Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help with Hacktool.rootkit

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help with Hacktool.rootkit

Unread postby Ihatevirus » May 1st, 2007, 10:19 am

Nortan Antivirus says I have an infected file:
C:\Documents and settings\...\Local Settings\Temp\r7w.dll

Trendmicro Housecall says:
Possible_MLWR-3
C:\Windows\Temp\kimtwz75.dll

My HJT logfile is as follows, please help, help... Thanks in anticipation!!

Logfile of HijackThis v1.99.1
Scan saved at 6:59:27 AM, on 5/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk = C:\Program Files\Kaiser\VPN Client\ipsecdialer.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3617918562
O16 - DPF: {89D122E1-99E6-11D2-BB1E-0040053B6D66} (FnetEdit Class) - http://fnt-bkfd/web-cpr/session/software/fnetedit.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - AppInit_DLLs: KB608769M.LOG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Update Service For Windows (SoftUpdate) - Unknown owner - C:\WINDOWS\SoftUpdate.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am
Advertisement
Register to Remove

Unread postby askey127 » May 1st, 2007, 2:49 pm

Hi ihatevirus,
This machine has quite a few items to fix.

First, It has parts of at least three antivirus suites on here (Command Software, Nortons and AVG). When they battle for control it leaves the machine vulnerable.
We will Uninstall all but one in the next post.

Secondly, I see you have automatic updates running, but the machine is only updated to Service Pack 1.
(1)Is this on Dialup?
(2)Why does it not have SP2?

It also has some kind of security setup from Authentium on there.
(3)Did you install it?
(4)Is this part of a corporate network?

Let's take a few preliminary steps first:
-----------------------------------------------------------
Set Your Computer to Show All Files
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Download and install CCleaner from here.
Set Options in CCleaner and run Cleaning Scan. Open the CCleaner program.
( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck "Only delete files in Windows Temp folders older than 48 hours".
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

If you or an administrator did not purposely restrict access to the Control Panel then check these two also and click Fix Checked
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), before you Click Fix Checked.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
I am also looking for answers to the first (4) questions above, and the contents of the file you saved called install.txt from CCleaner.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

2nd poster

Unread postby Ihatevirus » May 2nd, 2007, 2:59 am

Dear Askey127,

Thanks a lot for taking the time to help me!

"Secondly, I see you have automatic updates running, but the machine is only updated to Service Pack 1.
(1)Is this on Dialup?
(2)Why does it not have SP2? "

It also has some kind of security setup from Authentium on there.
(3)Did you install it?
(4)Is this part of a corporate network? "

Answers to your 4 questions above:
1)Not a dial up, it is DSL from Yahoo/SBC
2)I don't know why, but sp2 might interfere with opening corportate files?
3) I did not install it myself, but this computer was taken to someelse in technical support to install remote access software
4)This computer is not part of a corporate network, but is used for remote access to a corporate network

Logfile of HijackThis v1.99.1
Scan saved at 11:48:22 PM, on 5/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://idoc.wellpoint.com/registration
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk = C:\Program Files\Kaiser\VPN Client\ipsecdialer.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3617918562
O16 - DPF: {89D122E1-99E6-11D2-BB1E-0040053B6D66} (FnetEdit Class) - http://fnt-bkfd/web-cpr/session/software/fnetedit.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - AppInit_DLLs: KB608769M.LOG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Update Service For Windows (SoftUpdate) - Unknown owner - C:\WINDOWS\SoftUpdate.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby Ihatevirus » May 2nd, 2007, 3:03 am

Sorry, I forgot to post install.txt, here it is:

