
Persistant adware/trojans


This topic is locked. 5 replies to this topic.

#1 techiefIve (New Member, 3 posts)

Posted 12 April 2008 - 01:51 PM

I've tried Spybot, Ad-Aware, Spy Sweeper, and HJT to remove a few of these buggers, but there are a couple that just won't leave. I had 50 "threats" when I started, now I'm down to about 10. Anyway, here's my HJT log. Thanks in advance for all the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:16 PM, on 4/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\MROFIN~1.EXE
C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\TEMP\DILE.tmp
C:\PROGRA~1\TRENDM~1\HIJACK~1\HIJACK~1.EXE
C:\WINDOWS\17PHolmes1001186.exe

O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [iclsni] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DILD.tmp
O4 - HKLM\..\Policies\Explorer\Run: [apilor] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 2165 bytes

If you need any more info, don't hesitate to ask.
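A small triage script for the HijackThis log format shown in this post, added here as an example (it is not part of the thread and not HijackThis's own logic): it splits the log into the Running processes block and the numbered entries, then flags the patterns a log helper checks first (Temp-folder loaders, rundll32 pulling a non-.dll module, unnamed BHOs, Winlogon Notify hooks, DNS overrides, publisher-less or missing services). The heuristics are the editor's own assumptions; the sample input is a handful of lines copied from the logs in this thread.

```python
import re

# Sample input: lines copied from the HijackThis / DSS output posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\DILE.tmp
C:\WINDOWS\17PHolmes1001186.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iclsni] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DILD.tmp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.74
O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([FNOR]\d+)\s+-\s+(.*)$")
# Anything living in a \Temp\ folder or named *.tmp (assumption: a rule of thumb, not a signature).
TEMP_RE = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)
# The module that rundll32.exe is asked to load (first quoted or bare token after it).
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"\s]+)"?', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (code, body) tuples, e.g. ("O20", "Winlogon Notify: ...").
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def flags_for_entry(code, body):
    """Return the list of triage reasons for one entry (empty if nothing stands out).

    These are the editor's assumptions about what deserves a second look; they
    flag entries for review, they do not decide that something is malicious.
    """
    reasons = []
    if TEMP_RE.search(body):
        reasons.append("loads from a Temp folder or a .tmp file")
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    m = RUNDLL_RE.search(body)
    if m and not m.group(1).lower().endswith(".dll"):
        reasons.append("rundll32 loading a non-.dll module")
    if code == "O2" and "(no name)" in body:
        reasons.append("unnamed browser helper object")
    if code == "O17" and "NameServer" in body:
        reasons.append("DNS server override in the TCP/IP settings")
    if code == "O20":
        reasons.append("Winlogon Notify / AppInit DLL (loaded at every logon)")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    if code == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip().lower()
        if shell != "explorer.exe":
            reasons.append("extra program appended to the Windows shell")
    return reasons


def triage(text):
    """Return [(code, body, reasons)] for every process or entry that matched a rule.

    Running processes are reported with the pseudo-code "PROC".
    """
    processes, entries = parse_hjt(text)
    findings = []
    for path in processes:
        if TEMP_RE.search(path):
            findings.append(("PROC", path, ["process running from a Temp folder or .tmp file"]))
    for code, body in entries:
        reasons = flags_for_entry(code, body)
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:5} {body}")
        for r in reasons:
            print(f"      -> {r}")
```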


#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts, Interests: Woodworking)

Posted 12 April 2008 - 09:27 PM

Hello techiefIve and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • An additional text file, Extra.txt, will also be available (by default) in the following FOLDER: C:\Deckard\System Scanner.
  • Please go to that FOLDER and also copy the contents of Extra.txt to your post as well.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What DSS will do:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.

Post Logs:
  • DSS Scan Results: contents of 1) Main.txt and 2) Extra.txt

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



#3 techiefIve (New Member, 3 posts)

Posted 13 April 2008 - 11:39 AM

Thank you Trevuren for responding so quickly.

Here are the contents of Main.txt and Extra.txt:

Deckard's System Scanner v20071014.68
Run by l on 2008-04-13 11:24:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-04-13 18:24:47 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2008-04-12 00:36:40 UTC - RP9 - Removed Ad-Aware 2007
8: 2008-04-11 23:44:36 UTC - RP8 - Installed Ad-Aware 2007
7: 2008-04-06 18:21:56 UTC - RP7 - Last Good System Checkpoint
6: 2008-04-06 18:22:06 UTC - RP6 - Last known good configuration


-- First Restore Point --
1: 2008-04-06 18:22:14 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as l.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:05 AM, on 4/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\DOCUME~1\l\Desktop\dss.exe
C:\WINDOWS\17PHolmes1001186.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\l.exe

O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [iclsni] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\srqcemccq.drv" WLEntryPoint
O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DILD.tmp
O4 - HKLM\..\Policies\Explorer\Run: [apilor] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

--
End of file - 2096 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080407-165008-151 O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
backup-20080407-165008-179 O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jswnw64l.exe
backup-20080407-165008-254 O4 - HKLM\..\Run: [288954be] rundll32.exe "C:\WINDOWS\System32\udmyvrgt.dll",b
backup-20080407-165008-286 O4 - Startup: .protected
backup-20080407-165008-306 O2 - BHO: (no name) - {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - C:\WINDOWS\System32\urqnlkl.dll
backup-20080407-165008-307 O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
backup-20080407-165008-371 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080407-165008-378 O2 - BHO: C:\WINDOWS\System32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-165008-498 O2 - BHO: (no name) - {8dc2cfa6-261f-4e40-be2f-731ebd1e2dd3} - C:\WINDOWS\System32\geefe.dll
backup-20080407-165008-499 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
backup-20080407-165008-506 O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\System32\pcnttkdn.exe DWram
backup-20080407-165008-511 O4 - HKCU\..\Run: [Zeckbm] "C:\Documents and Settings\l\My Documents\?ppPatch\??ool32.exe"
backup-20080407-165008-514 O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\l\LOCALS~1\Temp\winlogan.exe
backup-20080407-165008-575 O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
backup-20080407-165008-592 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080407-165008-624 O4 - Global Startup: .protected
backup-20080407-165008-638 O4 - HKLM\..\Run: [{95-54-41-11-DW}] C:\WINDOWS\system32\jswnw64l.exe DWram
backup-20080407-165008-653 O4 - HKCU\..\Run: [SfKg6w] C:\DOCUME~1\l\APPLIC~1\MICROS~1\Windows\dwjwr.exe
backup-20080407-165008-699 O4 - Startup: findfast.exe
backup-20080407-165008-707 O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcnttkdn.exe
backup-20080407-165008-756 O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\l\LOCALS~1\Temp\winlogan.exe
backup-20080407-165008-837 O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\atgban.dll" DllStart
backup-20080407-165008-846 O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
backup-20080407-165008-848 O4 - HKLM\..\Policies\Explorer\Run: [nqdgn] rundll32.exe "C:\WINDOWS\System32\apcjmd.drv" WLEntryPoint
backup-20080407-165008-849 O4 - Global Startup: autorun.exe
backup-20080407-165008-867 O4 - HKCU\..\Run: [Ctrc] "C:\PROGRA~1\COMMON~1\CURITY~1\scanregw.exe" -vt yazb
backup-20080407-165008-874 O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
backup-20080407-165008-905 O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\l\LOCALS~1\Temp\csrssc.exe
backup-20080407-165008-923 O4 - HKCU\..\Run: [zkio] C:\PROGRA~1\COMMON~1\zkio\zkiom.exe
backup-20080407-165008-944 O4 - HKLM\..\Run: [SystemDoctor Free] C:\PROGRA~1\SYSTEM~2\SYSTEM~1.EXE /min
backup-20080407-165008-950 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080407-165008-991 O4 - HKLM\..\Run: [mhkrmtkf] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\krmhgn.drv" WLEntryPoint
backup-20080407-165010-485 O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
backup-20080407-165011-110 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080407-165011-156 O17 - HKLM\System\CCS\Services\Tcpip\..\{97DDD8F8-27C7-45E2-A675-93B70D024157}: NameServer = 85.255.113.146,85.255.112.74
backup-20080407-165011-269 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
backup-20080407-165011-280 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080407-165011-429 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.74
backup-20080407-165011-457 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.74
backup-20080407-165011-487 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.146 85.255.112.74
backup-20080407-165011-490 O17 - HKLM\System\CS1\Services\Tcpip\..\{457C7F27-332B-4BF7-AB0B-615F1D9CFA2A}: NameServer = 85.255.113.146,85.255.112.74
backup-20080407-165011-590 O17 - HKLM\System\CCS\Services\Tcpip\..\{55590D1A-6177-4585-B240-FBDE5A52A562}: NameServer = 85.255.113.146,85.255.112.74
backup-20080407-165011-690 O17 - HKLM\System\CCS\Services\Tcpip\..\{457C7F27-332B-4BF7-AB0B-615F1D9CFA2A}: NameServer = 85.255.113.146,85.255.112.74
backup-20080407-165011-799 O17 - HKLM\System\CS2\Services\Tcpip\..\{457C7F27-332B-4BF7-AB0B-615F1D9CFA2A}: NameServer = 85.255.113.146,85.255.112.74
backup-20080407-165012-443 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\System32\ehk.dll
backup-20080407-165012-493 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-165013-733 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe
backup-20080407-165013-872 O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
backup-20080407-170347-163 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080407-170347-173 O4 - Startup: findfast.exe
backup-20080407-170347-266 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080407-170347-316 O4 - HKLM\..\Policies\Explorer\Run: [qjlbetcl] rundll32.exe "C:\WINDOWS\System32\apcjmd.drv" WLEntryPoint
backup-20080407-170347-376 O2 - BHO: (no name) - {8dc2cfa6-261f-4e40-be2f-731ebd1e2dd3} - C:\WINDOWS\System32\geefe.dll
backup-20080407-170347-543 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080407-170347-650 O2 - BHO: C:\WINDOWS\System32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-170347-672 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080407-170347-703 O4 - HKLM\..\Run: [siqljtr] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\krmhgn.drv" WLEntryPoint
backup-20080407-170347-722 O4 - Global Startup: autorun.exe
backup-20080407-170347-768 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080407-170347-831 O2 - BHO: (no name) - {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080407-170348-307 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-170348-558 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\System32\ehk.dll
backup-20080407-180451-108 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
backup-20080407-180451-112 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080407-180451-169 O4 - HKLM\..\Run: [sdtflsdt] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\krmhgn.drv" WLEntryPoint
backup-20080407-180451-189 O4 - HKLM\..\Policies\Explorer\Run: [nmaplkpf] rundll32.exe "C:\WINDOWS\System32\apcjmd.drv" WLEntryPoint
backup-20080407-180451-258 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080407-180451-443 O4 - Startup: findfast.exe
backup-20080407-180451-465 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
backup-20080407-180451-503 O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
backup-20080407-180451-510 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080407-180451-518 O4 - HKCU\..\Run: [WinTouch] C:\DOCUME~1\l\APPLIC~1\WinTouch\WinTouch.exe
backup-20080407-180451-592 O2 - BHO: (no name) - {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080407-180451-641 O4 - Global Startup: autorun.exe
backup-20080407-180451-703 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080407-180451-720 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080407-180451-823 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080407-180451-881 O2 - BHO: C:\WINDOWS\System32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-180451-940 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
backup-20080407-180451-948 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080407-180451-970 O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
backup-20080407-180451-983 O2 - BHO: (no name) - {09b2122e-ee53-4060-b1d0-7e4d237442ac} - C:\WINDOWS\System32\geefe.dll
backup-20080407-180451-995 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080407-180452-363 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080407-180453-315 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
backup-20080407-180453-428 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080407-180453-550 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\System32\ehk.dll
backup-20080407-180453-842 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe
backup-20080407-180453-896 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080407-201335-216 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080407-201335-571 O4 - Startup: findfast.exe
backup-20080407-201335-578 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
backup-20080407-201335-709 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080407-201335-710 O2 - BHO: (no name) - {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080407-201335-718 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
backup-20080407-201335-765 O4 - Global Startup: autorun.exe
backup-20080407-201335-886 O4 - HKLM\..\Run: [siqjd] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\ejmlepiooio.drv" WLEntryPoint
backup-20080407-201335-896 O2 - BHO: (no name) - {40758d55-d339-43ff-800b-d52870748e98} - C:\WINDOWS\System32\geefe.dll
backup-20080407-201335-909 O4 - HKLM\..\Policies\Explorer\Run: [ojqpnnqr] rundll32.exe "C:\WINDOWS\System32\jajojm.drv" WLEntryPoint
backup-20080407-201335-959 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080407-201336-495 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe
backup-20080407-201336-549 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\system32\ehk.dll
backup-20080407-201336-574 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080407-201336-653 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080407-202959-259 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080407-202959-768 O2 - BHO: (no name) - {408549cf-c291-4743-ab88-5dd9040b2db1} - C:\WINDOWS\System32\geefe.dll
backup-20080407-202959-864 O2 - BHO: (no name) - {3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080407-203000-213 O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
backup-20080407-203000-282 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080407-203000-332 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
backup-20080407-203000-392 O4 - HKLM\..\Run: [othjocaf] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\ejmlepiooio.drv" WLEntryPoint
backup-20080407-203000-403 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080407-203000-431 O4 - HKLM\..\Policies\Explorer\Run: [ihsoelks] rundll32.exe "C:\WINDOWS\System32\jajojm.drv" WLEntryPoint
backup-20080407-203000-475 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080407-203000-478 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080407-203000-560 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080407-203000-673 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
backup-20080407-203000-721 O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
backup-20080407-203000-727 O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
backup-20080407-203000-738 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080407-203000-857 O4 - Startup: findfast.exe
backup-20080407-203000-860 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080407-203000-893 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\system32\ehk.dll
backup-20080407-203000-983 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080407-203000-989 O4 - Global Startup: autorun.exe
backup-20080407-203001-446 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080409-210532-128 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080409-210532-150 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080409-210532-157 O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
backup-20080409-210532-327 O4 - HKLM\..\Run: [opkgsrro] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\caoscrpsh.dll" WLEntryPoint
backup-20080409-210532-371 O4 - HKLM\..\Policies\Explorer\Run: [nqdgn] rundll32.exe "C:\WINDOWS\System32\pngortoqnpi.sys" WLEntryPoint
backup-20080409-210532-551 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\System32\urqnlkl.dll
backup-20080409-210532-555 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080409-210532-595 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
backup-20080409-210532-757 O2 - BHO: (no name) - {F81A3753-49B9-4BDB-AA8F-B87F023D8A9B} - C:\WINDOWS\System32\geefe.dll
backup-20080409-210532-887 O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
backup-20080409-210532-942 O2 - BHO: C:\WINDOWS\System32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080409-210532-989 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080409-210532-996 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080409-210533-156 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\system32\ehk.dll
backup-20080409-210533-432 O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\pcnttkdn.exe
backup-20080409-210533-463 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080409-210533-514 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080409-210533-521 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\jfiehayd.dll
backup-20080409-210533-550 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080409-210533-599 O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
backup-20080409-210533-621 O4 - Startup: findfast.exe
backup-20080409-210533-635 O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
backup-20080409-210533-710 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe (file missing)
backup-20080409-210533-789 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080409-210533-859 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080409-210533-877 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080409-210533-892 O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jswnw64l.exe
backup-20080409-210533-921 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080409-210533-965 O4 - Global Startup: autorun.exe
backup-20080409-210533-998 O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/c...::/xpreload.ocx
backup-20080409-211712-110 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080409-211712-478 O4 - HKLM\..\Policies\Explorer\Run: [imfatml] rundll32.exe "C:\WINDOWS\System32\pngortoqnpi.sys" WLEntryPoint
backup-20080409-211712-508 O2 - BHO: (no name) - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
backup-20080409-211712-534 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080409-211712-741 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080409-211712-745 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080409-211712-767 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080409-211712-778 O2 - BHO: (no name) - {5AA21A65-7561-4F95-AA0B-224F22DB3CC5} - C:\WINDOWS\System32\geefe.dll
backup-20080409-211712-904 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\fciuftqu.dll",s
backup-20080409-211712-921 O4 - HKLM\..\Run: [pkfmiter] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\caoscrpsh.dll" WLEntryPoint
backup-20080409-211713-476 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe (file missing)
backup-20080409-211713-577 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080409-211713-795 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\System32\ehk.dll
backup-20080412-115710-387 O21 - SSODL: RhuXDFY - {28895412-8223-FEB8-B7DB-1AC45DDAACDB} - C:\WINDOWS\system32\ehk.dll (file missing)
backup-20080412-115710-471 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-115710-472 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-115710-479 O2 - BHO: (no name) - {A779D134-A37A-4BF8-BE33-A9945D0D3E27} - C:\WINDOWS\System32\ddawu.dll (file missing)
backup-20080412-115710-536 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-115710-550 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-115710-590 O4 - HKLM\..\RunOnce: [SpybotDeletingA6114] command /c del "C:\Documents and Settings\LocalService\cftmon.exe_old"
backup-20080412-115710-699 O2 - BHO: (no name) - {5AA21A65-7561-4F95-AA0B-224F22DB3CC5} - C:\WINDOWS\System32\geefe.dll (file missing)
backup-20080412-115710-718 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080412-115710-725 O4 - HKLM\..\Policies\Explorer\Run: [lfseaarp] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-115710-767 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-115710-857 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-115710-953 O4 - HKLM\..\Run: [bogoqt] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-120137-108 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-120137-260 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-120137-265 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-120137-361 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-120137-379 O4 - HKLM\..\Policies\Explorer\Run: [hcikj] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-123228-406 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-125450-109 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080412-125450-152 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\l\cftmon.exe
backup-20080412-125450-330 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-125450-359 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-125450-366 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080412-125450-457 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-125450-498 O4 - HKLM\..\Policies\Explorer\Run: [oaqbrmji] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-125450-623 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-125450-697 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080412-125450-714 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080412-125450-843 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-125450-934 O4 - HKLM\..\Run: [shfklmim] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-130405-351 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-130405-529 O4 - HKLM\..\Policies\Explorer\Run: [qmgkonqb] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-130405-714 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\awafhsql.dll",s
backup-20080412-130405-850 O4 - HKLM\..\Run: [robjdc] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-130405-855 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-130405-867 O2 - BHO: (no name) - {DD8D55A3-21B7-42F4-B9E7-D3B23266260D} - C:\WINDOWS\System32\iiifd.dll
backup-20080412-130406-823 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-130406-986 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
backup-20080412-132709-170 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-132709-187 O2 - BHO: {8abeeb66-8251-bd3b-8e84-95b84973edc3} - {3cde3794-8b59-48e8-b3db-152866beeba8} - C:\WINDOWS\System32\ddffksxs.dll
backup-20080412-132709-199 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
backup-20080412-132709-202 O4 - HKLM\..\Run: [288954be] rundll32.exe "C:\WINDOWS\System32\kukiplsg.dll",b
backup-20080412-132709-363 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE
backup-20080412-132709-379 O4 - HKLM\..\Run: [idalmge] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-132709-418 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
backup-20080412-132709-469 O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL8.tmp
backup-20080412-132709-565 O4 - HKLM\..\Run: [BM2bba6722] Rundll32.exe "C:\WINDOWS\System32\awafhsql.dll",s
backup-20080412-132709-598 O2 - BHO: (no name) - {0375297C-47F1-49D3-B4B9-6CD20FBA6CCE} - C:\WINDOWS\System32\iiifd.dll
backup-20080412-132709-754 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-132709-861 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-132709-868 O4 - HKLM\..\Policies\Explorer\Run: [cfenhfoi] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-132922-132 O4 - HKLM\..\Policies\Explorer\Run: [dospq] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-132922-299 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE
backup-20080412-132922-468 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-132922-489 O4 - HKLM\..\Run: [aeihgpcm] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-132922-662 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-132922-707 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-132922-797 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
backup-20080412-132922-948 O2 - BHO: (no name) - {6E317A4F-BC8D-4781-9FF7-14BAAB232215} - C:\WINDOWS\System32\iiifd.dll (file missing)
backup-20080412-133452-251 O4 - HKLM\..\Run: [AutoInclude] C:\WINDOWS\TEMP\DIL30.tmp
backup-20080412-133452-262 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20080412-133452-340 O4 - HKLM\..\Policies\Explorer\Run: [hcejcgl] rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint
backup-20080412-133452-405 O20 - Winlogon Notify: nmhsbmdgril - C:\WINDOWS\SYSTEM32\nmhsbmdgril.dll
backup-20080412-133452-411 O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
backup-20080412-133452-436 O4 - HKLM\..\Run: [pjcmpqte] rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\crnbfqsdge.drv" WLEntryPoint
backup-20080412-133452-539 O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
backup-20080412-133452-640 O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\urqnlkl.dll
backup-20080412-133453-374 O20 - Winlogon Notify: urqnlkl - C:\WINDOWS\SYSTEM32\urqnlkl.dll
backup-20080412-133454-416 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20080412-133454-846 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
backup-20080412-133454-893 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\pqecisjmkmh.drv" WLEntry %1 %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ymgewiwc - c:\windows\system32\drivers\nvkuiivs.dat
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 AR5211 (TP-LINK Wireless Network Adapter Service) - c:\windows\system32\drivers\ar5211.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5001 Wireless Network Adapter>

S1 MSPCLOCKK - c:\windows\system32\drivers\mspclockk.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 WmdmPmSp (Portable Media Serial Number) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S2 RpcPatch (WINS Client) - c:\windows\system32\wins\dllhost.exe (file missing)
S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\spools.exe (file missing)
S3 RpcTftpd (Network Connections Sharing) - c:\windows\system32\wins\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S4 ICF - c:\windows\system32\svchost.exe:exe.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&20F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_8086&DEV_1043&SUBSYS_25278086&REV_04\4&16793A72&0&20F0
Service:


-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-13 11:27:28 41984 --a------ C:\WINDOWS\System32\vq.exe
2008-04-12 13:47:35 48128 --a------ C:\WINDOWS\mrofinu1001186.exe
2008-04-12 13:05:37 86592 --a------ C:\WINDOWS\System32\kukiplsg.dll
2008-04-12 13:03:30 3648 --a------ C:\WINDOWS\System32\tuvjsqyg.dll
2008-04-12 13:03:18 94272 --a------ C:\WINDOWS\System32\awafhsql.dll
2008-04-12 13:02:36 272850 --ahs---- C:\WINDOWS\System32\dfiii.ini2
2008-04-12 13:00:58 0 d-------- C:\Documents and Settings\l\Application Data\Adobe
2008-04-12 12:34:59 120855 --ahs---- C:\Documents and Settings\l\cftmon.exe
2008-04-11 18:52:49 0 d-------- C:\WINDOWS\pss
2008-04-11 17:40:55 0 d-------- C:\Documents and Settings\l\Application Data\Grisoft
2008-04-11 17:39:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 17:18:13 3648 --a------ C:\WINDOWS\System32\osshietj.dll
2008-04-11 17:15:12 269620 --ahs---- C:\WINDOWS\System32\uwadd.ini2
2008-04-11 16:44:41 0 d-------- C:\Program Files\Lavasoft
2008-04-11 16:44:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-09 20:55:35 0 d-------- C:\Documents and Settings\l\Application Data\Real
2008-04-09 20:39:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-09 20:39:08 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-09 20:39:08 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-09 20:39:08 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-09 20:39:08 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-09 20:39:08 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-09 20:39:08 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-09 20:39:08 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-09 20:39:08 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-09 20:39:08 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-09 20:39:08 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-09 20:39:08 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-09 20:39:07 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-09 20:39:07 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-09 20:39:07 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 20:38:49 0 d--h----- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings
2008-04-09 20:38:49 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies
2008-04-09 20:38:49 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
2008-04-09 20:38:49 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft
2008-04-09 20:38:48 229376 --ah----- C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT
2008-04-09 20:38:45 229376 --ah----- C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
2008-04-09 20:38:45 0 d--h----- C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings
2008-04-09 20:38:45 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies
2008-04-09 20:38:45 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data
2008-04-09 20:38:45 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Microsoft
2008-04-09 16:50:12 485 --a------ C:\WINDOWS\System32\ehrhsdka.dll
2008-04-09 16:47:12 478 --a------ C:\WINDOWS\System32\xvgenbxe.dll
2008-04-09 16:45:10 480 --a------ C:\WINDOWS\System32\vnppxahc.dll
2008-04-09 12:30:13 0 d-------- C:\WINDOWS\tmp
2008-04-07 20:43:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 20:41:18 0 d-------- C:\Documents and Settings\l\Application Data\Google
2008-04-07 20:39:08 0 d-------- C:\Documents and Settings\l\Application Data\Webroot
2008-04-07 16:56:29 0 d--h----- C:\WINDOWS\System32\GroupPolicy
2008-04-07 16:45:52 0 d-------- C:\Program Files\Trend Micro
2008-04-06 12:46:47 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2008-04-06 12:46:30 0 d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-04-06 11:22:25 37376 --a------ C:\WINDOWS\System32\efcBsTLb.dll
2008-04-06 11:21:56 55218 --a------ C:\WINDOWS\zalpqbj.sys
2008-04-06 11:20:56 37376 --a------ C:\WINDOWS\System32\geBtRhfe.dll
2008-04-06 11:20:40 167424 --a------ C:\WINDOWS\System32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-06 11:20:22 19584 --a------ C:\WINDOWS\System32\drivers\nvkuiivs.dat
2008-04-06 11:20:00 83456 --a------ C:\WINDOWS\System32\ctfmona.exe
2008-04-06 11:13:59 36352 --a------ C:\WINDOWS\System32\ssqOFWmj.dll
2008-04-06 10:28:15 36352 --a------ C:\WINDOWS\System32\hgGwXnNh.dll
2008-04-06 09:41:34 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2008-04-06 09:39:09 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-06 09:37:34 0 d-------- C:\Program Files\Common Files\zkio
2008-04-06 09:37:33 0 d-------- C:\WINDOWS\zkio
2008-04-05 13:22:33 0 d-------- C:\WUTemp
2008-04-04 22:57:16 0 d-------- C:\Documents and Settings\l\Download
2008-04-04 22:29:14 270694 --a------ C:\WINDOWS\System32\000090.exe
2008-04-04 14:14:22 0 d-------- C:\Program Files\JavaCore
2008-04-04 14:09:17 0 d-------- C:\Program Files\nvcoi
2008-04-04 14:04:14 0 d-------- C:\Program Files\CPV
2008-04-04 14:04:13 0 d-------- C:\Program Files\Temporary
2008-04-04 09:31:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-04 09:31:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-04 09:26:00 229527 --a------ C:\WINDOWS\System32\000080.exe
2008-04-04 07:06:55 17408 --a------ C:\WINDOWS\System32\000070.exe
2008-04-03 13:57:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-03 13:57:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-03-29 12:03:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Google
2008-03-29 12:03:07 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-03-29 12:01:46 274145 --ahs---- C:\WINDOWS\System32\efeeg.ini2
2008-03-29 12:00:55 38400 --a------ C:\WINDOWS\System32\jkkiifg.dll
2008-03-29 11:57:40 38400 --a------ C:\WINDOWS\System32\ddccayv.dll
2008-03-29 11:57:12 0 d-------- C:\Program Files\Outerinfo
2008-03-29 11:57:04 935 --a------ C:\WINDOWS\System32\winpfz33.sys
2008-03-29 11:56:56 204870 --a------ C:\WINDOWS\System32\pcnttkdn.exe
2008-03-29 11:56:40 0 d-------- C:\WINDOWS\System32\xTmp
2008-03-29 11:56:40 0 d-------- C:\WINDOWS\System32\winz1
2008-03-29 11:56:40 0 d-------- C:\WINDOWS\System32\IDME
2008-03-29 11:56:39 0 d-------- C:\Program Files\Common Files\??curity
2008-03-29 11:56:34 38400 --a------ C:\WINDOWS\System32\urqnlkl.dll
2008-03-29 11:56:34 0 d-------- C:\WINDOWS\System32\aqVreo01
2008-03-29 11:56:34 0 d-------- C:\Temp
2008-03-28 08:41:51 173563 --a------ C:\WINDOWS\System32\msram.dll
2008-03-27 13:21:08 0 d-------- C:\Program Files\Norton Resource CD Files
2008-03-22 14:03:05 4 --a------ C:\WINDOWS\System32\3670DA
2008-03-22 14:02:08 8413 --a------ C:\WINDOWS\System32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2008-03-22 13:54:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-22 13:54:28 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-22 13:54:15 0 d-------- C:\Program Files\Real
2008-03-22 13:54:14 0 d-------- C:\Program Files\Common Files\Real
2008-03-19 11:06:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-03-19 11:06:15 0 d-------- C:\Program Files\Google
2008-03-17 11:51:09 0 d---s---- C:\Documents and Settings\l\UserData


-- Find3M Report ---------------------------------------------------------------

2008-04-12 13:13:08 0 d-------- C:\Program Files\Microsoft Works
2008-04-11 17:36:59 0 d-------- C:\Program Files\Common Files
2008-04-06 11:18:55 15872 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-06 10:33:27 0 d-------- C:\Program Files\Common Files\??curity
2008-04-06 09:39:06 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-04 14:36:59 10 --a------ C:\Program Files\.autoreg
2008-02-12 22:30:52 14848 --a------ C:\WINDOWS\fetchuserid.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
03/29/2008 11:56 AM 38400 --a------ C:\WINDOWS\system32\urqnlkl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [02/14/2003 12:59 PM C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [08/28/2002 06:17 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"!AVG Anti-Spyware"="C:\PROGRA~1\Grisoft\AVGANT~1.5\avgas.exe" [06/11/2007 02:25 AM]
"runner1"="C:\WINDOWS\mrofinu1001186.exe" [04/13/2008 11:25 AM]
"iclsni"="C:\DOCUME~1\l\LOCALS~1\Temp\srqcemccq.drv WLEntryPoint" []
"AutoInclude"="C:\WINDOWS\TEMP\DILD.tmp" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"apilor"=rundll32.exe "C:\WINDOWS\System32\dopnllpgn.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\urqnlkl.dll [03/29/2008 11:56 AM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nmhsbmdgril]
nmhsbmdgril.dll 08/29/2002 12:41 AM 113664 C:\WINDOWS\system32\nmhsbmdgril.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnlkl]
urqnlkl.dll 03/29/2008 11:56 AM 38400 C:\WINDOWS\system32\urqnlkl.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\iiifd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\l\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2bba6722]
Rundll32.exe "C:\WINDOWS\System32\wbqwcwrl.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kktacbad]
rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\bscqknnbkqp.nls" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

*Newly Created Service* - ALG
*Newly Created Service* - INTEGRATED_WINDOWS_AUTHENTICATION
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .supercocklol.com
127.0.0.1 www..webloyalty.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

8117 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-13 11:28:09 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1300MHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 510.98 MiB / 348.5 MiB
Pagefile Memory (total/avail): 1249.84 MiB / 1110.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.5 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 34.11 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N040ATCS04-0 - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\l\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=9UQN2GIJLR7ASTS
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\l
LOGONSERVER=\\9UQN2GIJLR7ASTS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\l\LOCALS~1\Temp
TMP=C:\DOCUME~1\l\LOCALS~1\Temp
USERDOMAIN=9UQN2GIJLR7ASTS
USERNAME=l
USERPROFILE=C:\Documents and Settings\l
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

l (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0


-- Application Event Log -------------------------------------------------------

Event Record #/Type142 / Error
Event Submitted/Written: 04/13/2008 11:27:32 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Event Record #/Type139 / Error
Event Submitted/Written: 04/12/2008 01:40:47 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type136 / Error
Event Submitted/Written: 04/12/2008 10:30:51 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type135 / Error
Event Submitted/Written: 04/12/2008 10:30:51 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type134 / Error
Event Submitted/Written: 04/11/2008 06:55:48 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2009 / Error
Event Submitted/Written: 04/13/2008 11:19:06 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%2

Event Record #/Type2008 / Error
Event Submitted/Written: 04/13/2008 11:18:52 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type2007 / Error
Event Submitted/Written: 04/13/2008 11:18:52 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type2006 / Error
Event Submitted/Written: 04/13/2008 11:18:32 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type2005 / Error
Event Submitted/Written: 04/13/2008 11:18:32 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)



-- End of Deckard's System Scanner: finished at 2008-04-13 11:28:09 ------------



Thanks again for the quick reply.
Hopefully I'll have this sorted out soon.

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 13 April 2008 - 12:09 PM

A. To repair the faulty file associations, please do the following:
  • Make sure that DSS.exe is located on your Desktop.
  • Click on your START button, then choose Run. A little box will appear.
  • Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

    "%userprofile%\desktop\dss.exe" /daft


  • This will start DSS in a different way. A small window will appear.
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.


B. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image
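The "File Associations" finding in the DSS log above is the core of the persistence: the .exe handler has been rewritten so that rundll32.exe loads a DLL from the Temp folder before every program starts, while still passing the original command line through. The following is an added example, not code from either poster or from DSS, that checks DSS association lines against the stock Windows XP handler values; the .exe line is taken from the log above, the two clean lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Stock shell\open\command values on Windows XP for the ProgIDs that
# file-association hijackers usually target.
STOCK_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# A handler that is really a DLL loader: rundll32.exe "<dll>" <export> ...
LOADER_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s', re.IGNORECASE)
# A module living under a per-user or system Temp directory.
TEMP_RE = re.compile(r'\\Temp\\', re.IGNORECASE)


@dataclass
class Finding:
    extension: str
    progid: str
    command: str
    hijacked: bool
    reasons: list = field(default_factory=list)


def parse_dss_association(line: str):
    """Split a DSS 'File Associations' line into (ext, progid, subkey, command)."""
    parts = [p.strip() for p in line.strip().split(" - ", 3)]
    if len(parts) != 4:
        raise ValueError(f"not a DSS association line: {line!r}")
    return tuple(parts)


def check_association(line: str) -> Finding:
    """Compare one association line with the stock handler and explain any deviation."""
    ext, progid, _subkey, command = parse_dss_association(line)
    normalized = " ".join(command.split())
    stock = STOCK_COMMANDS.get(progid.lower())
    reasons = []
    if stock is None:
        reasons.append(f"no stock value on file for {progid}; review manually")
        return Finding(ext, progid, command, False, reasons)
    if normalized == stock:
        return Finding(ext, progid, command, False, reasons)
    reasons.append(f"expected {stock}, found {normalized}")
    if LOADER_RE.match(normalized):
        reasons.append("handler is rundll32.exe, so a DLL is loaded before the real program")
    if TEMP_RE.search(normalized):
        reasons.append("loaded module lives in a Temp directory")
    if normalized.endswith("%1 %*") or normalized.endswith('"%1" %*'):
        reasons.append("original command line is passed through, so programs still "
                       "start normally and the hijack goes unnoticed")
    return Finding(ext, progid, command, True, reasons)


def review_file_associations(section: str) -> list:
    """Run check_association over every association line of a DSS section."""
    return [check_association(line) for line in section.splitlines()
            if line.lstrip().startswith(".")]


# Constructed sample: the .exe line is the one reported in the log above,
# the .bat and .scr lines are clean values added for contrast.
SAMPLE_SECTION = r"""
-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\l\LOCALS~1\Temp\pqecisjmkmh.drv" WLEntry %1 %*
.bat - batfile - shell\open\command - "%1" %*
.scr - scrfile - shell\open\command - "%1" /S
"""

if __name__ == "__main__":
    for finding in review_file_associations(SAMPLE_SECTION):
        status = "HIJACKED" if finding.hijacked else "ok"
        print(f"{finding.extension:5} {finding.progid:8} {status}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

On a live machine the same comparison applies to the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command; a handler other than "%1" %* means every program launch is routed through the listed module.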

#5 techiefIve

techiefIve

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 14 April 2008 - 06:24 PM

Well, I ran DSS and it found one bad association, but when I ran ComboFix, it killed Windows. It ran till it hit 75% complete, then hung for over 2 hours. After waiting patiently and seeing no change I restarted the system. Now it won't even boot up. So thanks for the assistance, but I think I'm just going to reinstall XP.

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 14 April 2008 - 07:16 PM

but when I ran comboFix, it killed windows


Why did you ever run ComboFix without specific direction to do so? You were instructed to run SDFix.


Trevuren

Edited by Trevuren, 14 April 2008 - 07:17 PM.
