files\PokerStars\user.ini
C:\WINDOWS\system32\msxml3a.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\psa64s
-------\psa64u


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-27 20:31 . 2008-01-27 20:31 <DIR> d----c--- C:\Deckard
2008-01-27 15:30 . 2008-01-27 15:31 <DIR> d----c--- C:\WINDOWS\ERUNT
2008-01-25 23:37 . 2000-08-31 08:00 51,200 --a--c--- C:\WINDOWS\Nircmd.exe
2008-01-25 23:28 . 2008-01-26 00:57 229 --a--c--- C:\WINDOWS\wininit.ini
2008-01-25 23:19 . 2008-01-25 23:19 <DIR> d----c--- C:\Program Files\Trend Micro
2008-01-25 01:33 . 2008-01-25 01:31 102,664 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-24 23:58 . 2008-01-26 00:57 <DIR> d----c--- C:\Program Files\Acceleration Software
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d----c--- C:\Program Files\HighMAT CD Writing Wizard
2008-01-24 00:18 . 2008-01-24 00:18 <DIR> d----c--- C:\Program Files\MediaEntertainmentCodec
2008-01-16 22:57 . 2008-01-28 20:01 54,156 --ah-c--- C:\WINDOWS\QTFont.qfn
2008-01-16 22:57 . 2008-01-16 22:57 1,409 --a--c--- C:\WINDOWS\QTFont.for
2008-01-16 22:56 . 2008-01-16 22:56 <DIR> d----c--- C:\Program Files\iTunes
2008-01-16 22:56 . 2008-01-16 22:56 <DIR> d----c--- C:\Program Files\iPod
2008-01-16 22:55 . 2008-01-16 22:55 <DIR> d----c--- C:\Program Files\QuickTime
2008-01-16 22:55 . 2008-01-16 22:55 <DIR> d----c--- C:\Program Files\Bonjour
2008-01-16 22:53 . 2008-01-16 22:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 22:53 . 2008-01-16 22:53 <DIR> d----c--- C:\Program Files\Common Files\Apple
2008-01-16 22:53 . 2008-01-15 02:39 30,464 --a--c--- C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a--c--- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a--c--- C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 04:53 --------- dc----w C:\Program Files\Apple Software Update
2007-12-16 05:16 --------- dc----w C:\Program Files\Windows Media Connect 2
2007-12-16 05:02 --------- dc----w C:\Program Files\Sony
2007-12-16 05:01 --------- dc----w C:\Program Files\Common Files\InstallShield
2007-12-02 06:57 --------- dc----w C:\Program Files\Google
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_23.48.08.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 05:41:05 1,421,312 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-29 01:54:18 1,421,312 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 05:41:05 8,192 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-29 01:54:18 8,192 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 05:41:07 1,417,216 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-29 01:54:18 1,417,216 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 05:41:07 8,192 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-29 01:54:18 8,192 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 05:41:12 5,275,648 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-29 01:54:19 5,345,280 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 05:41:12 159,744 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-29 01:54:19 163,840 -c--a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 15:01:35 163,328 -c--a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-27 21:31:30 5,345,280 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:31:30 163,840 -c--a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-24 15:01:35 163,328 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-27 21:31:15 5,345,280 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-27 21:31:15 163,840 -c--a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-01-16 11:07 176173]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-11-26 11:40 149152]
"SiSUSBRG"="C:\WINDOWS\sisUSBrg.exe" [2002-04-25 18:06 32768]
"RegistryMechanic"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"nwiz"="nwiz.exe" [2003-05-02 01:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 01:19 4640768]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 04:50 155648]
"LiveNote"="livenote.exe" [2002-07-11 07:31 40960 C:\WINDOWS\livenote.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-06-26 18:30 1101874]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-23 23:08 49152]
"anvshell"="anvshell.exe" [2003-05-29 01:53 348160 C:\WINDOWS\anvshell.exe]

C:\Documents and Settings\Charlie Mitchell\PrintHood\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-15 23:02:28 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-12 11:20:14 110592]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-23 23:28:44 282624]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 19:00:00 65588]

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2003-05-19 02:12]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-06-17 04:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 14:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 20:01:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 20:03:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 02:03:45
ComboFix2.txt 2008-01-28 04:32:56
ComboFix3.txt 2008-01-26 06:12:30
ComboFix4.txt 2008-01-26 05:48:34
.
2008-01-10 05:24:21 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:29 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.5/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7125 bytes


Thanks amigo

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 28 January 2008 - 08:27 PM

Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom




#11 ziachuck

ziachuck

    New Member

  • New Member
  • 6 posts

Posted 28 January 2008 - 10:05 PM

Fantastic :thumbup: !!!

Everything seems to be working great.

I really do appreciate your help with this. I admire your knowledge and selflessness. You are a great person...I mean that!

Thank you, thank you, thank you.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:47 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...31.5/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7001 bytes
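The log above is read by eye in this thread. As an added example (not part of the thread and not a HijackThis feature), the Python below parses lines in the same HijackThis v2 format and pulls out three classes of entry a reviewer normally checks first: O4 autostart commands that name no directory at all, O16 ActiveX controls downloaded from the web, and O23 services whose binary is reported "(file missing)". The sample lines are constructed to match the shape of the log above; the download URL in the O16 line is a placeholder, not the original.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the HijackThis v2 log format (shape copied from the
# log above; the O16 URL is a placeholder, not the original address).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://example.test/placeholder/GrooveAX27.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


class Entry(NamedTuple):
    kind: str   # section tag such as "R0", "O4", "O23"
    body: str   # everything after "<tag> - "


_ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
_RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
_DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
_SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.*)$")


def parse_log(text: str) -> List[Entry]:
    """Split a HijackThis log into (tag, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def run_entries_without_path(entries: List[Entry]) -> List[str]:
    """O4 Run entries whose command contains no directory at all.

    A bare name like "livenote.exe" is resolved through the search path at
    logon, so the log alone cannot say which file runs; return the value
    names so a reviewer can locate the binaries by hand."""
    flagged = []
    for e in entries:
        if e.kind == "O4":
            m = _RUN_RE.match(e.body)
            if m and "\\" not in m.group(3):
                flagged.append(m.group(2))
    return flagged


def activex_downloads(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """O16 entries: ActiveX controls fetched from the web as (CLSID, name, URL)."""
    found = []
    for e in entries:
        if e.kind == "O16":
            m = _DPF_RE.match(e.body)
            if m:
                found.append((m.group(1), m.group(2), m.group(3)))
    return found


def missing_file_services(entries: List[Entry]) -> List[str]:
    """O23 services whose binary HijackThis could not find on disk."""
    names = []
    for e in entries:
        if e.kind == "O23":
            m = _SERVICE_RE.match(e.body)
            if m and m.group(3).endswith("(file missing)"):
                names.append(m.group(1))
    return names


def triage(text: str) -> Dict[str, list]:
    """Summarise the entries a reviewer usually looks at first."""
    entries = parse_log(text)
    return {
        "run_entries_without_path": run_entries_without_path(entries),
        "activex_downloads": activex_downloads(entries),
        "missing_file_services": missing_file_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

None of the three lists is a verdict: a bare-name Run entry or a missing service binary is often a leftover of an uninstalled product, as with the Symantec and Kodak services in the log above. The point of the script is to make the entries that need a human decision stand out from the dozens that do not.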

#12 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts

Posted 28 January 2008 - 10:25 PM

Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping

  • A. Please DELETE the following folder and all its content from your system: C:\SDFix

  • B. Go to Start -> Run -> copy/paste in the following single line command & click OK

    combofix /u

    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items

  • IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOSTS FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here.

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


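The hosts-file mechanism in the post above (a name mapped to 127.0.0.1 never reaches the real site) can be checked rather than taken on trust. The Python below is an added example, not code from this thread or from the MVPS project: it parses a hosts file in the standard syntax, reports which names are sink-holed to loopback, and separately lists names pointed at any other address, because hosts-file redirection is also a technique malware uses to divert legitimate sites and such entries deserve a look. The file content and domain names are constructed placeholders, not entries from the real MVPS file.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses that make a name unreachable rather than redirecting it elsewhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file; the domain names are placeholders.
SAMPLE_HOSTS = """\
# constructed example, not the MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example-adserver.test       # advertising, sink-holed
127.0.0.1 tracker.example-metrics.test
0.0.0.0   banner.example-ads.test
10.0.0.5  www.example-bank.test           # suspicious: not loopback
not-an-ip broken.example.test             # malformed, ignored
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to its address, ignoring comments and malformed lines.

    The first entry for a name is kept, mirroring first-match resolution."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def lookup(mapping: Dict[str, str], hostname: str):
    """Address the hosts file would answer for hostname, or None if absent."""
    return mapping.get(hostname.lower())


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True when the name is pinned to a loopback/unspecified address."""
    return lookup(mapping, hostname) in SINKHOLE_ADDRESSES


def sinkholed_names(mapping: Dict[str, str]) -> List[str]:
    """All blocked names, excluding localhost, which must stay on loopback."""
    return sorted(n for n, a in mapping.items()
                  if a in SINKHOLE_ADDRESSES and n != "localhost")


def non_loopback_redirects(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Names mapped to a real address: a blocklist file should have none."""
    return sorted((n, a) for n, a in mapping.items()
                  if a not in SINKHOLE_ADDRESSES)


def check_hosts_file(text: str) -> dict:
    """Summary a reviewer wants after replacing the HOSTS file."""
    mapping = parse_hosts(text)
    return {
        "has_localhost": mapping.get("localhost") in SINKHOLE_ADDRESSES,
        "sinkholed": sinkholed_names(mapping),
        "non_loopback_redirects": non_loopback_redirects(mapping),
    }


if __name__ == "__main__":
    for key, value in check_hosts_file(SAMPLE_HOSTS).items():
        print(key, value)
```

Run against the real file on a Windows XP machine by reading C:\WINDOWS\system32\drivers\etc\hosts: the "has_localhost" check confirms the replacement kept the localhost line, and an empty "non_loopback_redirects" list confirms the file only blocks and never diverts.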

#13 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts

Posted 04 February 2008 - 06:45 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