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Authentium
AVG 7.5
BroadJump Client Foundation
Business Contact Manager for Outlook 2003
CCleaner (remove only)
Conexant SmartHSFi V92 56K DF PCI Modem
Cox High Speed Internet security suite
Dell P1500 factory-installed files
Dell Printer Software Uninstall
Dell ResourceCD
Dell Solution Center
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
Epocrates Essentials
EXTRA! Personal Client 32-bit
Help and Support Customization
HijackThis 1.99.1
iFacts (Palm) v 9.11.1 by Skyscape
Intel (R) Pro Alerting Agent
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Office Small Business Edition 2003
Modem Helper
Mosby's Primary Care Procedures, Office Procedures
MSXML 4.0 SP2 (KB925672)
NetWaiting
Norton AntiVirus 2002
Norton Spyware Scan - Yahoo!
Norton Spyware Scan provided by Yahoo!
Palm Desktop
Panda ActiveScan
PowerDVD
QuickTime
RealPlayer Basic
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
smARTupdate
Spellbound!
Spybot - Search & Destroy 1.4
Super Solvers Reading Ages 9-12
Trend Micro Anti-Spyware
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Viewpoint Media Player
VPN Client
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) q329623
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q813862
Windows XP Hotfix (SP2) Q816981
Windows XP Hotfix (SP2) Q819696
Windows XP Hotfix (SP2) [See Q331060 for more information]
Windows XP Hotfix - KB816486
Windows XP Hotfix - KB817611
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824810
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB826959
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Yahoo! Toolbar
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 2nd, 2007, 6:12 am

Ihatevirus,
Print this out or save it to your desktop as a Notepad file, as you will not have Internet access in SAFE Mode.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

BroadJump Client Foundation
Java 2 Runtime Environment, SE v1.4.2_03


CHOOSE ONE of these three AntiVirus Products to Keep, and UNINSTALL THE OTHER TWO.
Make sure you have the ability to update the one you decide to keep.

TO Uninstall Norton, Choose Remove for all three of these, one at a time:
Norton AntiVirus 2002
Norton Spyware Scan - Yahoo!
Norton Spyware Scan provided by Yahoo!


TO Uninstall AVG, Choose Remove for this one:
AVG 7.5

TO Uninstall Cox High Speed Internet security suite. Choose Remove for these, one at a time.
Cox High Speed Internet security suite
Authentium


Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
If you choose to keep Norton, you will need to disable the Script Blocking Service before proceeding:

Disable the Norton Script Blocking Service
To open Services, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Services.
Find ScriptBlocking services, Right-click the service, and then click and then click Properties. On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.
Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck "Enable Script Blocking (recommended)".
Click OK
-----------------------------------------------------------
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
(That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here, along with a new HijackThis log

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

RE:

Unread postby Ihatevirus » May 4th, 2007, 12:24 am

Hi, I followed the recommendations of your second post. Not everything went smoothly, I hope this makes sense to you. My computer still has problems, it is always slow when I restart it, but after 10-15 min of 100% CPU usage, it "unfreeze" itself, and runs like normal. Thanks again for your time!

Logfile of HijackThis v1.99.1
Scan saved at 9:14:09 PM, on 5/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Kaiser\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_ ... ch/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kaiser VPN Client.lnk = C:\Program Files\Kaiser\VPN Client\ipsecdialer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3617918562
O16 - DPF: {89D122E1-99E6-11D2-BB1E-0040053B6D66} (FnetEdit Class) - http://fnt-bkfd/web-cpr/session/software/fnetedit.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O20 - AppInit_DLLs: KB608769M.LOG
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Kaiser\VPN Client\cvpnd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Update Service For Windows (SoftUpdate) - Unknown owner - C:\WINDOWS\SoftUpdate.exe (file missing)


SDFix: Version 1.81

Run by My Account - Thu 05/03/2007 - 20:49:49.98

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\My Account\My Documents\~WRL0001.tmp
C:\Documents and Settings\My Account\My Documents\~WRL0003.tmp
C:\Documents and Settings\My Account\My Documents\~WRL0110.tmp
C:\Documents and Settings\My Account\My Documents\~WRL0720.tmp
C:\Documents and Settings\My Account\My Documents\~WRL3454.tmp
C:\Documents and Settings\My Account\My Documents\~WRL3661.tmp
C:\Documents and Settings\My Account\My Documents\~WRL3718.tmp

