[Resolved] Here's my HijackThis log... please help!


  • This topic is locked
19 replies to this topic

#1 kyle b
New Member, 12 posts

Posted 04 April 2008 - 12:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:19:46 PM, on 4/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\TEMP\BN6.tmp
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\windows\system32\jownw64o.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\Frank Butler\cftmon.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\SYSTEM32\rcntpkdn.exe
C:\WINDOWS\System32\ctfmona.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\STEM~1\nslookup.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\Frank Butler\cftmon.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ttlms.exe
C:\Program Files\TZO\TZO_NT_Service.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wumss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: {95fbaf26-ea7c-038b-0f34-cbccd90c6a83} - {38a6c09d-ccbc-43f0-b830-c7ae62fabf59} - C:\WINDOWS\System32\vqtvmufk.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\System32\ssqpopp.dll
O2 - BHO: cj helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\IE Extensions\cj.v2.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" *
O4 - HKLM\..\Run: [{D3-3F-F7-76-DW}] C:\windows\system32\jownw64o.exe DWram
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\atgban.dll" DllStart
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\SYSTEM32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [BMcbbe0c45] Rundll32.exe "C:\WINDOWS\System32\crxhlbck.dll",s
O4 - HKLM\..\Run: [c88d3fd9] rundll32.exe "C:\WINDOWS\System32\wuhlgsgq.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [TZOClient] C:\Program Files\TZO\TZOClient.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\STEM~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Frank Butler\cftmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\jownw64o.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429MMUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145274234906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O20 - Winlogon Notify: ssqpopp - C:\WINDOWS\SYSTEM32\ssqpopp.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: RomCD - {fed2e853-b7b9-4ec8-b178-12e896a07311} - C:\WINDOWS\Installer\{fed2e853-b7b9-4ec8-b178-12e896a07311}\RomCD.dll
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: Track Learning Management System (TTLMS) - Unknown owner - C:\WINDOWS\System32\ttlms.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe



#2 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking

Posted 05 April 2008 - 10:22 PM

Hello kyle b, and welcome to the What the Tech Forums.

My name is Trevuren and I will be helping you with your problem.


Many of the identified infections are backdoor trojans. In addition, you appear to have every other infection in the book.


A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


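As an added example (not code from the thread, from HijackThis, or from the tools named in it), the script below parses log lines in the format posted above and flags the indicator classes the analysis relies on: the O17 NameServer entries, the extra executable chained into UserInit/Shell, hosts-file redirects of security-vendor domains, the O7 policy keys, and Run entries whose file name is a Windows system binary (or one edit away from one) launched from the wrong directory. The expected resolver address and the vendor-domain list are assumptions; the sample lines are copied from the first log.

```python
"""Triage helper for HijackThis-style logs (added example, not the forum's code).

Flags: DNS servers outside the site's own set (O17), extra executables chained
into Shell/UserInit (F0/F2), hosts-file redirects of security-vendor domains
(O1), policies that disable Regedit/Task Manager (O7), and autostarts whose file
name is, or is one edit away from, a system binary but runs outside System32 (O4).
"""
import re

# Assumptions for this example: the resolver this LAN should be using, and the
# vendor domains whose redirection in the hosts file blocks AV updates.
EXPECTED_NAMESERVERS = {"192.168.1.1"}  # constructed value
SECURITY_VENDOR_DOMAINS = ("microsoft.com", "symantec.com", "mcafee.com",
                           "kaspersky-labs.com", "sophos.com", "trendmicro.com")
# Names malware imitates; the genuine copy lives in %SystemRoot%\System32.
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "ctfmon.exe", "smss.exe")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_PATH_RE = re.compile(r'(?:\]|=)\s*"?(.+?\.exe)', re.IGNORECASE)

# Constructed sample: a handful of lines taken from the first log in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 download.mcafee.com
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Frank Butler\cftmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
"""

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _osa_distance(a, b):
    # Edit distance with insert/delete/substitute/adjacent transposition, so
    # spools.exe, spoolvs.exe and cftmon.exe are all 1 away from the real names.
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def _check_autostart(body):
    m = O4_PATH_RE.search(body)
    if not m:
        return None
    path = m.group(1)
    name = _basename(path)
    in_system32 = path.lower().replace("/", "\\").rsplit("\\", 1)[0].endswith("\\system32")
    for real in SYSTEM_BINARIES:
        if name == real and not in_system32:
            return "system binary name outside System32", path
        if name != real and _osa_distance(name, real) == 1:
            return "lookalike of " + real, path
    return None

def _check_shell(body):
    # Shell= should list only explorer.exe and UserInit= only userinit.exe.
    key, _, value = body.split(": ", 1)[-1].partition("=")
    legit = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}.get(key)
    if legit is None:
        return None
    parts = value.split() if key == "Shell" else value.split(",")
    extras = [p for p in parts if p and _basename(p) != legit]
    return ("extra executable chained into " + key, ", ".join(extras)) if extras else None

def _check_hosts(body):
    host = body.split()[-1].lower()
    hit = [d for d in SECURITY_VENDOR_DOMAINS if host == d or host.endswith("." + d)]
    return ("hosts-file redirect of security vendor", host) if hit else None

def _check_nameserver(body):
    servers = re.split(r"[,\s]+", body.partition("NameServer = ")[2].strip())
    bad = [s for s in servers if s and s not in EXPECTED_NAMESERVERS]
    return ("unexpected DNS server", ", ".join(bad)) if bad else None

def _check_policy(body):
    m = re.search(r"(DisableRegedit|DisableTaskMgr)\s*=\s*1", body)
    return ("user lockout policy set", m.group(1)) if m else None

CHECKS = {"O4": _check_autostart, "F0": _check_shell, "F2": _check_shell,
          "O1": _check_hosts, "O17": _check_nameserver, "O7": _check_policy}

def triage(log_text):
    """Return [(kind, reason, detail), ...] for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("kind") in CHECKS:  # headers and process lists are skipped
            hit = CHECKS[m.group("kind")](m.group("body"))
            if hit:
                findings.append((m.group("kind"),) + hit)
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed sample yields nine findings; the legitimate McAfee agent entry and the ad-network hosts line are left alone.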

#3 kyle b
New Member, 12 posts

Posted 06 April 2008 - 01:53 PM

Well, this is the only computer hooked up to the network and a camera system, that is it. We have some files on there but nothing important. My boss would like to repair it before we reformat; because of the camera systems, we do not want to call tech back in to reinstall.

#4 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking

Posted 06 April 2008 - 02:08 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


#5 kyle b
New Member, 12 posts

Posted 07 April 2008 - 05:34 AM

I am having a problem. The .bat file will not open, nor will other ones on my PC. What is going on? And yes, I'm in Safe Mode.

#6 Trevuren
Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking

Posted 07 April 2008 - 04:09 PM

We will try to see why your file associations are not working.

Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • An additional text file, Extra.txt, will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
  • Please go to that FOLDER and also copy the contents of Extra.txt to your post as well.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What DSS will do:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.

Post Logs:
  • DSS Scan Results: contents of 1) Main.txt and 2) Extra.txt


#7 kyle b
New Member, 12 posts

Posted 08 April 2008 - 05:22 AM

Main.txt

Deckard's System Scanner v20071014.68
Run by Frank Butler on 2008-04-08 07:11:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-08 07:17:34
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\CSRSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SYSTEM32\jownw64o.exe
C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\SYSTEM32\rcntpkdn.exe
C:\WINDOWS\SYSTEM32\brsvc01a.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\SYSTEM32\brss01a.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\??stem\nslookup.exe
C:\WINDOWS\SYSTEM32\CISVC.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\SYSTEM32\ttlms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\wumss.exe
C:\Documents and Settings\Frank Butler\Desktop\dss.exe
C:\DOCUME~1\FRANKB~1\LOCALS~1\Temp\653C.tmp
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\ssqpopp.dll
O2 - BHO: (no name) - {4334C196-737A-0788-0A14-2C00B6B581B6} - C:\WINDOWS\SYSTEM32\aofpbic.dll
O2 - BHO: (no name) - {578E9A99-C316-41FD-992B-07FE242A1E2E} - C:\WINDOWS\SYSTEM32\geeba.dll
O2 - BHO: {7c1a7a56-f923-c57b-9c34-b03f79b5b5c5} - {5c5b5b97-f30b-43c9-b75c-329f65a7a1c7} - C:\WINDOWS\SYSTEM32\jjbykcbo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\SYSTEM32\iSecurity.cpl
O2 - BHO: cj helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\IE Extensions\cj.v2.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\MSDXM.OCX
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" *
O4 - HKLM\..\Run: [{D3-3F-F7-76-DW}] C:\WINDOWS\SYSTEM32\jownw64o.exe DWram
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\SYSTEM32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BMcbbe0c45] Rundll32.exe "C:\WINDOWS\System32\uvvhuiwe.dll",s
O4 - HKLM\..\Run: [c88d3fd9] rundll32.exe "C:\WINDOWS\System32\pfmrujqw.dll",b
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Frank Butler\cftmon.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\System32\alt.exe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\STEM~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Frank Butler\cftmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" * (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" * (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\jownw64o.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429MMUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: PD - {FE53AEB5-AEF4-4CFB-8DED-8E494A5F6D37} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} () - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} () - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145274234906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ssqpopp - C:\WINDOWS\System32\ssqpopp.dll
O21 - SSODL: RomCD - {fed2e853-b7b9-4ec8-b178-12e896a07311} - C:\WINDOWS\Installer\{fed2e853-b7b9-4ec8-b178-12e896a07311}\RomCD.dll
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\SYSTEM32\cryper.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\SYSTEM32\iSecurity.cpl
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\SYSTEM32\brsvc01a.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - C:\Program Files\McAfee.com\VSO\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\SYSTEM32\NMSSvc.Exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\SYSTEM\smscg.exe
O23 - Service: Track Learning Management System (TTLMS) - Unknown owner - C:\WINDOWS\SYSTEM32\ttlms.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\SYSTEM32\wumss.exe


--
End of file - 18271 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Qva26 - c:\windows\system32\drivers\qva26.sys
R1 MODEMM - c:\windows\system32\drivers\modemm.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>

S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys <Not Verified; America Online; ATW Protocol Driver>
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 FileObjInfo (STFileDriver) - c:\documents and settings\all users\application data\spyware terminator\fileobjinfo.sys (file missing)
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
S3 SMALUSB (Digital Camera Driver) - c:\windows\system32\drivers\smalidt.sys <Not Verified; SMaL Camera Technologies, Inc.; SMaL Camera Technolgies IDT Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 TTLMS (Track Learning Management System) - c:\windows\system32\ttlms.exe
R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R2 WmdmPmSp (Portable Media Serial Number) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 wumss (Windows Update Manager Security Service) - c:\windows\system32\wumss.exe

S2 ICF - c:\windows\system32\svchost.exe:exe.exe
S2 SMSCGISVC (System Managment Controler) - "c:\windows\system\smscg.exe"
S2 TZONTService (TZO Client) - c:\program files\tzo\tzo_nt_service.exe
S3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-08 07:06:25 506 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Frank Butler).job
2008-04-01 13:49:38 508 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Alicia Dunlow).job
2008-04-01 12:18:14 490 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-user).job
2008-04-01 12:17:05 490 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-mark).job
2008-04-01 12:16:04 494 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark H).job
2008-04-01 12:16:01 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (D7174T21-Owner).job
2008-04-01 12:15:12 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-randy).job
2008-04-01 12:15:03 496 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark II).job
2008-04-01 12:15:02 500 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Dale Holt).job
2006-11-09 10:57:07 258 --a------ C:\WINDOWS\Tasks\WebReg officejet 6200 series.job


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 07:17:51 83520 --a------ C:\WINDOWS\System32\eumrpvnk.dll
2008-04-08 07:14:51 91712 --a------ C:\WINDOWS\System32\jjbykcbo.dll
2008-04-08 07:14:29 32768 --a------ C:\Program Files\tmp548890.exe
2008-04-08 07:14:29 222720 --a------ C:\Program Files\tmp547250.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-08 07:13:14 282112 --a------ C:\WINDOWS\aromis.exe
2008-04-08 07:06:05 5120 --a------ C:\WINDOWS\System32\ftp33.dll
2008-04-07 13:08:18 98304 --a------ C:\Program Files\tmp11497234.exe
2008-04-07 13:08:16 32768 --a------ C:\Program Files\tmp11498515.exe
2008-04-07 13:07:30 32768 --a------ C:\Program Files\tmp11463531.exe
2008-04-07 13:07:29 131072 --a------ C:\Program Files\tmp11462531.exe
2008-04-07 13:07:01 32768 --a------ C:\Program Files\tmp11434328.exe
2008-04-07 13:06:58 32768 --a------ C:\Program Files\tmp11430937.exe
2008-04-07 13:06:54 98304 --a------ C:\Program Files\tmp11426468.exe
2008-04-07 12:36:40 98304 --a------ C:\Program Files\tmp9602015.exe
2008-04-07 12:36:16 35576 --a------ C:\Program Files\tmp9571296.exe
2008-04-07 12:35:57 16464 --a------ C:\Program Files\tmp9562843.exe
2008-04-07 11:58:14 32768 --a------ C:\Program Files\tmp7307171.exe
2008-04-07 11:58:03 98304 --a------ C:\Program Files\tmp7295546.exe
2008-04-07 11:55:57 32768 --a------ C:\Program Files\tmp7170015.exe
2008-04-07 11:55:56 163840 --a------ C:\Program Files\tmp7169453.exe
2008-04-07 11:54:54 65536 --a------ C:\Program Files\tmp7106578.exe
2008-04-07 11:54:45 131072 --a------ C:\Program Files\tmp7097953.exe
2008-04-07 11:54:45 32768 --a------ C:\Program Files\tmp7097937.exe
2008-04-07 11:54:44 163840 --a------ C:\Program Files\tmp7095437.exe
2008-04-07 11:54:44 32768 --a------ C:\Program Files\tmp7095281.exe
2008-04-07 11:54:43 32768 --a------ C:\Program Files\tmp7095296.exe
2008-04-07 10:51:24 0 d-------- C:\Documents and Settings\Frank Butler\.housecall6.6
2008-04-07 10:50:49 0 d-------- C:\WINDOWS\Sun
2008-04-07 10:50:49 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Sun
2008-04-07 10:45:07 0 d-------- C:\Program Files\Java
2008-04-07 10:44:26 0 d-------- C:\Program Files\Common Files\Java
2008-04-07 10:36:16 0 d-------- C:\Program Files\Pop up Blocker
2008-04-07 10:30:54 5708 --a------ C:\WINDOWS\System32\k9371937.DLL
2008-04-07 10:30:50 21264 --a------ C:\WINDOWS\System32\rundll32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-04-07 10:19:18 131072 --a------ C:\Program Files\tmp1370609.exe
2008-04-07 10:19:09 32768 --a------ C:\Program Files\tmp1361718.exe
2008-04-07 10:18:40 65536 --a------ C:\Program Files\tmp1321828.exe
2008-04-07 10:02:32 35540 --a------ C:\Program Files\tmp305328.exe
2008-04-07 10:02:16 32768 --a------ C:\Program Files\tmp305093.exe
2008-04-07 10:02:03 35648 --a------ C:\Program Files\tmp305562.exe
2008-04-07 10:01:53 195072 --a------ C:\Program Files\tmp305109.exe
2008-04-07 10:01:44 16600 --a------ C:\Program Files\tmp305375.exe
2008-04-07 08:56:29 10752 --a------ C:\WINDOWS\System32\WLCtrl32.dll
2008-04-07 08:42:55 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Uniblue
2008-04-07 08:40:50 35664 --a------ C:\Program Files\tmp227390.exe
2008-04-07 08:40:16 35512 --a------ C:\Program Files\tmp226312.exe
2008-04-07 08:40:06 16496 --a------ C:\Program Files\tmp225125.exe
2008-04-07 07:35:53 38400 --a------ C:\WINDOWS\System32\iiffcbx.dll
2008-04-07 07:35:53 0 d-------- C:\WINDOWS\System32\bharebio01
2008-04-07 07:29:17 167936 --a------ C:\WINDOWS\System32\drivers\Oktj56.sys
2008-04-07 07:29:16 167936 --a------ C:\WINDOWS\System32\drivers\msoft98.sys
2008-04-07 07:28:27 35576 --a------ C:\Program Files\tmp275281.exe
2008-04-07 07:28:22 16508 --a------ C:\Program Files\tmp275375.exe
2008-04-07 07:28:11 97792 --a------ C:\Program Files\tmp275359.exe
2008-04-07 07:27:54 16488 --a------ C:\Program Files\tmp275218.exe
2008-04-07 07:02:21 90176 --a------ C:\WINDOWS\System32\oxnaopwe.dll
2008-04-07 07:02:21 35604 --a------ C:\Program Files\tmp569359.exe
2008-04-07 06:59:25 16472 --a------ C:\Program Files\tmp402703.exe
2008-04-07 06:59:21 85056 --a------ C:\WINDOWS\System32\pfmrujqw.dll
2008-04-07 06:59:15 0 d-------- C:\WINDOWS\System32\a?sembly
2008-04-07 06:59:11 60928 --a------ C:\WINDOWS\System32\aofpbic.dll
2008-04-07 06:59:02 88128 --a------ C:\WINDOWS\System32\uvvhuiwe.dll
2008-04-04 15:54:17 16560 --a------ C:\Program Files\tmp319250.exe
2008-04-04 15:54:17 16492 --a------ C:\Program Files\tmp319062.exe
2008-04-04 15:42:17 0 d-------- C:\Program Files\iSecurity
2008-04-04 15:17:17 83520 --a------ C:\WINDOWS\System32\gjaucsrn.dll
2008-04-04 15:14:58 90176 --a------ C:\WINDOWS\System32\kdybvjln.dll
2008-04-04 15:14:38 87104 --a------ C:\WINDOWS\System32\eyshyxwp.dll
2008-04-04 14:17:10 64000 --a------ C:\Program Files\tmp337140.exe
2008-04-04 14:17:10 35732 --a------ C:\Program Files\tmp337062.exe
2008-04-04 14:16:43 16452 --a------ C:\Program Files\tmp321531.exe
2008-04-03 15:16:14 86592 --a------ C:\WINDOWS\System32\wuhlgsgq.dll
2008-04-03 15:14:12 89152 --a------ C:\WINDOWS\System32\vqtvmufk.dll
2008-04-03 15:14:05 88640 --a------ C:\WINDOWS\System32\crxhlbck.dll
2008-04-03 15:13:31 98816 --a------ C:\WINDOWS\System32\drivers\svchost.exe
2008-04-03 15:13:13 346857 --ahs---- C:\WINDOWS\System32\abeeg.ini2
2008-04-03 15:13:07 268288 --a------ C:\WINDOWS\System32\geeba.dll
2008-04-03 15:11:42 35736 --a------ C:\Program Files\tmp212921.exe
2008-04-03 15:11:12 35580 --a------ C:\Program Files\tmp212859.exe
2008-04-03 15:11:03 16636 --a------ C:\Program Files\tmp212750.exe
2008-04-03 14:52:15 446464 -ra------ C:\WINDOWS\System32\hhactivex.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>
2008-04-03 14:52:14 176128 --a------ C:\WINDOWS\System32\RcdScan.dll <Not Verified; Dell Computer Corporation; RcdScan Module>
2008-04-03 08:19:00 289280 --a------ C:\WINDOWS\regedit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-03 07:41:30 3638 --a------ C:\Start_.cmd
2008-04-03 07:41:30 0 d-------- C:\327882R2FWJFW
2008-04-03 07:01:55 89152 --a------ C:\WINDOWS\System32\sytsepkj.dll
2008-04-03 07:00:31 0 d-------- C:\Program Files\RegistryFix
2008-04-03 06:58:38 65536 --a------ C:\Program Files\tmp306593.exe
2008-04-03 06:58:37 124 --a------ C:\tempdel.bat
2008-04-03 06:58:30 35804 --a------ C:\Program Files\tmp306109.exe
2008-04-03 06:58:30 0 d-------- C:\Program Files\IE Extensions
2008-04-03 06:58:16 16656 --a------ C:\Program Files\tmp306312.exe
2008-04-02 16:28:58 171520 --a------ C:\WINDOWS\System32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-02 16:28:44 87552 --a------ C:\WINDOWS\System32\ctfmona.exe
2008-04-02 16:23:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-01 14:40:16 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\MailFrontier
2008-04-01 14:16:23 127000 --a------ C:\WINDOWS\System32\jownw64o.exe <Not Verified; ; Browser Driver>
2008-04-01 13:42:59 113184 --ahs---- C:\WINDOWS\System32\drivers\fidbox2.dat
2008-04-01 13:42:59 654112 --ahs---- C:\WINDOWS\System32\drivers\fidbox.dat
2008-04-01 12:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2008-04-01 12:49:42 47461 --ahs---- C:\Documents and Settings\Administrator\cftmon.exe
2008-04-01 12:43:41 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-01 12:43:22 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-04-01 12:42:28 0 d-------- C:\WINDOWS\System32\ZoneLabs
2008-04-01 12:41:53 0 d-------- C:\WINDOWS\Internet Logs
2008-04-01 12:41:23 0 d-------- C:\Program Files\SystemDefender
2008-04-01 12:41:20 98709 --a------ C:\Documents and Settings\Administrator\Application Data\sysdefender.exe
2008-04-01 12:36:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2008-04-01 12:22:51 937 --a------ C:\WINDOWS\System32\winpfz33.sys
2008-04-01 12:21:49 208972 --a------ C:\WINDOWS\System32\rcntpkdn.exe
2008-04-01 12:19:50 126984 --a------ C:\WINDOWS\System32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-04-01 12:19:33 60226 --a------ C:\Documents and Settings\Frank Butler\cftmon.exe
2008-04-01 12:19:24 62464 --a------ C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
2008-04-01 12:19:19 47461 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-04-01 12:16:00 57344 --a------ C:\WINDOWS\shell.exe
2008-04-01 12:15:58 57344 --a------ C:\WINDOWS\System32\spoolvs.exe
2008-04-01 12:15:52 57344 --a------ C:\WINDOWS\System32\printer.exe
2008-04-01 12:15:28 261632 --a------ C:\WINDOWS\System32\cryper.dll
2008-04-01 12:15:22 18944 --a------ C:\WINDOWS\System32\wowfx.dll
2008-04-01 12:15:08 57344 --a------ C:\Documents and Settings\Alicia Dunlow\Application Data\printer.exe
2008-04-01 12:15:06 5120 --a------ C:\WINDOWS\System32\ftpdll.dll
2008-04-01 12:15:06 5120 --a------ C:\Documents and Settings\Alicia Dunlow\ftpdll.dll
2008-04-01 12:14:53 25472 --a------ C:\WINDOWS\System32\drivers\Qva26.sys
2008-04-01 12:14:34 167936 --a------ C:\WINDOWS\System32\drivers\Swj45.sys
2008-04-01 12:14:30 10 --a------ C:\WINDOWS\System32\kr_done1
2008-04-01 12:14:23 62976 --a------ C:\WINDOWS\System32\~.exe
2008-04-01 12:13:53 48451 --a------ C:\WINDOWS\System32\drivers\spools.exe
2008-04-01 12:13:53 28990 --a------ C:\Documents and Settings\Alicia Dunlow\cftmon.exe
2008-04-01 12:13:50 30208 --a------ C:\W3NG.exe
2008-04-01 09:55:54 38400 --a------ C:\WINDOWS\System32\iifeeba.dll
2008-04-01 09:51:46 51200 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-01 09:51:42 0 d-------- C:\WINDOWS\System32\?ymbols
2008-04-01 09:51:42 0 d-------- C:\Program Files\Outerinfo
2008-04-01 09:51:29 0 d-------- C:\WINDOWS\??stem
2008-04-01 09:51:23 38400 --a------ C:\WINDOWS\System32\wvutust.dll
2008-04-01 09:47:51 6705 --ahs---- C:\WINDOWS\System32\rtutv.ini2
2008-04-01 09:47:33 268288 --a------ C:\WINDOWS\System32\vtutr.dll
2008-04-01 08:43:32 0 d-------- C:\Documents and Settings\Alicia Dunlow\Application Data\Spyware Terminator
2008-04-01 08:12:41 38400 --a------ C:\WINDOWS\System32\xxywwwx.dll
2008-04-01 08:01:55 38400 --a------ C:\WINDOWS\System32\qommlig.dll
2008-04-01 07:59:54 320 --ahs---- C:\WINDOWS\System32\bccdd.ini2
2008-04-01 07:55:57 38400 --a------ C:\WINDOWS\System32\gebyabb.dll
2008-04-01 07:55:11 38400 --a------ C:\WINDOWS\System32\xxyxwuv.dll
2008-04-01 07:54:40 60928 --a------ C:\WINDOWS\System32\arykdmx.dll
2008-04-01 07:54:40 0 d-------- C:\Program Files\?icrosoft
2008-04-01 07:54:29 0 d-------- C:\WINDOWS\System32\F?nts
2008-04-01 07:54:27 38400 --a------ C:\WINDOWS\System32\urqonop.dll
2008-04-01 07:54:18 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-01 07:54:17 0 d-------- C:\Program Files\?racle
2008-04-01 07:54:15 0 d-------- C:\WINDOWS\System32\aqVreo01
2008-04-01 07:54:14 38400 --a------ C:\WINDOWS\System32\ssqpopp.dll
2008-04-01 06:56:58 51200 --a------ C:\WINDOWS\mrofinu.exe
2008-04-01 06:56:46 39883 --a------ C:\WINDOWS\System32\targetedbanner-uninst.exe
2008-04-01 06:56:38 86016 --a------ C:\WINDOWS\System32\drivers\MODEMM.sys
2008-04-01 06:56:36 0 d-------- C:\WINDOWS\System32\xTmp
2008-04-01 06:56:36 0 d-------- C:\WINDOWS\System32\winz1
2008-04-01 06:56:36 0 d-------- C:\WINDOWS\System32\IDME
2008-04-01 06:56:34 0 d-------- C:\WINDOWS\System32\aqVreo04
2008-04-01 06:56:34 0 d-------- C:\Temp
2008-03-27 09:46:42 0 d-------- C:\Documents and Settings\Mark H\Application Data\Mozilla
2008-03-21 15:10:54 0 d-------- C:\Storage
2008-03-13 15:20:46 204800 --a------ C:\WINDOWS\TinyBHO.dll
2008-03-11 12:41:00 150 --a------ C:\WINDOWS\HoneyWellClient.dat
2008-03-11 12:40:19 512000 --a------ C:\WINDOWS\System32\ndmpeg4v.dll
2008-03-11 12:40:19 0 d-------- C:\Program Files\Honeywell
2008-03-11 11:18:06 58880 --a------ C:\WINDOWS\System32\atgban.dll
2008-03-10 06:58:45 418936 -rahs---- C:\WINDOWS\System32\wumss.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-07 10:44:26 0 d-------- C:\Program Files\Common Files
2008-04-05 08:47:18 0 d-------- C:\Program Files\Common Files\aol
2008-04-04 15:53:30 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\MSN6
2008-04-03 14:52:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 09:10:09 89600 --a------ C:\WINDOWS\System32\DRWTSN32.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-02 06:16:42 359936 --a------ C:\WINDOWS\System32\fxssvc.exe <Not Verified; Microsoft Corporation; Microsoft® Fax Server>
2008-04-02 06:16:02 81920 --a------ C:\WINDOWS\System32\HPZipm12.exe <Not Verified; HP; HP PML>
2008-04-02 06:15:57 192512 --a------ C:\WINDOWS\System32\DWWIN.EXE <Not Verified; Microsoft Corporation; Microsoft Application Error Reporting>
2008-04-02 06:15:57 16384 --a------ C:\WINDOWS\System32\CISVC.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-02 06:15:29 128000 --a------ C:\WINDOWS\System32\SPOOLSV.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 14:05:52 651264 --a------ C:\WINDOWS\System32\SSTEXT3D.SCR <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 14:03:35 84992 --a------ C:\WINDOWS\System32\CIDAEMON.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 13:58:07 100864 --a------ C:\WINDOWS\System32\SOL.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 13:53:42 77824 --a------ C:\WINDOWS\wanmpsvc.exe <Not Verified; America Online, Inc.; America Online>
2008-04-01 13:44:03 139776 --a------ C:\WINDOWS\System32\TASKMGR.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 13:43:27 164352 --a------ C:\WINDOWS\System32\USERINIT.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 12:15:17 24064 --a------ C:\WINDOWS\System32\SVCHOST.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-01 08:50:56 0 d-------- C:\Program Files\MyWebSearch
2008-04-01 07:54:40 0 d-------- C:\Program Files\?icrosoft
2008-04-01 07:54:18 0 d-------- C:\Program Files\?racle
2008-03-07 09:40:28 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\AdobeUM
2008-03-06 12:51:02 0 d-------- C:\Program Files\TZO
2008-03-05 11:18:54 0 d-------- C:\Program Files\America Online 8.0
2008-03-04 11:17:56 187904 --ahs---- C:\WINDOWS\System32\.exe
2008-03-03 08:22:40 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\AdobeAUM
2008-02-28 16:25:58 0 d-------- C:\Program Files\Google
2008-02-28 15:59:43 681 --a------ C:\WINDOWS\mozver.dat
2008-02-28 15:27:24 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Viewpoint
2008-02-28 15:23:14 0 d-------- C:\Program Files\Modem Helper
2008-02-28 15:23:14 0 d-------- C:\Program Files\EarthLink 5.0
2008-02-28 15:23:13 29 --a------ C:\WINDOWS\dscc.dll
2008-02-28 15:20:30 0 d-------- C:\Program Files\Yahoo!
2008-02-28 14:58:15 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\U3
2008-02-28 12:51:12 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Google
2008-02-28 10:11:45 0 d-------- C:\Program Files\AOL Search
2008-02-28 10:11:36 0 d-------- C:\Program Files\Viewpoint
2008-02-27 09:47:46 1366016 -rahs---- C:\WINDOWS\System32\ttlms.exe
2008-02-27 08:52:29 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Adobe
2008-02-27 08:51:52 0 d-------- C:\Documents and Settings\Frank Butler\Application Data\Mozilla
2008-01-15 17:52:24 185344 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------

Unable to run batchfile; The system cannot find the file specified.
ComSpec: C:\WINDOWS\system32\cmd.exe


-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

90 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-08 07:18:37 ------------

--------------------------------------------------------------------------------------------------

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.53GHz
Percentage of Memory in Use: 78%
Physical Memory (total/avail): 255 MiB / 55.97 MiB
Pagefile Memory (total/avail): 616.5 MiB / 290.87 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.8 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.75 GiB total, 104.72 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BB-00GUA0 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 111.75 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer has updates disabled.


-- Environment Variables -------------------------------------------------------

Unable to get environment variables; The system cannot find the file specified.
ComSpec: C:\WINDOWS\system32\cmd.exe


-- User Profiles ---------------------------------------------------------------

Alicia Dunlow (admin)
Frank Butler (admin)
Mark H (admin)
user (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
America Online --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Search --> C:\Program Files\AOL Search\uninstaller.exe AOL Search
AOL Coach Version 1.0(Build:20020823.1) --> C:\WINDOWS\AolCInUn.exe
BarBack for Windows --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BarBack\BarBack for Windows\Uninst.isu"
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
--> C:\WINDOWS\IsUninst.exe -fC:\Sierra\CoolPool8ballNetDemo\Uninst.isu
Deewoo Network Manager removal --> C:\WINDOWS\System32\rcntpkdn.exe -UPop
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HMA Control Chart Version 1.0 --> "C:\TL100Records\unins000.exe"
hp instant support --> C:\PROGRA~1\HEWLET~1\AiO\HPis\Uninstall.exe CeS
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photo Printing Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
hp psc 700 series --> C:\WINDOWS\System32\hpocon09.exe /u 1143479452 /d "hp psc 700 series"
HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9D98F245-3010-43C6-B3B0-67A464DA298E}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Windows XP Hotfix - KB822603 --> C:\WINDOWS\$NtUninstallKB822603$\spuninst\spuninst.exe
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
McAfee.com SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
Microsoft .NET Framework (English) v1.0.3705 --> C:\WINDOWS\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Pop up Blocker v6.0.6 (remove only) --> "C:\Program Files\Pop up Blocker\uninst.exe"
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Samsung SCX-4100 Series --> C:\WINDOWS\Samsung\SCX-4100\SETUP.EXE
Pine-Pave 5.01 --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Microsoft Office\Office10\ST5UNST.LOG"
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\System32\targetedbanner-uninst.exe
TZO Internet Naming System --> C:\WINDOWS\iun6002.exe "C:\Program Files\TZO\irunin.ini"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
McAfee.com VirusScan Online --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Virtual Superpave Laboratory --> MsiExec.exe /I{4D1DFF63-706D-4885-AFE8-253B75F527F0}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
DAO --> MsiExec.exe /I{64116298-93C5-401D-B06C-39D8E3338508}
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
Microsoft Office Access 2003 --> MsiExec.exe /I{90150409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{975145C6-8BB2-41BF-A435-BB5A64B8DCF8}\SETUP.EXE"
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Microsoft .NET Framework (English) --> MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Oregon Scientific Photo Album --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5673AC2-0EDF-4EF8-99B6-D2F012B9877C}\setup.exe" -l0x0
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
--> MsiExec.exe /X{DEBEA68F-45AA-4707-A9A7-DBD6DB4FBE89}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F840E2F3-138C-4307-83F7-D0A5DD75B6CE}\SETUP.EXE" -l0x9
HRDE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCA9F7DD-524E-47B7-85EE-F2F22BE7B703}\Setup.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type46 / Error
Event Submitted/Written: 04/08/2008 07:17:13 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aromis.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

Event Record #/Type45 / Error
Event Submitted/Written: 04/08/2008 07:16:08 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application alt.exe.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x10105b05.

Event Record #/Type41 / Error
Event Submitted/Written: 04/08/2008 07:14:04 AM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type40 / Error
Event Submitted/Written: 04/08/2008 07:14:03 AM / 04/08/2008 07:14:04 AM
Event ID/Source: 4124 / Ci
Event Description:
Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart
the Indexing Service (cisvc).

Event Record #/Type39 / Warning
Event Submitted/Written: 04/08/2008 07:14:03 AM
Event ID/Source: 4132 / Ci
Event Description:
1 inconsistencies were detected in PropertyStore during recovery of catalog c:\system volume information\catalog.wci.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type108912 / Error
Event Submitted/Written: 04/08/2008 07:17:53 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type108895 / Error
Event Submitted/Written: 04/08/2008 07:10:35 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1053

Event Record #/Type108894 / Error
Event Submitted/Written: 04/08/2008 07:10:35 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.

Event Record #/Type108887 / Error
Event Submitted/Written: 04/08/2008 07:10:28 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.

Event Record #/Type108885 / Error
Event Submitted/Written: 04/08/2008 07:09:20 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Security Center service failed to start due to the following error:
%%1083



-- End of Deckard's System Scanner: finished at 2008-04-08 07:18:37 ------------

#8 kyle b (New Member, 12 posts)

Posted 08 April 2008 - 05:29 AM

I also found a virus called "blackster.scr" just looking through my system32 folder. This is what is causing the bugs on my screen.

#9 kyle b (New Member, 12 posts)

Posted 08 April 2008 - 07:07 AM

OK, I guess it was cmd.exe missing. I installed that and got SDFix to work. I ran it and here's what I got:


SDFix: Version 1.167
Run by Frank Butler on Tue 04/08/2008 at 08:40 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
ICF
TTLMS

Path:
C:\WINDOWS\System32\svchost.exe:exe.exe
C:\WINDOWS\System32\ttlms.exe

ICF - Deleted
TTLMS - Deleted

Killing PID 608 'ttlms.exe'
Killing PID 1068 'shell.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Restoring Default Schedule Service Path
Resetting AppInit_DLLs value


Rebooting

Service Xkhe30 - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{fed2e853-b7b9-4ec8-b178-12e896a07311}\RomCD.dll - Deleted
C:\WINDOWS\system32\kdtha.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\drivers\Xkhe30.sys - Deleted



Folder C:\WINDOWS\Installer\{fed2e853-b7b9-4ec8-b178-12e896a07311} - Removed
Folder C:\Program Files\iSecurity - Removed
Folder C:\Program Files\SystemDefender - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\gbRve12 - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\aqVreo01 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 43008 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 09:00:33
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\wowfx.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"load"="C:\WINDOWS\system32\wumss.exe"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\wumss.exe"="C:\\WINDOWS\\system32\\wumss.exe:*:Enabled:Windows Update Manager Security Service"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.exeExplorer.exe:*:Enabled:Windows Update Manager Security Service"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exewinlogon.exe:*:Enabled:Windows Update Manager Security Service"
"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"="C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exeC:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe:*:Enabled:Windows Update Manager Security Service"
"C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe"="C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frank Butler\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Frank Butler\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exeC:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Windows Update Manager Security Service"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\svchost.exe"="C:\\WINDOWS\\System32\\svchost.exeC:\\WINDOWS\\System32\\svchost.exe:*:Enabled:Windows Update Manager Security Service"
"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exec:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe:*:Enabled:Windows Update Manager Security Service"
"C:\\Documents and Settings\\Frank Butler\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Frank Butler\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frank Butler\\Application Data\\avsyscare.exe"="C:\\Documents and Settings\\Frank Butler\\Application Data\\avsyscare.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe"="C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\printer.exe"="C:\\WINDOWS\\System32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\System32\\spoolvs.exe"="C:\\WINDOWS\\System32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frank Butler\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Frank Butler\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frank Butler\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Frank Butler\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frank Butler\\Application Data\\avsyscare.exe"="C:\\Documents and Settings\\Frank Butler\\Application Data\\avsyscare.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

----------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:06:12 AM, on 4/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wumss.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SYSTEM32\jownw64o.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\rcntpkdn.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\STEM~1\nslookup.exe
C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" *
O4 - HKLM\..\Run: [{D3-3F-F7-76-DW}] C:\WINDOWS\SYSTEM32\jownw64o.exe DWram
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BMcbbe0c45] Rundll32.exe "C:\WINDOWS\System32\uvvhuiwe.dll",s
O4 - HKLM\..\Run: [c88d3fd9] rundll32.exe "C:\WINDOWS\System32\eumrpvnk.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\STEM~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\jownw64o.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429MMUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PD - {FE53AEB5-AEF4-4CFB-8DED-8E494A5F6D37} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145274234906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe
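The HijackThis and SDFix logs above contain most of the classic hijack markers a helper scans for by eye: a system.ini Shell= line that launches an extra binary, rundll32 autoruns keyed by random hex strings, lookalike directory names that HijackThis prints with "?" (the `?ymbols\w?auboot.exe` entry), a policy that disables regedit, O17 NameServer values pointing at public resolvers nobody configured, an SSODL entry, services with "Unknown owner" running from the Windows directory, and a service path that lives in an NTFS alternate data stream (`svchost.exe:exe.exe` in the SDFix output). The script below is an added example, written for this page and not part of HijackThis, SDFix or the thread; it encodes those checks as triage heuristics and runs them over a constructed sample built from the thread's own entries. The ICF O23 line in the sample is constructed from SDFix's service report, since HijackThis did not list it in that form. The resolver check treats any non-internal address as suspicious unless it is passed in `expected_resolvers`; a legitimate ISP resolver is also public, so compare against the resolvers the ISP actually hands out before acting on that finding.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample, modelled on the HijackThis log posted in this thread.
# The ICF line is constructed from SDFix's "Path:" report of the same service.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BMcbbe0c45] Rundll32.exe "C:\WINDOWS\System32\uvvhuiwe.dll",s
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe
O23 - Service: ICF (ICF) - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
""".strip("\n")

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
RANDOM_KEY_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{6,}")   # e.g. c88d3fd9, BMcbbe0c45
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
ADS_RE = re.compile(r"\.(exe|dll|sys):[^\\\s\"]", re.I)    # file.exe:stream
LOOKALIKE_RE = re.compile(r"\\[^\\\s\"]*\?")                # '?' inside a path component


def is_internal(ip):
    """RFC1918, loopback and link-local resolvers are normal on a home LAN."""
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage_line(line, expected_resolvers=frozenset()):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    findings = []

    # Path checks that apply to any entry type.
    if ADS_RE.search(body):
        findings.append(("high", "path points into an NTFS alternate data stream"))
    if LOOKALIKE_RE.search(body):
        findings.append(("high", "lookalike name: HijackThis prints non-ASCII path characters as '?'"))

    if kind == "F2":
        shell = re.search(r"Shell=(.*)", body, re.I)
        if shell and shell.group(1).strip().lower() != "explorer.exe":
            findings.append(("high", "Shell= is no longer plain Explorer.exe: " + shell.group(1).strip()))
    elif kind == "O4":
        key = re.search(r"\[([^\]]*)\]\s*(.*)", body)
        if key and RANDOM_KEY_RE.fullmatch(key.group(1)) and re.search(r"rundll32", key.group(2), re.I):
            findings.append(("high", "rundll32 autorun under random-looking key name " + key.group(1)))
    elif kind == "O7" and "DisableRegedit=1" in body:
        findings.append(("medium", "policy disables the Registry Editor"))
    elif kind == "O17":
        ns = re.search(r"NameServer\s*=\s*(.*)", body)
        if ns:
            suspicious = []
            for token in re.split(r"[,\s]+", ns.group(1).strip()):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if not is_internal(ip) and token not in expected_resolvers:
                    suspicious.append(token)
            if suspicious:
                findings.append(("high", "DNS resolver(s) neither internal nor expected: " + ", ".join(suspicious)))
    elif kind == "O21":
        findings.append(("medium", "ShellServiceObjectDelayLoad entry; Windows defaults are already filtered, review it"))
    elif kind == "O23":
        path = body.rsplit(" - ", 1)[-1].strip()
        if "Unknown owner" in body and WINDIR_RE.match(path):
            findings.append(("medium", "unknown-owner service running from the Windows directory"))
    return findings


def triage_log(text, expected_resolvers=frozenset()):
    """Run triage_line over every line; returns a list of (line, severity, reason)."""
    results = []
    for line in text.splitlines():
        for severity, reason in triage_line(line, expected_resolvers):
            results.append((line.strip(), severity, reason))
    return results


if __name__ == "__main__":
    for line, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

On the constructed sample this reports nine findings; the two O17 resolvers are the same 85.255.x.x pair that appears in every ControlSet in the posted log, which is what makes the hijack persistent across the "last known good" configuration as well as the current one.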

#10 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 08 April 2008 - 07:39 PM

Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

Go to Start -> Run -> copy/paste the following single line command in the Run box & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • ComboFix will automatically start. Any monitoring programs, such as your antivirus and antispyware programs, will be shut down.
  • DO NOT USE your computer for any other purpose while ComboFix is running. It could prove to be disastrous.
  • ComboFix may restart your computer; this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Microsoft MVP Consumer Security 2008 - 2009




#11 kyle b (New Member, 12 posts)

Posted 09 April 2008 - 05:20 AM

ComboFix 08-04-08.9 - Frank Butler 2008-04-09 7:07:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.83 [GMT -4:00]
Running from: C:\Documents and Settings\Frank Butler\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3.tmp
C:\4.tmp
C:\7.tmp
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\icroso~1
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.ren
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\racle~1
C:\Program Files\racle~1\?racle\
C:\Program Files\racle~1\svchost.exe
C:\temp\tn3
C:\WINDOWS\aromis.config
C:\WINDOWS\aromis.exe
C:\WINDOWS\BMcbbe0c45.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\shell.exe
C:\WINDOWS\stem~1
C:\WINDOWS\stem~1\??stem\
C:\WINDOWS\stem~1\nslookup.exe
C:\WINDOWS\SYSTEM32\.exe
C:\WINDOWS\SYSTEM32\abeeg.ini
C:\WINDOWS\SYSTEM32\abeeg.ini2
C:\WINDOWS\system32\aofpbic.dll
C:\WINDOWS\system32\arykdmx.dll
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\SYSTEM32\bccdd.ini
C:\WINDOWS\SYSTEM32\bccdd.ini2
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\crxhlbck.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\MODEMM.sys
C:\WINDOWS\system32\drivers\Oktj56.sys
C:\WINDOWS\system32\drivers\Qva26.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\Swj45.sys
C:\WINDOWS\system32\eumrpvnk.dll
C:\WINDOWS\system32\eyshyxwp.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~1\l?rear.exe
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\gebyabb.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\gjaucsrn.dll
C:\WINDOWS\system32\iifeeba.dll
C:\WINDOWS\system32\iiffcbx.dll
C:\WINDOWS\system32\jjbykcbo.dll
C:\WINDOWS\system32\kdybvjln.dll
C:\WINDOWS\SYSTEM32\knvprmue.ini
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\nrscuajg.ini
C:\WINDOWS\system32\oxnaopwe.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfmrujqw.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\SYSTEM32\qgsglhuw.ini
C:\WINDOWS\system32\qommlig.dll
C:\WINDOWS\SYSTEM32\rtutv.ini
C:\WINDOWS\SYSTEM32\rtutv.ini2
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\ssqpopp.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\sytsepkj.dll
C:\WINDOWS\system32\urqonop.dll
C:\WINDOWS\system32\uvvhuiwe.dll
C:\WINDOWS\system32\vqtvmufk.dll
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\SYSTEM32\wqjurmfp.ini
C:\WINDOWS\system32\wuhlgsgq.dll
C:\WINDOWS\system32\wvutust.dll
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\xxyxwuv.dll
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ymbols~1\w?auboot.exe
C:\WINDOWS\system32\zxdnt3d.cfg

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
hxxp://eservicesupport.us.dell.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MODEMM
-------\Legacy_OKTJ56
-------\Legacy_QVA26
-------\Legacy_SWJ45
-------\Service_MODEMM
-------\Service_Oktj56
-------\Service_Qva26
-------\Service_Swj45


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 06:59 . 2008-04-09 06:59 269,334 --a------ C:\WINDOWS\SYSTEM32\adormlonmt.bmp
2008-04-08 10:09 . 2008-04-08 10:09 269,334 --a------ C:\WINDOWS\SYSTEM32\ofilcrehojmpsr.bmp
2008-04-08 10:02 . 2008-04-08 10:02 <DIR> d-------- C:\Documents and Settings\Mark H\Application Data\MailFrontier
2008-04-08 10:01 . 2008-04-08 10:01 269,334 --a------ C:\WINDOWS\SYSTEM32\lkjqlobapgr.bmp
2008-04-08 09:04 . 2008-04-08 09:04 269,334 --a------ C:\WINDOWS\SYSTEM32\psfmhgrmd.bmp
2008-04-08 08:34 . 2008-04-08 08:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 08:33 . 2008-04-08 08:33 5,120 --a------ C:\Documents and Settings\Frank Butler\ftp33.dll
2008-04-08 08:30 . 2004-08-04 07:00 399,872 --a------ C:\WINDOWS\SYSTEM32\cmd.exe
2008-04-08 08:29 . 2008-04-08 08:29 0 --a------ C:\LOG16E.tmp
2008-04-08 08:25 . 2008-04-08 08:25 19,968 --a------ C:\Program Files\tmp4814218.exe
2008-04-08 08:25 . 2008-04-08 08:25 19,968 --a------ C:\Program Files\tmp4813265.exe
2008-04-08 07:24 . 2008-04-08 07:24 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-08 07:11 . 2008-04-08 07:11 <DIR> d-------- C:\Deckard
2008-04-08 07:06 . 2008-04-08 07:06 269,334 --a------ C:\WINDOWS\SYSTEM32\mlsbitoridcf.bmp
2008-04-08 07:06 . 2008-04-08 08:33 5,120 --a------ C:\WINDOWS\SYSTEM32\ftp33.dll
2008-04-07 13:08 . 2008-04-07 13:08 98,304 --a------ C:\Program Files\tmp11497234.exe
2008-04-07 13:08 . 2008-04-07 13:08 32,768 --a------ C:\Program Files\tmp11498515.exe
2008-04-07 13:07 . 2008-04-07 13:07 131,072 --a------ C:\Program Files\tmp11462531.exe
2008-04-07 13:07 . 2008-04-07 13:07 32,768 --a------ C:\Program Files\tmp11463531.exe
2008-04-07 13:07 . 2008-04-07 13:07 32,768 --a------ C:\Program Files\tmp11434328.exe
2008-04-07 13:06 . 2008-04-07 13:06 98,304 --a------ C:\Program Files\tmp11426468.exe
2008-04-07 13:06 . 2008-04-07 13:06 32,768 --a------ C:\Program Files\tmp11430937.exe
2008-04-07 12:36 . 2008-04-07 12:36 98,304 --a------ C:\Program Files\tmp9602015.exe
2008-04-07 12:36 . 2008-04-07 12:36 35,576 --a------ C:\Program Files\tmp9571296.exe
2008-04-07 12:35 . 2008-04-07 12:35 16,464 --a------ C:\Program Files\tmp9562843.exe
2008-04-07 11:58 . 2008-04-07 11:58 98,304 --a------ C:\Program Files\tmp7295546.exe
2008-04-07 11:58 . 2008-04-07 11:58 32,768 --a------ C:\Program Files\tmp7307171.exe
2008-04-07 11:55 . 2008-04-07 11:55 163,840 --a------ C:\Program Files\tmp7169453.exe
2008-04-07 11:55 . 2008-04-07 11:55 32,768 --a------ C:\Program Files\tmp7170015.exe
2008-04-07 11:54 . 2008-04-07 11:54 163,840 --a------ C:\Program Files\tmp7095437.exe
2008-04-07 11:54 . 2008-04-07 11:54 131,072 --a------ C:\Program Files\tmp7097953.exe
2008-04-07 11:54 . 2008-04-07 11:54 65,536 --a------ C:\Program Files\tmp7106578.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7097937.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7095296.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7095281.exe
2008-04-07 11:04 . 2008-04-07 11:04 72,566 --a------ C:\WINDOWS\SYSTEM32\GameFly_2.ico
2008-04-07 10:51 . 2008-04-07 10:52 <DIR> d-------- C:\Documents and Settings\Frank Butler\.housecall6.6
2008-04-07 10:51 . 2008-04-07 10:51 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-04-07 10:50 . 2008-04-07 10:50 <DIR> d-------- C:\WINDOWS\Sun
2008-04-07 10:46 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-07 10:45 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\Java
2008-04-07 10:44 . 2008-04-07 10:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-07 10:36 . 2008-04-07 10:36 <DIR> d-------- C:\Program Files\Pop up Blocker
2008-04-07 10:30 . 2001-03-18 17:36 21,264 --a------ C:\WINDOWS\SYSTEM32\rundll32.exe
2008-04-07 10:30 . 2001-03-18 20:37 5,708 --a------ C:\WINDOWS\SYSTEM32\k9371937.DLL
2008-04-07 10:19 . 2008-04-07 10:19 131,072 --a------ C:\Program Files\tmp1370609.exe
2008-04-07 10:19 . 2008-04-07 10:19 32,768 --a------ C:\Program Files\tmp1361718.exe
2008-04-07 10:18 . 2008-04-07 10:18 65,536 --a------ C:\Program Files\tmp1321828.exe
2008-04-07 10:02 . 2008-04-07 10:02 35,648 --a------ C:\Program Files\tmp305562.exe
2008-04-07 10:02 . 2008-04-07 10:02 35,540 --a------ C:\Program Files\tmp305328.exe
2008-04-07 10:02 . 2008-04-07 10:02 32,768 --a------ C:\Program Files\tmp305093.exe
2008-04-07 10:01 . 2008-04-07 10:01 195,072 --a------ C:\Program Files\tmp305109.exe
2008-04-07 10:01 . 2008-04-07 10:01 16,600 --a------ C:\Program Files\tmp305375.exe
2008-04-07 09:57 . 2008-04-07 09:57 269,334 --a------ C:\WINDOWS\SYSTEM32\cnidgred.bmp
2008-04-07 08:56 . 2008-04-07 08:58 48,640 --a------ C:\91.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\9B.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\9A.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\99.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\98.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\97.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\95.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\93.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\90.tmp
2008-04-07 08:42 . 2008-04-07 08:42 <DIR> d-------- C:\Documents and Settings\Frank Butler\Application Data\Uniblue
2008-04-07 08:40 . 2008-04-07 08:40 35,664 --a------ C:\Program Files\tmp227390.exe
2008-04-07 08:40 . 2008-04-07 08:40 35,512 --a------ C:\Program Files\tmp226312.exe
2008-04-07 08:40 . 2008-04-07 08:40 16,496 --a------ C:\Program Files\tmp225125.exe
2008-04-07 08:37 . 2008-04-07 08:37 269,334 --a------ C:\WINDOWS\SYSTEM32\pcnapof.bmp
2008-04-07 08:37 . 2008-04-07 08:38 48,640 --a------ C:\94.tmp
2008-04-07 08:37 . 2008-04-07 08:37 2 --a------ C:\8F.tmp
2008-04-07 08:37 . 2008-04-07 08:37 0 --a------ C:\92.tmp
2008-04-07 08:36 . 2008-04-07 08:37 47,104 --a------ C:\8E.tmp
2008-04-07 08:36 . 2008-04-07 08:36 0 --a------ C:\8C.tmp
2008-04-07 08:12 . 2008-04-08 09:03 <DIR> d-------- C:\SDFix
2008-04-07 07:35 . 2008-04-07 07:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\bharebio01
2008-04-07 07:35 . 2008-04-07 07:36 <DIR> d-------- C:\Temp\wdlw14
2008-04-07 07:29 . 2008-04-07 07:29 167,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msoft98.sys
2008-04-07 07:28 . 2008-04-07 07:28 97,792 --a------ C:\Program Files\tmp275359.exe
2008-04-07 07:28 . 2008-04-07 07:28 35,576 --a------ C:\Program Files\tmp275281.exe
2008-04-07 07:28 . 2008-04-07 07:28 16,508 --a------ C:\Program Files\tmp275375.exe
2008-04-07 07:27 . 2008-04-07 07:27 16,488 --a------ C:\Program Files\tmp275218.exe
2008-04-07 07:24 . 2008-04-07 07:24 269,334 --a------ C:\WINDOWS\SYSTEM32\cjelsbedorepsf.bmp
2008-04-07 07:24 . 2008-04-07 07:24 48,640 --a------ C:\8D.tmp
2008-04-07 07:23 . 2008-04-07 07:23 47,104 --a------ C:\89.tmp
2008-04-07 07:23 . 2008-04-07 07:23 2 --a------ C:\8B.tmp
2008-04-07 07:23 . 2008-04-07 07:23 0 --a------ C:\8A.tmp
2008-04-07 07:02 . 2008-04-07 07:02 35,604 --a------ C:\Program Files\tmp569359.exe
2008-04-07 06:59 . 2008-04-07 06:59 16,472 --a------ C:\Program Files\tmp402703.exe
2008-04-07 06:53 . 2008-04-07 06:53 269,334 --a------ C:\WINDOWS\SYSTEM32\tcbat.bmp
2008-04-07 06:53 . 2008-04-07 06:53 48,640 --a------ C:\87.tmp
2008-04-07 06:53 . 2008-04-07 06:53 47,104 --a------ C:\86.tmp
2008-04-07 06:53 . 2008-04-07 06:53 2 --a------ C:\88.tmp
2008-04-05 08:48 . 2008-04-05 08:48 269,334 --a------ C:\WINDOWS\SYSTEM32\qlcrqdgbep.bmp
2008-04-05 08:47 . 2008-04-05 08:48 48,640 --a------ C:\84.tmp
2008-04-05 08:47 . 2008-04-05 08:47 48,640 --a------ C:\83.tmp
2008-04-05 08:47 . 2008-04-05 08:48 2 --a------ C:\85.tmp
2008-04-04 15:54 . 2008-04-04 15:54 16,560 --a------ C:\Program Files\tmp319250.exe
2008-04-04 15:54 . 2008-04-04 15:54 16,492 --a------ C:\Program Files\tmp319062.exe
2008-04-04 15:42 . 2008-04-07 10:18 125,440 -r-hs---- C:\WINDOWS\SYSTEM32\iSecurity.cpl
2008-04-04 14:17 . 2008-04-04 14:17 64,000 --a------ C:\Program Files\tmp337140.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 22:52 2,129,408 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-08 14:07 2,852,352 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-04-07 13:10 2,865,152 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-04-07 13:10 2,022,912 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-04-07 12:56 2,992,640 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-04-07 12:56 2,018,304 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-04-05 14:40 1,999,872 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2008-04-05 14:10 1,999,360 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-04-05 14:09 1,728,000 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-04-05 12:47 --------- d-----w C:\Program Files\Common Files\aol
2008-04-04 19:53 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\MSN6
2008-04-04 19:49 1,180,633 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-03 19:03 2,927,104 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2008-04-03 18:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 12:00 2,777,088 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-04-03 12:00 1,970,688 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-04-02 15:34 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-04-02 15:34 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-04-02 15:25 714,240 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-04-02 15:25 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-04-02 14:21 193,024 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-04-02 14:21 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-04-02 14:02 150,528 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-02 14:02 1,919,488 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-04-02 13:58 65,536 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-04-02 13:58 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-04-02 13:10 89,600 ----a-w C:\WINDOWS\SYSTEM32\DRWTSN32.EXE
2008-04-02 13:10 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-02 13:10 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-02 13:00 1,923,072 ----a-w C:\WINDOWS\Internet Logs\xDB3F.tmp
2008-04-02 13:00 1,137,664 ----a-w C:\WINDOWS\Internet Logs\xDB3E.tmp
2008-04-02 10:18 1,916,928 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-02 10:18 1,013,760 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-02 10:16 81,920 ----a-w C:\WINDOWS\SYSTEM32\HPZipm12.exe
2008-04-02 10:16 359,936 ----a-w C:\WINDOWS\SYSTEM32\fxssvc.exe
2008-04-02 10:15 204,800 ----a-w C:\WINDOWS\SYSTEM32\nvsvc32.exe
2008-04-02 10:15 192,512 ----a-w C:\WINDOWS\SYSTEM32\DWWIN.EXE
2008-04-02 10:15 16,384 ----a-w C:\WINDOWS\SYSTEM32\CISVC.EXE
2008-04-02 10:15 128,000 ----a-w C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
2008-04-01 19:05 2,780,672 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-01 18:05 651,264 ----a-w C:\WINDOWS\SYSTEM32\SSTEXT3D.SCR
2008-04-01 18:03 84,992 ----a-w C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
2008-04-01 17:58 100,864 ----a-w C:\WINDOWS\SYSTEM32\SOL.EXE
2008-04-01 17:54 1,775,616 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-04-01 17:54 1,008,640 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-04-01 17:53 77,824 ----a-w C:\WINDOWS\wanmpsvc.exe
2008-04-01 17:51 135,168 ----a-w C:\WINDOWS\BCMSMMSG.exe
2008-04-01 17:50 1,250,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-01 17:45 2,815,488 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-01 17:45 1,763,328 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-01 17:44 139,776 ----a-w C:\WINDOWS\SYSTEM32\TASKMGR.EXE
2008-04-01 17:43 164,352 ----a-w C:\WINDOWS\SYSTEM32\USERINIT.EXE
2008-04-01 16:15 24,064 ----a-w C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2008-04-01 16:14 62,976 ----a-w C:\WINDOWS\SYSTEM32\~.exe
2008-03-14 04:11 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-11 16:28 557,056 ----a-w C:\WINDOWS\JAVA\GoToAssist_phone__317_en.exe
2008-03-07 13:40 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\AdobeUM
2008-03-06 16:51 --------- d-----w C:\Program Files\TZO
2008-03-05 15:18 --------- d-----w C:\Program Files\America Online 8.0
2008-03-03 12:22 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\AdobeAUM
2008-02-28 20:25 --------- d-----w C:\Program Files\Google
2008-02-28 19:27 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\Viewpoint
2008-02-28 19:23 --------- d-----w C:\Program Files\Modem Helper
2008-02-28 19:23 --------- d-----w C:\Program Files\EarthLink 5.0
2008-02-28 19:20 --------- d-----w C:\Program Files\Yahoo!
2008-02-28 18:58 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\U3
2008-02-28 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-28 14:11 --------- d-----w C:\Program Files\Viewpoint
2008-02-28 14:11 --------- d-----w C:\Program Files\AOL Search
2008-02-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-27 13:47 1,366,016 --sh--r C:\WINDOWS\SYSTEM32\ttlms.exe
2008-01-15 21:52 185,344 --sha-w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
.

------- Sigcheck -------

2008-04-01 12:15 24064 dd6ff528b4668240e45dbcd2a2443e11 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2002-08-29 06:00 1048064 53ebb982a02260dedc847aa23cfa999c C:\WINDOWS\EXPLORER.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08 1654813]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 317952]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Wwaa"="C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"Pop up Blocker"="C:\Program Files\Pop up Blocker\pd.exe" [2007-01-12 17:43 1201664]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [2005-08-15 08:04 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2008-04-01 13:51 135168 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 40960]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 18:15 204800]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 10:28 196608]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-05-11 12:13 163885]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-04-01 13:56 794624]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 16:09 151552]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 102400]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-04-01 13:47 167936]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-04-01 13:53 102449]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-04-02 07:59 299008]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 61440]
"Windows Update Manager Security Service"="C:\WINDOWS\system32\wumss.exe" [2008-03-10 06:58 418936]
"{D3-3F-F7-76-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-01 12:19 126984]
"g]eeV\mWhjlnspB"="C:\WINDOWS\System32\rcntpkdn.exe" [2008-04-01 12:21 208972]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Printer"="C:\WINDOWS\System32\printer.exe" [2005-08-15 08:04 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Manager Security Service"="C:\WINDOWS\system32\wumss.exe" [2008-03-10 06:58 418936]

C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\SYSTEM32\rcntpkdn.exe [2008-04-01 12:21:49 208972]
DW_Start.lnk - C:\WINDOWS\SYSTEM32\rwwnw64d.exe [2008-04-01 12:19:50 126984]
findfast.exe [2005-08-15 08:04:52 57344]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
findfast.exe [2005-08-05 01:37:13 57344]

C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\SYSTEM32\rcntpkdn.exe [2008-04-01 12:21:49 208972]
DW_Start.lnk - C:\WINDOWS\SYSTEM32\jownw64o.exe [2008-04-01 14:16:23 127000]
findfast.exe [2005-08-07 02:34:24 57344]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 40960]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-05-11 12:12:46 245835]
autorun.exe [2005-08-06 04:46:28 57344]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll [2008-04-01 12:15 261632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TZOClient]
--a------ 2005-06-17 04:02 1003520 C:\Program Files\TZO\TZOClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wumss.exe"=
"C:\\WINDOWS\\Explorer.EXE"=C:\\WINDOWS\\Explorer.EXE
"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe
"C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe"=
"C:\\WINDOWS\\System32\\printer.exe"=
"C:\\WINDOWS\\System32\\spoolvs.exe"=
"C:\\WINDOWS\\shell.exe"=
"C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe"=
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=
"%windir%\\system32\\winav.exe"=
"C:\\Documents and Settings\\Frank Butler\\Start Menu\\Programs\\Startup\\findfast.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=C:\\Program Files\\Internet Explorer\\iexplore.exe
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"=
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"=
"C:\\WINDOWS\\System32\\svchost.exe"=C:\\WINDOWS\\System32\\svchost.exe
"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe"=c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Mark H\\Start Menu\\Programs\\Startup\\findfast.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2008-04-02 06:16]
R2 wumss;Windows Update Manager Security Service;C:\WINDOWS\system32\wumss.exe [2008-03-10 06:58]
S2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-03-07 15:12]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 22:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 06:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]
S3 SMALUSB;Digital Camera Driver;C:\WINDOWS\System32\DRIVERS\smalidt.sys [2002-05-31 02:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 11:16:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D7174T21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:14:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Alicia Dunlow).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:15:02 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Dale Holt).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agen
"2008-04-09 11:13:43 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Frank Butler).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:15:03 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark H).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent.Mark HXMcAfee.com SecurityCenter periodically checks for updates for your McAfee.com Services.
"2008-04-09 11:15:03 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark II).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:12:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-mark).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:15:04 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-randy).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 11:08:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-user).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2006-11-09 14:57:07 C:\WINDOWS\Tasks\WebReg officejet 6200 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 07:13:43
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\spoolvs.exe 57344 bytes executable
C:\WINDOWS\system32\printer.exe 57344 bytes executable
C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\System32\\rcntpkdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-09 7:17:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 11:17:00
Pre-Run: 111,914,680,320 bytes free
Post-Run: 111,813,402,624 bytes free

-------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:19:13 AM, on 4/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rcntpkdn.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\system32\wumss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" *
O4 - HKLM\..\Run: [{D3-3F-F7-76-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429MMUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PD - {FE53AEB5-AEF4-4CFB-8DED-8E494A5F6D37} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145274234906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS3\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS4\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe

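The HijackThis log above ends with the entries a helper reads first: the O17 NameServer values pointing at 85.255.116.100 and 85.255.112.115, the F2 Winlogon shell override that launches C:\WINDOWS\shell.exe, and the O21 SSODL entry loading cryper.dll. The Python script below is an added triage example, not code from this thread or from HijackThis: it parses log lines of that shape (the sample is constructed from the entries in this log, with a placeholder GUID for the one benign SSODL line) and reports resolvers outside an assumed allowlist (TRUSTED_RESOLVERS, hypothetical values), a shell value that is not plain Explorer.exe, and SSODL DLLs outside a small assumed baseline (BASELINE_SSODL_DLLS).

```python
"""Triage helper for HijackThis-style log lines.

Flags the three entry types that mark this infection in the log above:
O17 NameServer (DNS changer), F2 Shell (replaced Winlogon shell) and
O21 SSODL (third-party DLL loaded by Explorer at logon).
Added example for the thread, not part of HijackThis or the original post.
"""
import ipaddress
import re

# Constructed sample: lines shaped like the HijackThis log in this thread.
# The WebCheck line carries a placeholder GUID, not a real CLSID.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O21 - SSODL: WebCheck - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\webcheck.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed allowlist of resolvers this network legitimately uses (hypothetical values).
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}
# Assumed (partial) baseline of SSODL DLL names that ship with Windows XP.
BASELINE_SSODL_DLLS = {"webcheck.dll", "shell32.dll", "stobject.dll"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


def triage(log_text, trusted=TRUSTED_RESOLVERS, baseline=BASELINE_SSODL_DLLS):
    """Return (section, reason, details) tuples for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O17_RE.match(line)
        if m:
            # HijackThis prints NameServer lists comma- or space-separated.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            rogue = []
            for s in servers:
                if s in trusted:
                    continue
                try:
                    kind = "public" if ipaddress.ip_address(s).is_global else "unlisted"
                except ValueError:
                    kind = "malformed"
                rogue.append(f"{s} ({kind})")
            if rogue:
                findings.append(("O17", "NameServer outside allowlist", rogue))
            continue

        m = F2_RE.match(line)
        if m:
            shell = m.group("shell").strip()
            # A healthy XP box has Shell=Explorer.exe and nothing appended to it.
            if shell.lower() != "explorer.exe":
                findings.append(("F2", "Winlogon Shell is not plain Explorer.exe", [shell]))
            continue

        m = O21_RE.match(line)
        if m:
            path = m.group("path").strip()
            dll = path.rsplit("\\", 1)[-1].lower()
            if dll not in baseline:
                findings.append(("O21", "SSODL DLL outside baseline", [m.group("name"), path]))

    return findings


if __name__ == "__main__":
    for section, reason, details in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {'; '.join(details)}")
```

Run against the sample it reports the two O17 lines, the F2 override and the CheckWeb SSODL entry, and stays quiet on the R0, O4, O23 and WebCheck lines. The allowlist and baseline are the knobs to adjust per site; any resolver or DLL outside them is a review item, not an automatic verdict.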
#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 09 April 2008 - 10:48 AM

A. First to fix the file associations:

To repair the faulty file associations, please do the following:
  • Make sure that DSS.exe is located on your Desktop.
  • Click on your START button, then choose Run. A little box will appear.
  • Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

    "%userprofile%\desktop\dss.exe" /daft


  • This will start DSS in a different way. A small window will appear.
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.


B. Now for the Wareout infection:

Please download FixWareout from the following site:
http://download.blee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Please post the text that will open (report.txt).


C. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\SYSTEM32\adormlonmt.bmp
C:\WINDOWS\SYSTEM32\ofilcrehojmpsr.bmp
C:\WINDOWS\SYSTEM32\lkjqlobapgr.bmp
C:\WINDOWS\SYSTEM32\psfmhgrmd.bmp
C:\Documents and Settings\Frank Butler\ftp33.dll
C:\LOG16E.tmp
C:\Program Files\tmp4814218.exe
C:\Program Files\tmp4813265.exe
C:\WINDOWS\SYSTEM32\mlsbitoridcf.bmp
C:\WINDOWS\SYSTEM32\ftp33.dll
C:\Program Files\tmp11497234.exe
C:\Program Files\tmp11498515.exe
C:\Program Files\tmp11462531.exe
C:\Program Files\tmp11463531.exe
C:\Program Files\tmp11434328.exe
C:\Program Files\tmp11426468.exe
C:\Program Files\tmp11430937.exe
C:\Program Files\tmp9602015.exe
C:\Program Files\tmp9571296.exe
C:\Program Files\tmp9562843.exe
C:\Program Files\tmp7295546.exe
C:\Program Files\tmp7307171.exe
C:\Program Files\tmp7169453.exe
C:\Program Files\tmp7170015.exe
C:\Program Files\tmp7095437.exe
C:\Program Files\tmp7097953.exe
C:\Program Files\tmp7106578.exe
C:\Program Files\tmp7097937.exe
C:\Program Files\tmp7095296.exe
C:\Program Files\tmp7095281.exe
C:\WINDOWS\SYSTEM32\GameFly_2.ico
C:\Program Files\tmp1370609.exe
C:\Program Files\tmp1361718.exe
C:\Program Files\tmp1321828.exe
C:\Program Files\tmp305562.exe
C:\Program Files\tmp305328.exe
C:\Program Files\tmp305093.exe
C:\Program Files\tmp305109.exe
C:\Program Files\tmp305375.exe
C:\WINDOWS\SYSTEM32\cnidgred.bmp
C:\91.tmp
C:\9B.tmp
C:\9A.tmp
C:\99.tmp
C:\98.tmp
C:\97.tmp
C:\95.tmp
C:\93.tmp
C:\90.tmp
C:\Program Files\tmp227390.exe
C:\Program Files\tmp226312.exe
C:\Program Files\tmp225125.exe
C:\WINDOWS\SYSTEM32\pcnapof.bmp
C:\94.tmp
C:\8F.tmp
C:\92.tmp
C:\8E.tmp
C:\8C.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\msoft98.sys
C:\Program Files\tmp275359.exe
C:\Program Files\tmp275281.exe
C:\Program Files\tmp275375.exe
C:\Program Files\tmp275218.exe
C:\WINDOWS\SYSTEM32\cjelsbedorepsf.bmp
C:\8D.tmp
C:\89.tmp
C:\8B.tmp
C:\8A.tmp
C:\Program Files\tmp569359.exe
C:\Program Files\tmp402703.exe
C:\WINDOWS\SYSTEM32\tcbat.bmp
C:\87.tmp
C:\86.tmp
C:\88.tmp
C:\WINDOWS\SYSTEM32\qlcrqdgbep.bmp
C:\84.tmp
C:\83.tmp
C:\85.tmp
C:\Program Files\tmp319250.exe
C:\Program Files\tmp319062.exe
C:\WINDOWS\SYSTEM32\iSecurity.cpl
C:\Program Files\tmp337140.exe
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB89.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB70.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB3F.tmp
C:\WINDOWS\Internet Logs\xDB3E.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB30.tmp
C:\WINDOWS\Internet Logs\xDB2F.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\SYSTEM32\~.exe
C:\WINDOWS\SYSTEM32\ttlms.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\rcntpkdn.exe
C:\WINDOWS\system32\wumss.exe
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\C:\WINDOWS\SYSTEM32\rcntpkdn.exe
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\C:\WINDOWS\SYSTEM32\rcntpkdn.exe
C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\C:\WINDOWS\SYSTEM32\rwwnw64d.exe
 C:\WINDOWS\System32\cryper.dll

Folder::
C:\WINDOWS\SYSTEM32\bharebio01
C:\Temp
C:\SDFix

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wwaa"=-
"Uniblue RegistryBooster 2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{D3-3F-F7-76-DW}"=-
"g]eeV\mWhjlnspB"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Manager Security Service"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F5735C15-1FB2-41FE-BA12-242757E69DDE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F5735C15-1FB2-41FE-BA12-242757E69DDE}]
[-HKEY_CLASSES_ROOT\TYPELIB\{F5735C15-1FB2-41FE-BA12-242757E69DDE}]

Driver::
wumss

Rootkit::
C:\WINDOWS\system32\spoolvs.exe 
C:\WINDOWS\system32\printer.exe 
C:\WINDOWS\system32\zxdnt3d.cfg
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. Do not use your computer for any other purpose while ComboFix is running.

5. All your monitoring programs (Antivirus/Antispyware, Guards and Shields) will be stopped.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


D. Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

    Posted Image

  • Click the Save as Text button to save the file to your desktop and post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


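As an added example that is not part of this thread or of ComboFix itself: a small Python parser for the CFScript layout used in step C above (KillAll::, File::, Folder::, Registry::, Driver::, Rootkit::). It reconciles the File:: entries against the "Other Deletions" list of the ComboFix log that comes back, so a helper can see which scripted files were reported deleted and which were not, and it flags entries whose path contains a second drive letter, which can never match a real file. The sample script and log are constructed from a few of the paths on this page; the meaning of `"Name"=-` and `[-KEY]` lines is taken from .reg-file convention and is an assumption here.

```python
import re
from collections import OrderedDict

# "Name::" alone on a line opens a CFScript section.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# A second "X:\" inside a path (e.g. "...\Startup\C:\WINDOWS\...") means the
# entry was pasted wrongly and can never match a real file on disk.
DOUBLE_DRIVE_RE = re.compile(r"^[A-Za-z]:\\.*[A-Za-z]:\\")


def parse_cfscript(text):
    """Return an ordered {section: [entries]} map; text before the first header is ignored."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def normalize_path(path):
    """Windows paths are case-insensitive and ComboFix echoes them in mixed case."""
    return path.strip().casefold()


def deletions_from_log(log_text):
    """Collect the paths printed under the 'Other Deletions' banner of a ComboFix log."""
    deleted, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("(") and "Other Deletions" in line:
            in_section = True
        elif in_section and line.startswith("(((("):   # next banner ends the section
            break
        elif in_section and line.strip() not in ("", "."):
            deleted.append(normalize_path(line))
    return deleted


def registry_removals(sections):
    """{key: [value names]} from the Registry:: lines; a '[-KEY]' line
    (whole-key removal, .reg convention, assumed here) is recorded as ['*']."""
    out, key = OrderedDict(), None
    for line in sections.get("Registry", []):
        if line.startswith("[-") and line.endswith("]"):
            out[line[2:-1]] = ["*"]
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            out.setdefault(key, [])
        elif key is not None and line.endswith("=-"):
            out[key].append(line[:-2].strip('"'))
    return out


def reconcile(script_text, log_text):
    """Sort each File:: entry into deleted / not_reported / malformed."""
    deleted = set(deletions_from_log(log_text))
    report = {"deleted": [], "not_reported": [], "malformed": []}
    for entry in parse_cfscript(script_text).get("File", []):
        if DOUBLE_DRIVE_RE.match(entry):
            report["malformed"].append(entry)
        elif normalize_path(entry) in deleted:
            report["deleted"].append(entry)
        else:
            report["not_reported"].append(entry)
    return report


# Constructed sample script and log, using a few of the paths from this thread.
SAMPLE_SCRIPT = r"""
KillAll::

File::
C:\WINDOWS\system32\wumss.exe
C:\WINDOWS\SYSTEM32\~.exe
C:\WINDOWS\SYSTEM32\ttlms.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\C:\WINDOWS\SYSTEM32\rcntpkdn.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wwaa"=-
[-HKEY_CLASSES_ROOT\CLSID\{F5735C15-1FB2-41FE-BA12-242757E69DDE}]
"""

SAMPLE_LOG = r"""
ComboFix 08-04-08.9 - 2008-04-10 7:11:34.2 - NTFSx86
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\spoolvs.exe
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
"""
```

Entries that end up in `not_reported` are the ones to look for again in the fresh HijackThis log, since ComboFix did not list them as removed.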

#13 kyle b

kyle b

    New Member

  • New Member
  • 12 posts

Posted 10 April 2008 - 05:28 AM

Well, I haven't run the virus scan yet, as I am busy at work. I don't have much time to be on the computer as I am on the road all the time. The FixWareout did not leave me a report.txt nor open one. Here are the ones I have.


ComboFix 08-04-08.9 - Frank Butler 2008-04-10 7:11:34.2 - NTFSx86
Running from: C:\Documents and Settings\Frank Butler\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Frank Butler\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Alicia Dunlow\ftpdll.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Mark H\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\dscc.dll
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-10 07:18 . 185 C:\1.reg
2008-04-10 07:03 . 2008-04-10 07:03 5,120 --a------ C:\WINDOWS\SYSTEM32\ftp33.dll
2008-04-10 07:00 . 2008-04-10 07:01 <DIR> d-------- C:\fixwareout
2008-04-09 06:59 . 2008-04-09 06:59 269,334 --a------ C:\WINDOWS\SYSTEM32\adormlonmt.bmp
2008-04-08 10:09 . 2008-04-08 10:09 269,334 --a------ C:\WINDOWS\SYSTEM32\ofilcrehojmpsr.bmp
2008-04-08 10:02 . 2008-04-08 10:02 <DIR> d-------- C:\Documents and Settings\Mark H\Application Data\MailFrontier
2008-04-08 10:01 . 2008-04-08 10:01 269,334 --a------ C:\WINDOWS\SYSTEM32\lkjqlobapgr.bmp
2008-04-08 09:04 . 2008-04-08 09:04 269,334 --a------ C:\WINDOWS\SYSTEM32\psfmhgrmd.bmp
2008-04-08 08:34 . 2008-04-08 08:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-08 08:30 . 2004-08-04 07:00 399,872 --a------ C:\WINDOWS\SYSTEM32\cmd.exe
2008-04-08 08:29 . 2008-04-08 08:29 0 --a------ C:\LOG16E.tmp
2008-04-08 08:25 . 2008-04-08 08:25 65,536 --a------ C:\Program Files\tmp4814218.exe
2008-04-08 08:25 . 2008-04-08 08:25 65,536 --a------ C:\Program Files\tmp4813265.exe
2008-04-08 07:24 . 2008-04-08 07:24 9,662 --a------ C:\WINDOWS\SYSTEM32\ZoneAlarmIconUS.ico
2008-04-08 07:11 . 2008-04-08 07:11 <DIR> d-------- C:\Deckard
2008-04-08 07:06 . 2008-04-08 07:06 269,334 --a------ C:\WINDOWS\SYSTEM32\mlsbitoridcf.bmp
2008-04-07 13:08 . 2008-04-07 13:08 98,304 --a------ C:\Program Files\tmp11497234.exe
2008-04-07 13:08 . 2008-04-07 13:08 32,768 --a------ C:\Program Files\tmp11498515.exe
2008-04-07 13:07 . 2008-04-07 13:07 131,072 --a------ C:\Program Files\tmp11462531.exe
2008-04-07 13:07 . 2008-04-07 13:07 32,768 --a------ C:\Program Files\tmp11463531.exe
2008-04-07 13:07 . 2008-04-07 13:07 32,768 --a------ C:\Program Files\tmp11434328.exe
2008-04-07 13:06 . 2008-04-07 13:06 98,304 --a------ C:\Program Files\tmp11426468.exe
2008-04-07 13:06 . 2008-04-07 13:06 32,768 --a------ C:\Program Files\tmp11430937.exe
2008-04-07 12:36 . 2008-04-07 12:36 98,304 --a------ C:\Program Files\tmp9602015.exe
2008-04-07 12:36 . 2008-04-07 12:36 35,576 --a------ C:\Program Files\tmp9571296.exe
2008-04-07 12:35 . 2008-04-07 12:35 16,464 --a------ C:\Program Files\tmp9562843.exe
2008-04-07 11:58 . 2008-04-07 11:58 98,304 --a------ C:\Program Files\tmp7295546.exe
2008-04-07 11:58 . 2008-04-07 11:58 32,768 --a------ C:\Program Files\tmp7307171.exe
2008-04-07 11:55 . 2008-04-07 11:55 163,840 --a------ C:\Program Files\tmp7169453.exe
2008-04-07 11:55 . 2008-04-07 11:55 32,768 --a------ C:\Program Files\tmp7170015.exe
2008-04-07 11:54 . 2008-04-07 11:54 196,608 --a------ C:\Program Files\tmp7095437.exe
2008-04-07 11:54 . 2008-04-07 11:54 131,072 --a------ C:\Program Files\tmp7097953.exe
2008-04-07 11:54 . 2008-04-07 11:54 65,536 --a------ C:\Program Files\tmp7106578.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7097937.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7095296.exe
2008-04-07 11:54 . 2008-04-07 11:54 32,768 --a------ C:\Program Files\tmp7095281.exe
2008-04-07 11:04 . 2008-04-07 11:04 72,566 --a------ C:\WINDOWS\SYSTEM32\GameFly_2.ico
2008-04-07 10:51 . 2008-04-07 10:52 <DIR> d-------- C:\Documents and Settings\Frank Butler\.housecall6.6
2008-04-07 10:51 . 2008-04-07 10:51 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-04-07 10:50 . 2008-04-07 10:50 <DIR> d-------- C:\WINDOWS\Sun
2008-04-07 10:46 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-04-07 10:45 . 2008-04-07 10:46 <DIR> d-------- C:\Program Files\Java
2008-04-07 10:44 . 2008-04-07 10:44 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-07 10:36 . 2008-04-07 10:36 <DIR> d-------- C:\Program Files\Pop up Blocker
2008-04-07 10:30 . 2001-03-18 17:36 21,264 --a------ C:\WINDOWS\SYSTEM32\rundll32.exe
2008-04-07 10:30 . 2001-03-18 20:37 5,708 --a------ C:\WINDOWS\SYSTEM32\k9371937.DLL
2008-04-07 10:19 . 2008-04-07 10:19 131,072 --a------ C:\Program Files\tmp1370609.exe
2008-04-07 10:19 . 2008-04-07 10:19 32,768 --a------ C:\Program Files\tmp1361718.exe
2008-04-07 10:18 . 2008-04-07 10:18 65,536 --a------ C:\Program Files\tmp1321828.exe
2008-04-07 10:02 . 2008-04-07 10:02 35,648 --a------ C:\Program Files\tmp305562.exe
2008-04-07 10:02 . 2008-04-07 10:02 35,540 --a------ C:\Program Files\tmp305328.exe
2008-04-07 10:02 . 2008-04-07 10:02 32,768 --a------ C:\Program Files\tmp305093.exe
2008-04-07 10:01 . 2008-04-07 10:01 195,072 --a------ C:\Program Files\tmp305109.exe
2008-04-07 10:01 . 2008-04-07 10:01 16,600 --a------ C:\Program Files\tmp305375.exe
2008-04-07 09:57 . 2008-04-07 09:57 269,334 --a------ C:\WINDOWS\SYSTEM32\cnidgred.bmp
2008-04-07 08:56 . 2008-04-07 08:58 48,640 --a------ C:\91.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\9B.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\9A.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\99.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\98.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\97.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\95.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\93.tmp
2008-04-07 08:56 . 2008-04-07 08:56 0 --a------ C:\90.tmp
2008-04-07 08:42 . 2008-04-07 08:42 <DIR> d-------- C:\Documents and Settings\Frank Butler\Application Data\Uniblue
2008-04-07 08:40 . 2008-04-07 08:40 35,664 --a------ C:\Program Files\tmp227390.exe
2008-04-07 08:40 . 2008-04-07 08:40 35,512 --a------ C:\Program Files\tmp226312.exe
2008-04-07 08:40 . 2008-04-07 08:40 16,496 --a------ C:\Program Files\tmp225125.exe
2008-04-07 08:37 . 2008-04-07 08:37 269,334 --a------ C:\WINDOWS\SYSTEM32\pcnapof.bmp
2008-04-07 08:37 . 2008-04-07 08:38 48,640 --a------ C:\94.tmp
2008-04-07 08:37 . 2008-04-07 08:37 2 --a------ C:\8F.tmp
2008-04-07 08:37 . 2008-04-07 08:37 0 --a------ C:\92.tmp
2008-04-07 08:36 . 2008-04-07 08:37 47,104 --a------ C:\8E.tmp
2008-04-07 08:36 . 2008-04-07 08:36 0 --a------ C:\8C.tmp
2008-04-07 08:12 . 2008-04-08 09:03 <DIR> d-------- C:\SDFix
2008-04-07 07:35 . 2008-04-07 07:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\bharebio01
2008-04-07 07:35 . 2008-04-07 07:36 <DIR> d-------- C:\Temp\wdlw14
2008-04-07 07:29 . 2008-04-07 07:29 167,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msoft98.sys
2008-04-07 07:28 . 2008-04-07 07:28 97,792 --a------ C:\Program Files\tmp275359.exe
2008-04-07 07:28 . 2008-04-07 07:28 35,576 --a------ C:\Program Files\tmp275281.exe
2008-04-07 07:28 . 2008-04-07 07:28 16,508 --a------ C:\Program Files\tmp275375.exe
2008-04-07 07:27 . 2008-04-07 07:27 16,488 --a------ C:\Program Files\tmp275218.exe
2008-04-07 07:24 . 2008-04-07 07:24 269,334 --a------ C:\WINDOWS\SYSTEM32\cjelsbedorepsf.bmp
2008-04-07 07:24 . 2008-04-07 07:24 48,640 --a------ C:\8D.tmp
2008-04-07 07:23 . 2008-04-07 07:23 47,104 --a------ C:\89.tmp
2008-04-07 07:23 . 2008-04-07 07:23 2 --a------ C:\8B.tmp
2008-04-07 07:23 . 2008-04-07 07:23 0 --a------ C:\8A.tmp
2008-04-07 07:02 . 2008-04-07 07:02 35,604 --a------ C:\Program Files\tmp569359.exe
2008-04-07 06:59 . 2008-04-07 06:59 16,472 --a------ C:\Program Files\tmp402703.exe
2008-04-07 06:53 . 2008-04-07 06:53 269,334 --a------ C:\WINDOWS\SYSTEM32\tcbat.bmp
2008-04-07 06:53 . 2008-04-07 06:53 48,640 --a------ C:\87.tmp
2008-04-07 06:53 . 2008-04-07 06:53 47,104 --a------ C:\86.tmp
2008-04-07 06:53 . 2008-04-07 06:53 2 --a------ C:\88.tmp
2008-04-05 08:48 . 2008-04-05 08:48 269,334 --a------ C:\WINDOWS\SYSTEM32\qlcrqdgbep.bmp
2008-04-05 08:47 . 2008-04-05 08:48 48,640 --a------ C:\84.tmp
2008-04-05 08:47 . 2008-04-05 08:47 48,640 --a------ C:\83.tmp
2008-04-05 08:47 . 2008-04-05 08:48 2 --a------ C:\85.tmp
2008-04-04 15:54 . 2008-04-04 15:54 16,560 --a------ C:\Program Files\tmp319250.exe
2008-04-04 15:54 . 2008-04-04 15:54 16,492 --a------ C:\Program Files\tmp319062.exe
2008-04-04 15:42 . 2008-04-07 10:18 125,440 -r-hs---- C:\WINDOWS\SYSTEM32\iSecurity.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 22:52 2,129,408 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-08 14:07 2,852,352 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-04-07 13:10 2,865,152 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-04-07 13:10 2,022,912 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-04-07 12:56 2,992,640 ----a-w C:\WINDOWS\Internet Logs\xDB17.tmp
2008-04-07 12:56 2,018,304 ----a-w C:\WINDOWS\Internet Logs\xDB18.tmp
2008-04-05 14:40 1,999,872 ----a-w C:\WINDOWS\Internet Logs\xDB89.tmp
2008-04-05 14:10 1,999,360 ----a-w C:\WINDOWS\Internet Logs\xDB16.tmp
2008-04-05 14:09 1,728,000 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-04-05 12:47 --------- d-----w C:\Program Files\Common Files\aol
2008-04-04 19:53 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\MSN6
2008-04-04 19:49 1,180,633 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-03 19:03 2,927,104 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2008-04-03 18:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 12:00 2,777,088 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-04-03 12:00 1,970,688 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-04-02 15:34 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-04-02 15:34 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-04-02 15:25 714,240 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-04-02 15:25 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-04-02 14:21 193,024 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-04-02 14:21 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-04-02 14:02 150,528 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-02 14:02 1,919,488 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-04-02 13:58 65,536 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-04-02 13:58 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-04-02 13:10 89,600 ----a-w C:\WINDOWS\SYSTEM32\DRWTSN32.EXE
2008-04-02 13:10 462,336 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-02 13:10 1,922,560 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-02 13:00 1,923,072 ----a-w C:\WINDOWS\Internet Logs\xDB3F.tmp
2008-04-02 13:00 1,137,664 ----a-w C:\WINDOWS\Internet Logs\xDB3E.tmp
2008-04-02 10:18 1,916,928 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-02 10:18 1,013,760 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-02 10:16 81,920 ----a-w C:\WINDOWS\SYSTEM32\HPZipm12.exe
2008-04-02 10:16 359,936 ----a-w C:\WINDOWS\SYSTEM32\fxssvc.exe
2008-04-02 10:15 204,800 ----a-w C:\WINDOWS\SYSTEM32\nvsvc32.exe
2008-04-02 10:15 192,512 ----a-w C:\WINDOWS\SYSTEM32\DWWIN.EXE
2008-04-02 10:15 16,384 ----a-w C:\WINDOWS\SYSTEM32\CISVC.EXE
2008-04-02 10:15 128,000 ----a-w C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
2008-04-01 19:05 2,780,672 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-01 18:05 651,264 ----a-w C:\WINDOWS\SYSTEM32\SSTEXT3D.SCR
2008-04-01 18:03 84,992 ----a-w C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
2008-04-01 17:58 100,864 ----a-w C:\WINDOWS\SYSTEM32\SOL.EXE
2008-04-01 17:54 1,775,616 ----a-w C:\WINDOWS\Internet Logs\xDB30.tmp
2008-04-01 17:54 1,008,640 ----a-w C:\WINDOWS\Internet Logs\xDB2F.tmp
2008-04-01 17:53 77,824 ----a-w C:\WINDOWS\wanmpsvc.exe
2008-04-01 17:51 135,168 ----a-w C:\WINDOWS\BCMSMMSG.exe
2008-04-01 17:50 1,250,816 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-01 17:45 2,815,488 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-01 17:45 1,763,328 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-01 17:44 139,776 ----a-w C:\WINDOWS\SYSTEM32\TASKMGR.EXE
2008-04-01 17:43 164,352 ----a-w C:\WINDOWS\SYSTEM32\USERINIT.EXE
2008-04-01 16:15 24,064 ----a-w C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2008-03-14 04:11 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-03-11 16:28 557,056 ----a-w C:\WINDOWS\JAVA\GoToAssist_phone__317_en.exe
2008-03-07 13:40 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\AdobeUM
2008-03-06 16:51 --------- d-----w C:\Program Files\TZO
2008-03-05 15:18 --------- d-----w C:\Program Files\America Online 8.0
2008-03-03 12:22 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\AdobeAUM
2008-02-28 20:25 --------- d-----w C:\Program Files\Google
2008-02-28 19:27 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\Viewpoint
2008-02-28 19:23 --------- d-----w C:\Program Files\Modem Helper
2008-02-28 19:23 --------- d-----w C:\Program Files\EarthLink 5.0
2008-02-28 19:20 --------- d-----w C:\Program Files\Yahoo!
2008-02-28 18:58 --------- d-----w C:\Documents and Settings\Frank Butler\Application Data\U3
2008-02-28 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-28 14:11 --------- d-----w C:\Program Files\Viewpoint
2008-02-28 14:11 --------- d-----w C:\Program Files\AOL Search
2008-02-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-28 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-27 13:47 1,366,016 --sh--r C:\WINDOWS\SYSTEM32\ttlms.exe
.

------- Sigcheck -------

2008-04-01 12:15 24064 dd6ff528b4668240e45dbcd2a2443e11 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2002-08-29 06:00 1048064 53ebb982a02260dedc847aa23cfa999c C:\WINDOWS\EXPLORER.EXE
.
((((((((((((((((((((((((((((( snapshot@2008-04-09_ 7.16.17.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 178,176 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2000-08-31 12:00:00 86,016 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 151,552 ----a-w C:\WINDOWS\fdsv.exe
- 2000-08-31 12:00:00 91,676 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 12:00:00 124,444 ----a-w C:\WINDOWS\grep.exe
- 2002-08-29 10:00:00 703,488 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
+ 2002-08-29 10:00:00 714,752 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
- 2000-08-31 12:00:00 173,568 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 206,336 ----a-w C:\WINDOWS\swreg.exe
- 2002-08-29 10:00:00 90,688 ----a-w C:\WINDOWS\SYSTEM32\CLICONFG.EXE
+ 2002-08-29 10:00:00 123,456 ----a-w C:\WINDOWS\SYSTEM32\CLICONFG.EXE
- 2008-04-09 11:12:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-04-10 11:17:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-04-09 11:12:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-10 11:17:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-10 11:01:53 40,448 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\unpr[1].exe
- 2008-04-09 11:12:54 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-04-10 11:17:54 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2008-04-08 22:52:22 654,112 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
+ 2008-04-10 11:17:30 654,112 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
- 2008-04-08 22:52:22 113,184 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
+ 2008-04-10 11:17:30 113,184 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
- 2002-08-29 10:00:00 83,456 ----a-w C:\WINDOWS\SYSTEM32\ESENTUTL.EXE
+ 2002-08-29 10:00:00 116,224 ----a-w C:\WINDOWS\SYSTEM32\ESENTUTL.EXE
- 2002-08-29 10:00:00 53,248 ----a-w C:\WINDOWS\SYSTEM32\EVENTVWR.EXE
+ 2002-08-29 10:00:00 86,016 ----a-w C:\WINDOWS\SYSTEM32\EVENTVWR.EXE
- 2002-08-29 10:00:00 53,248 ----a-w C:\WINDOWS\SYSTEM32\FIND.EXE
+ 2002-08-29 10:00:00 118,784 ----a-w C:\WINDOWS\SYSTEM32\FIND.EXE
- 2002-08-29 10:00:00 64,000 ----a-w C:\WINDOWS\SYSTEM32\FONTVIEW.EXE
+ 2002-08-29 10:00:00 96,768 ----a-w C:\WINDOWS\SYSTEM32\FONTVIEW.EXE
- 2002-08-29 10:00:00 51,712 ----a-w C:\WINDOWS\SYSTEM32\FORCEDOS.EXE
+ 2002-08-29 10:00:00 84,480 ----a-w C:\WINDOWS\SYSTEM32\FORCEDOS.EXE
- 2002-08-29 10:00:00 96,256 ----a-w C:\WINDOWS\SYSTEM32\IPCONFIG.EXE
+ 2002-08-29 10:00:00 129,024 ----a-w C:\WINDOWS\SYSTEM32\IPCONFIG.EXE
- 2002-08-29 10:00:00 66,560 ----a-w C:\WINDOWS\SYSTEM32\IPXROUTE.EXE
+ 2002-08-29 10:00:00 99,328 ----a-w C:\WINDOWS\SYSTEM32\IPXROUTE.EXE
- 1998-03-26 05:00:00 38,160 ----a-w C:\WINDOWS\SYSTEM32\MAPISRVR.EXE
+ 1998-03-26 05:00:00 49,424 ----a-w C:\WINDOWS\SYSTEM32\MAPISRVR.EXE
- 2002-08-29 10:00:00 115,712 ----a-w C:\WINDOWS\SYSTEM32\NSLOOKUP.EXE
+ 2002-08-29 10:00:00 148,480 ----a-w C:\WINDOWS\SYSTEM32\NSLOOKUP.EXE
- 2002-08-29 10:00:00 84,480 ----a-w C:\WINDOWS\SYSTEM32\OSUNINST.EXE
+ 2002-08-29 10:00:00 117,248 ----a-w C:\WINDOWS\SYSTEM32\OSUNINST.EXE
- 2002-08-29 10:00:00 89,088 ----a-w C:\WINDOWS\SYSTEM32\PROQUOTA.EXE
+ 2002-08-29 10:00:00 155,136 ----a-w C:\WINDOWS\SYSTEM32\PROQUOTA.EXE
- 2002-08-29 10:00:00 47,616 ----a-w C:\WINDOWS\SYSTEM32\REGEDT32.EXE
+ 2002-08-29 10:00:00 80,384 ----a-w C:\WINDOWS\SYSTEM32\REGEDT32.EXE
- 2002-08-29 10:00:00 64,000 ----a-w C:\WINDOWS\SYSTEM32\SAVEDUMP.EXE
+ 2002-08-29 10:00:00 96,768 ----a-w C:\WINDOWS\SYSTEM32\SAVEDUMP.EXE
- 2002-08-29 10:00:00 147,968 ----a-w C:\WINDOWS\SYSTEM32\SYSOCMGR.EXE
+ 2002-08-29 10:00:00 180,736 ----a-w C:\WINDOWS\SYSTEM32\SYSOCMGR.EXE
- 2002-08-29 10:00:00 56,320 ----a-w C:\WINDOWS\SYSTEM32\TCMSETUP.EXE
+ 2002-08-29 10:00:00 89,088 ----a-w C:\WINDOWS\SYSTEM32\TCMSETUP.EXE
- 2002-08-29 10:00:00 77,891 ----a-w C:\WINDOWS\SYSTEM32\USRMLNKA.EXE
+ 2002-08-29 10:00:00 90,179 ----a-w C:\WINDOWS\SYSTEM32\USRMLNKA.EXE
- 2002-08-29 10:00:00 61,508 ----a-w C:\WINDOWS\SYSTEM32\USRPRBDA.EXE
+ 2002-08-29 10:00:00 73,796 ----a-w C:\WINDOWS\SYSTEM32\USRPRBDA.EXE
- 2002-08-29 10:00:00 69,700 ----a-w C:\WINDOWS\SYSTEM32\USRSHUTA.EXE
+ 2002-08-29 10:00:00 81,988 ----a-w C:\WINDOWS\SYSTEM32\USRSHUTA.EXE
- 2002-08-29 10:00:00 52,224 ----a-w C:\WINDOWS\SYSTEM32\WINHLP32.EXE
+ 2002-08-29 10:00:00 84,992 ----a-w C:\WINDOWS\SYSTEM32\WINHLP32.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 16:08 1654813]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51 317952]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Wwaa"="C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"Pop up Blocker"="C:\Program Files\Pop up Blocker\pd.exe" [2007-01-12 17:43 1201664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2008-04-01 13:51 135168 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 40960]
"MCAgentExe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2002-09-06 18:15 204800]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 10:28 196608]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-05-11 12:13 163885]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-04-01 13:56 794624]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 16:09 151552]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 10:11 102400]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-04-01 13:47 167936]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-04-01 13:53 102449]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-04-02 07:59 299008]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 61440]
"Windows Update Manager Security Service"="C:\WINDOWS\system32\wumss.exe" [2008-03-10 06:58 418936]
"{D3-3F-F7-76-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-01 12:19 126984]
"g]eeV\mWhjlnspB"="C:\WINDOWS\System32\rcntpkdn.exe" [2008-04-01 12:21 208972]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Manager Security Service"="C:\WINDOWS\system32\wumss.exe" [2008-03-10 06:58 418936]

C:\Documents and Settings\Frank Butler\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\SYSTEM32\rcntpkdn.exe [2008-04-01 12:21:49 208972]
DW_Start.lnk - C:\WINDOWS\SYSTEM32\rwwnw64d.exe [2008-04-01 12:19:50 126984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 40960]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [2003-05-11 12:12:46 245835]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll [2008-04-01 12:15 261632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TZOClient]
--a------ 2005-06-17 04:02 1003520 C:\Program Files\TZO\TZOClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wumss.exe"=
"C:\\WINDOWS\\Explorer.EXE"=C:\\WINDOWS\\Explorer.EXE
"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe"=C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe
"C:\\Documents and Settings\\Alicia Dunlow\\Application Data\\printer.exe"=
"C:\\Documents and Settings\\Alicia Dunlow\\Start Menu\\Programs\\Startup\\findfast.exe"=
"%windir%\\system32\\winav.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=C:\\Program Files\\Internet Explorer\\iexplore.exe
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"=
"C:\\WINDOWS\\System32\\svchost.exe"=C:\\WINDOWS\\System32\\svchost.exe
"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe"=c:\\PROGRA~1\\mcafee.com\\vso\\mcvsrte.exe
"%windir%\\system32\\sessmgr.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2008-04-02 06:16]
S2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-03-07 15:12]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 22:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 06:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]
S3 SMALUSB;Digital Camera Driver;C:\WINDOWS\System32\DRIVERS\smalidt.sys [2002-05-31 02:57]
Start Pending2 wumss;Windows Update Manager Security Service;C:\WINDOWS\system32\wumss.exe [2008-03-10 06:58]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 21:46:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D7174T21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:47:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Alicia Dunlow).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:45:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Dale Holt).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agen
"2008-04-10 11:18:24 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Frank Butler).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:45:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark H).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent.Mark HXMcAfee.com SecurityCenter periodically checks for updates for your McAfee.com Services.
"2008-04-09 21:45:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-Mark II).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:47:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-mark).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:45:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-randy).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2008-04-09 21:48:00 C:\WINDOWS\Tasks\McAfee.com Update Check (HYLAS-LAB-user).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.ex
- C:\PROGRA~1\McAfee.com\Agent
"2006-11-09 14:57:07 C:\WINDOWS\Tasks\WebReg officejet 6200 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 07:18:24
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\System32\\rcntpkdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-10 7:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 11:21:58
ComboFix2.txt 2008-04-09 11:17:13
Pre-Run: 111,764,516,864 bytes free
Post-Run: 111,689,572,352 bytes free


---------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:28:00 AM, on 4/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rcntpkdn.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wumss.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = GOOGLE.COM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Update Manager Security Service] "C:\WINDOWS\system32\wumss.exe" *
O4 - HKLM\..\Run: [{D3-3F-F7-76-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\rcntpkdn.exe DWram
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429MMUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PD - {FE53AEB5-AEF4-4CFB-8DED-8E494A5F6D37} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145274234906
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115
O17 - HKLM\System\CS1\Services\Tcpip\..\{40DA52B0-AA07-4885-8D08-F9F734F9D6DF}: NameServer = 85.255.116.100,85.255.112.115
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: TZO Client (TZONTService) - Unknown owner - C:\Program Files\TZO\TZO_NT_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe

#14 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 10 April 2008 - 11:26 AM

Please do not use your machine for anything else until this mess is cleaned up. It is just spreading this infection like wildfire.

A. First we must disable some of your security programs so that they do not interfere with the running of our tools:

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.


B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\1.reg
C:\WINDOWS\SYSTEM32\ftp33.dll
C:\WINDOWS\SYSTEM32\adormlonmt.bmp
C:\WINDOWS\SYSTEM32\ofilcrehojmpsr.bmp
C:\WINDOWS\SYSTEM32\lkjqlobapgr.bmp
C:\WINDOWS\SYSTEM32\psfmhgrmd.bmp
C:\LOG16E.tmp
C:\Program Files\tmp4814218.exe
C:\Program Files\tmp4813265.exe
C:\WINDOWS\SYSTEM32\mlsbitoridcf.bmp
C:\Program Files\tmp11497234.exe
C:\Program Files\tmp11498515.exe
C:\Program Files\tmp11462531.exe
C:\Program Files\tmp11463531.exe
C:\Program Files\tmp11434328.exe
C:\Program Files\tmp11426468.exe
C:\Program Files\tmp11430937.exe
C:\Program Files\tmp9602015.exe
C:\Program Files\tmp9571296.exe
C:\Program Files\tmp9562843.exe
C:\Program Files\tmp7295546.exe
C:\Program Files\tmp7307171.exe
C:\Program Files\tmp7169453.exe
C:\Program Files\tmp7170015.exe
C:\Program Files\tmp7095437.exe
C:\Program Files\tmp7097953.exe
C:\Program Files\tmp7106578.exe
C:\Program Files\tmp7097937.exe
C:\Program Files\tmp7095296.exe
C:\Program Files\tmp7095281.exe
C:\Program Files\tmp1361718.exe
C:\Program Files\tmp1321828.exe
C:\Program Files\tmp305562.exe
C:\Program Files\tmp305328.exe
C:\Program Files\tmp305093.exe
C:\Program Files\tmp305109.exe
C:\Program Files\tmp305375.exe
C:\WINDOWS\SYSTEM32\cnidgred.bmp
C:\91.tmp
C:\9B.tmp
C:\9A.tmp
C:\99.tmp
C:\98.tmp
C:\97.tmp
C:\95.tmp
C:\93.tmp
C:\90.tmp
C:\Program Files\tmp227390.exe
C:\Program Files\tmp226312.exe
C:\Program Files\tmp225125.exe
C:\WINDOWS\SYSTEM32\pcnapof.bmp
C:\94.tmp
C:\8F.tmp
C:\92.tmp
C:\8E.tmp
C:\8C.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\msoft98.sys
C:\Program Files\tmp275359.exe
C:\Program Files\tmp275281.exe
C:\Program Files\tmp275375.exe
C:\Program Files\tmp275218.exe
C:\WINDOWS\SYSTEM32\cjelsbedorepsf.bmp
C:\8D.tmp
C:\89.tmp
C:\8B.tmp
C:\8A.tmp
C:\Program Files\tmp569359.exe
C:\Program Files\tmp402703.exe
C:\WINDOWS\SYSTEM32\tcbat.bmp
C:\87.tmp
C:\86.tmp
C:\88.tmp
C:\WINDOWS\SYSTEM32\qlcrqdgbep.bmp
C:\84.tmp
C:\83.tmp
C:\85.tmp
C:\Program Files\tmp319250.exe
C:\Program Files\tmp319062.exe
C:\WINDOWS\SYSTEM32\iSecurity.cpl
C:\WINDOWS\Internet Logs\xDB1C.tmp
C:\WINDOWS\Internet Logs\xDB1B.tmp
C:\WINDOWS\Internet Logs\xDB19.tmp
C:\WINDOWS\Internet Logs\xDB1A.tmp
C:\WINDOWS\Internet Logs\xDB17.tmp
C:\WINDOWS\Internet Logs\xDB18.tmp
C:\WINDOWS\Internet Logs\xDB89.tmp
C:\WINDOWS\Internet Logs\xDB16.tmp
C:\WINDOWS\Internet Logs\xDB15.tmp
C:\WINDOWS\Internet Logs\xDB70.tmp
C:\WINDOWS\Internet Logs\xDB13.tmp
C:\WINDOWS\Internet Logs\xDB14.tmp
C:\WINDOWS\Internet Logs\xDB11.tmp
C:\WINDOWS\Internet Logs\xDB12.tmp
C:\WINDOWS\Internet Logs\xDBF.tmp
C:\WINDOWS\Internet Logs\xDB10.tmp
C:\WINDOWS\Internet Logs\xDBD.tmp
C:\WINDOWS\Internet Logs\xDBE.tmp
C:\WINDOWS\Internet Logs\xDBB.tmp
C:\WINDOWS\Internet Logs\xDBC.tmp
C:\WINDOWS\Internet Logs\xDB9.tmp
C:\WINDOWS\Internet Logs\xDBA.tmp
C:\WINDOWS\Internet Logs\xDB7.tmp
C:\WINDOWS\Internet Logs\xDB8.tmp
C:\WINDOWS\Internet Logs\xDB3F.tmp
C:\WINDOWS\Internet Logs\xDB3E.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB30.tmp
C:\WINDOWS\Internet Logs\xDB2F.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\SYSTEM32\ttlms.exe
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\system32\wumss.exe
C:\WINDOWS\SYSTEM32\rcntpkdn.exe
C:\WINDOWS\SYSTEM32\rwwnw64d.exe
C:\\WINDOWS\\System32\\rcntpkdn.exe DWram

Folder::
C:\fixwareout
C:\WINDOWS\SYSTEM32\bharebio01
C:\Temp\wdlw14
C:\SDFix

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wwaa"=-
"Uniblue RegistryBooster 2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{D3-3F-F7-76-DW}"=-
"g]eeV\mWhjlnspB"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Manager Security Service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"=

Driver::
FileObjInfo
Start Pending2 wumss

Rootkit::
C:\WINDOWS\system32\zxdnt3d.cfg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. Do not use your computer for any other purpose while ComboFix is running.

5. All your monitoring programs (Antivirus/Antispyware, Guards and Shields) will be stopped.

Posted Image

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


C. Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

    Posted Image

  • Click the Save as Text button to save the file to your desktop and post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image
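As an added example (not code from the thread, the helper, or HijackThis), the following Python script applies three of the checks that the CFScript above reflects to lines taken from the HijackThis log posted in this thread: DNS servers that differ from the expected resolvers (O17), Run entries with garbled value names or paths that HijackThis had to render with "?" (O4), and services with no publisher information (O23). The set of expected resolvers is an assumption made for the example.

```python
"""Triage a HijackThis v1.99 log for the entry types a helper looks at first.

Added example for this thread; it is not the forum's, the helper's or
HijackThis's own code. The sample lines are copied from the log posted above;
the set of expected DNS resolvers is an assumption made for the example.
"""
import re
from typing import Iterable, List, Tuple

# Assumption: the resolvers this machine is supposed to use (ISP or LAN DNS).
EXPECTED_DNS = {"192.168.1.1", "192.168.1.2"}

# Characters a legitimate Run value name is expected to be made of.
NAME_OK = re.compile(r"^[A-Za-z0-9 _.&{}()\-]+$")

# O4 Run entries: "O4 - HKLM\..\Run: [name] command"
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>.*)\] (?P<cmd>.+)$")
# O17 DNS entries: "O17 - ...: NameServer = a.b.c.d[ ,]e.f.g.h"
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9., ]+)$")
# O23 services: "O23 - Service: description - owner - path"
O23_SVC = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a second look.

    The heuristics are deliberately narrow: they catch the changed DNS servers,
    the garbled Run name and the '?'-rendered path seen in this thread, and any
    service whose binary carries no publisher information. Entries with a clean
    name and a plausible path (rwwnw64d.exe above, for instance) need other
    evidence, such as the file dates in the ComboFix log, and are not flagged.
    """
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if m := O17_DNS.match(line):
            # HijackThis lists several servers separated by spaces or commas.
            servers = set(re.split(r"[ ,]+", m["servers"].strip()))
            if servers - EXPECTED_DNS:
                findings.append(("dns-changed", line))
        elif m := O4_RUN.match(line):
            if not NAME_OK.match(m["name"]):
                findings.append(("garbled-run-name", line))
            elif "?" in m["cmd"]:
                # '?' is not valid in a Windows path; HijackThis prints it for
                # characters it cannot display, so the real path is something else.
                findings.append(("unprintable-path", line))
        elif m := O23_SVC.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(("no-publisher-service", line))
    return findings


# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r"O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\rcntpkdn.exe DWram",
    r"O4 - HKCU\..\Run: [Wwaa] C:\WINDOWS\SYSTEM32\?ymbols\w?auboot.exe",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.100 85.255.112.115",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
    r"O23 - Service: Windows Update Manager Security Service (wumss) - Unknown owner - C:\WINDOWS\system32\wumss.exe",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LINES):
        print(f"{reason:22} {line}")
```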

#15 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 12 April 2008 - 07:28 PM

I hope you are well and not experiencing any difficulties carrying out my last set of instructions. If you are, do not hesitate to ask for further explanations. If however, your problem has been solved or you no longer require our assistance, please advise us accordingly and we will archive your topic.

Trevuren