Finished
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 4th, 2007, 7:12 am

ihatevirus,
Run Cleaning Scan with CCleaner. Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
-----------------------------------------------------------
Download Blacklight Beta from here:
https://europe.f-secure.com/exclude/blacklight/fsbl.exe
* Download fsbl.exe and save it to the C:\
* Once saved... double click blbeta.exe to install the program.
Go to Start-->Run, copy in the following text and press Enter:
C:\fsbl.exe /expert
(note the space between fsbl.exe and /expert)

Accept the agreement, leave [X]scan through Windows Explorer checked.
Click > scan, Then > next
You'll see a list of all items found.
There will also be a log in C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.
-----------------------------------------------------------
Run an Online scan.
* Close all EXTRA Internet Explorer windows before doing this.

Go here and click the Kaspersky Online Scanner button.
  • Read the Requirements and limitations before you click Accept.
  • Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then go have lunch !!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.
-----------------------------------------------------------
There may be a number of security updates missing from your system and this may cause problems with cleaning your PC.
Please do the following:
  • Download a diagnostic tool (MGADiag.exe) from >here< and save this to your Desktop.
  • Double-click on MGADiag.exe.
  • When the program has finished, click on the Validation tab and then click on Copy to Clipboard
  • Please post the results in your next reply.
So we are looking for the Blacklight log, the Kaspersky log, and the report from the Microsoft Diagnostic tool.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Ihatevirus » May 5th, 2007, 12:54 am

Dear Askey127,

Here is the 3 reports. My Nortan can not find that virus anymore but the computer is still freezing at the beginning.

05/04/07 20:25:44 [Info]: BlackLight Engine 1.0.61 initialized
05/04/07 20:25:44 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/04/07 20:25:44 [Note]: 7019 4
05/04/07 20:25:44 [Note]: 7005 0
05/04/07 20:25:47 [Note]: 7006 0
05/04/07 20:25:47 [Note]: 7011 220
05/04/07 20:25:47 [Note]: 7026 0
05/04/07 20:25:47 [Note]: 7026 0
05/04/07 20:25:49 [Note]: FSRAW library version 1.7.1021
05/04/07 20:29:37 [Note]: 2000 1012
05/04/07 20:29:37 [Note]: 2000 1012
05/04/07 20:29:47 [Note]: 7007 0

--------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 04, 2007 9:33:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/05/2007
Kaspersky Anti-Virus database records: 313370
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40282
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:29:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\My Account3\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\My Account3\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\My Account3\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\My Account3\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\My Account3\Local Settings\History\History.IE5\MSHist012007050420070505\index.dat Object is locked skipped
C:\Documents and Settings\My Account3\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\My Account3\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\My Account3\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\My Account2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\My Account2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\My Account2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\My Account2\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\My Account\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\My Account\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\My Account\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\My Account\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\My Account\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\My Account\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\My Account\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant SmartHSFi V92 56K DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{150ECB87-BF20-42B0-9B78-3150A87E72FC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_514.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

----------------------------------------------------------------------------------------------------------------------------------
MGDADiag Report

Diagnostic Report (1.7.0012.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Detailed Status: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 55274-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.1.0.pro
ID: bcd056c4-0c5d-49c5-8e9d-b8c7c4ddb64d
Is Admin: Yes
AutoDial: No
Registry: 0x0
WGA Version: Registered, 1.5.530.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic:
Resolution Status: N/A

Notifications Data-->
Cached Result: N/A
File Exists: No
Version: N/A
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
OGA Version: Failed to retrieve file version. - 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-3178-80070002

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: c:\windows\system32\oembios.bin
File Mismatch: c:\windows\system32\oembios.dat
File Mismatch: c:\windows\system32\oembios.sig

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>bcd056c4-0c5d-49c5-8e9d-b8c7c4ddb64d</UGUID><Version>1.7.0012.0</Version><OS>5.1.2600.2.00010100.1.0.pro</OS><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>55274-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-3950782149-2714309196-2454585326</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>OptiPlex GX270 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A04</Version><SMBIOSVersion major="2" minor="3"/><Date>20040517******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>233B3FE701848063</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell OPTIPLEX GX270</model></SBID><OEM/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91CA0409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Small Business Edition 2003</Name><Ver>11</Ver><Val>1C4E0E0EF7B4F0E</Val><Hash>7o9QaQeCIj4MBZ36V7IA/FqMHps=</Hash><Pid>70160-OEM-5690357-37124</Pid><PidType>6</PidType></Product></Products></Office></Software></GenuineResults>
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 5th, 2007, 7:12 am

Ihatevirus,
I don't see any malware at present which would likely cause the symptoms you describe.
I have a couple questions you can help me with:
(1) Can you tell me if your PC has had Windows XP re-installed, and if so was the original CD used?
(2) If you try to run Windows Updates, do you get errors? If so, can you tell me the error message?
------------------------------------------
Go to Start, All Programs, Accessories, Command Prompt
type chkdsk and hit Enter

When it finishes, note anything it quotes as errors and add to reply back here
------------------------------------------
Let's look a bit more:
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

    • In the Files Created Within group click 30 days
    • In the Files Modified Within group select 30 days
    • In the File String Search group select Non-Microsoft
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

I'll be looking for answers to questions (1) and (2), chkdsk results, and the log from WinPFind3u
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Ihatevirus » May 6th, 2007, 1:22 pm

Hi, Askey127,

First of all, thanks for your time again!

1) I do not recall having Windows XP re-installed, even if I did, it would be with the original CD
2) I don't receive errors for Windows update. I did not set it on automatic update though. I did set it that way after I read your message and I did OK.
3) When should I turn the Script blocking on?


----------------------------------------------------------------------------------
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\My Account>chkdsk
The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

117113849 KB total disk space.
13568724 KB in 40217 files.
11664 KB in 2920 indexes.
0 KB in bad sectors.
131561 KB in use by the system.
65536 KB occupied by the log file.
103401900 KB available on disk.

4096 bytes in each allocation unit.
29278462 total allocation units on disk.
25850475 allocation units available on disk.

C:\Documents and Settings\ My Account >

-----------------------------------------------------------------------------

WinPFind3 logfile created on: 5/5/2007 8:15:28 AM
WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Documents and Settings\My Account\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

1021.98 Mb Total Physical Memory | 599.87 Mb Available Physical Memory | 58.70% Memory free
2.41 Gb Paging File | 2.03 Gb Available in Paging File | 84.52% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.69 Gb Total Space | 98.61 Gb Free Space | 88.29% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: DFL5DG51
Current User Name: My Account
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
asfagent.exe -> %ProgramFiles%\Intel\ASF Agent\ASFAgent.exe -> Intel Corporation [Ver = 4.0.7.0 | Size = 114688 bytes | Modified Date = 2/10/2003 2:52:30 AM | Attr = ]
cvpnd.exe -> %ProgramFiles%\Kaiser\VPN Client\cvpnd.exe -> Cisco Systems, Inc. [Ver = 3.6.1 (Rel) | Size = 1282112 bytes | Modified Date = 9/3/2002 2:46:36 PM | Attr = ]
directcd.exe -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 10:28:00 AM | Attr = ]
directcd.exe -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 10:28:00 AM | Attr = ]
directcd.exe -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 10:28:00 AM | Attr = ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 9/12/2002 7:28:14 AM | Attr = ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 9/12/2002 7:28:14 AM | Attr = ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 9/12/2002 7:28:14 AM | Attr = ]
dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 4:22:52 PM | Attr = R ]
dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 4:22:52 PM | Attr = R ]
dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 4:22:52 PM | Attr = R ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,2104 | Size = 114688 bytes | Modified Date = 4/6/2003 10:07:38 PM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,2104 | Size = 114688 bytes | Modified Date = 4/6/2003 10:07:38 PM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,2104 | Size = 114688 bytes | Modified Date = 4/6/2003 10:07:38 PM | Attr = ]
hotsync.exe -> %ProgramFiles%\Sony Handheld\HOTSYNC.EXE -> Palm, Inc. [Ver = 4.0.4 | Size = 299008 bytes | Modified Date = 8/9/2002 4:36:20 PM | Attr = ]
lexbces.exe -> %System32%\lexbces.exE -> Lexmark International, Inc. [Ver = 9.39 | Size = 303104 bytes | Modified Date = 3/5/2004 1:09:00 PM | Attr = ]
navapsvc.exe -> %ProgramFiles%\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 115792 bytes | Modified Date = 8/16/2001 6:16:12 PM | Attr = ]
navapw32.exe -> %ProgramFiles%\Norton AntiVirus\Navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 74832 bytes | Modified Date = 8/16/2001 5:52:42 PM | Attr = ]
navapw32.exe -> %ProgramFiles%\Norton AntiVirus\Navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 74832 bytes | Modified Date = 8/16/2001 5:52:42 PM | Attr = ]
navapw32.exe -> %ProgramFiles%\Norton AntiVirus\Navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 74832 bytes | Modified Date = 8/16/2001 5:52:42 PM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.3 | Size = 77824 bytes | Modified Date = 8/10/2004 12:27:12 PM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.3 | Size = 77824 bytes | Modified Date = 8/10/2004 12:27:12 PM | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.3 | Size = 77824 bytes | Modified Date = 8/10/2004 12:27:12 PM | Attr = ]
realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 8/10/2004 12:26:56 PM | Attr = ]
realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 8/10/2004 12:26:56 PM | Attr = ]
realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 8/10/2004 12:26:56 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 4/10/2007 10:00:18 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(ASFAgent) ASF Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\ASF Agent\ASFAgent.exe -> Intel Corporation [Ver = 4.0.7.0 | Size = 114688 bytes | Modified Date = 2/10/2003 2:52:30 AM | Attr = ]
(CVPND) Cisco Systems, Inc. VPN Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Kaiser\VPN Client\cvpnd.exe -> Cisco Systems, Inc. [Ver = 3.6.1 (Rel) | Size = 1282112 bytes | Modified Date = 9/3/2002 2:46:36 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\DMADMIN.EXE -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 3/19/2004 3:35:18 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\lexbces.exE -> Lexmark International, Inc. [Ver = 9.39 | Size = 303104 bytes | Modified Date = 3/5/2004 1:09:00 PM | Attr = ]
(navapsvc) Norton AntiVirus Auto Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 115792 bytes | Modified Date = 8/16/2001 6:16:12 PM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 11:33:40 AM | Attr = ]
(SBService) ScriptBlocking Service [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBServ.exe -> Symantec Corporation [Ver = 1, 1, 0, 126 | Size = 54408 bytes | Modified Date = 8/13/2001 11:18:36 PM | Attr = ]
(SoftUpdate) Update Service For Windows [Win32_Shared | Auto | Stopped] -> %SystemRoot%\SoftUpdate.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 10:28:00 AM | Attr = ]
DVDSentry -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 4:22:52 PM | Attr = R ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,2104 | Size = 114688 bytes | Modified Date = 4/6/2003 10:07:38 PM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3,0,0,2104 | Size = 155648 bytes | Modified Date = 4/6/2003 10:19:52 PM | Attr = ]
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 3/31/2003 3:00:00 AM | Attr = ]
NAV Agent -> %ProgramFiles%\Norton AntiVirus\Navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 74832 bytes | Modified Date = 8/16/2001 5:52:42 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.3 | Size = 77824 bytes | Modified Date = 8/10/2004 12:27:12 PM | Attr = ]
RealTray -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 8/10/2004 12:26:56 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 29696 bytes | Modified Date = 12/14/2004 4:44:06 AM | Attr = ]
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 9/12/2002 7:28:14 AM | Attr = ]
%AllUsersStartup%\Kaiser VPN Client.lnk -> %ProgramFiles%\Kaiser\VPN Client\ipsecdialer.exe -> Cisco Systems, Inc. [Ver = 3.6.1 (Rel) | Size = 1269836 bytes | Modified Date = 9/3/2002 2:42:46 PM | Attr = ]
< User Startup > -> C:\Documents and Settings\My Account\Start Menu\Programs\Startup
%UserStartup%\HotSync Manager.lnk -> %ProgramFiles%\Sony Handheld\HOTSYNC.EXE -> Palm, Inc. [Ver = 4.0.4 | Size = 299008 bytes | Modified Date = 8/9/2002 4:36:20 PM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
KB608769M.LOG -> KB608769M.LOG -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3,0,0,2104 | Size = 315392 bytes | Modified Date = 4/6/2003 10:06:48 PM | Attr = ]
WgaLogon -> Reg Data - Value does not exist -> File not found
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dl ... ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> ->
HKLM: Start Page -> http://www.yahoo.com ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Page_URL -> http://idoc.wellpoint.com/registration ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Bar -> http://us.rd.yahoo.com/customize/ycomp_ ... ch/ie.html ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> 127.0.0.1 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 1:56:50 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{BDF3E430-B101-42AD-A544-FADC6B084872} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [CNavExtBho Class] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 8/16/2001 4:35:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 8/16/2001 4:35:10 PM | Attr = ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\MSDXM.OCX [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 10:01:28 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 8/16/2001 4:35:10 PM | Attr = ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 8/16/2001 4:35:10 PM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
E&xport to Microsoft Excel -> -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{30698A62-1CCB-49C1-8052-39C5DC391C8B} -> (Intel(R) PRO/1000 MT Network Connection) ->
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\MSDXM.OCX -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 10:01:28 AM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partne ... nicode.cab ->
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://eu-housecall.trendmicro-europe.c ... hcImpl.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftup ... 3617918562 ->
{89D122E1-99E6-11D2-BB1E-0040053B6D66} -> FnetEdit Class - CodeBase = http://fnt-bkfd/web-cpr/session/software/fnetedit.cab ->
{90051A81-3018-4826-8B38-DD60B6B53F9C} -> Snapfish File Upload ActiveX Control - CodeBase = http://www.costcophotocenter.com/CostcoUpload.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shoc ... wflash.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
fsbl.exe -> %SystemDrive%\fsbl.exe -> F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Created Date = 5/4/2007 7:12:38 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1071697920 bytes | Created Date = 1/1/1601 8:00:00 AM | Attr = HS]
Nailsetter.exe -> %SystemDrive%\Nailsetter.exe -> [Ver = | Size = 231390 bytes | Created Date = 4/30/2007 5:58:00 AM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 5/3/2007 7:16:52 PM | Attr = ]
tsc.zip -> %SystemDrive%\tsc.zip -> [Ver = | Size = 2225045 bytes | Created Date = 4/30/2007 5:54:48 AM | Attr = ]
LastGood -> %SystemRoot%\LastGood -> [Folder | Created Date = 5/4/2007 7:36:03 PM | Attr = ]
msoffice.ini -> %SystemRoot%\msoffice.ini -> [Ver = | Size = 2 bytes | Created Date = 5/3/2007 6:16:03 AM | Attr = ]
Norton AntiVirus - Scan my computer.job -> %SystemRoot%\tasks\Norton AntiVirus - Scan my computer.job -> [Ver = | Size = 472 bytes | Created Date = 4/29/2007 9:23:39 AM | Attr = ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 420 bytes | Created Date = 4/29/2007 9:22:36 AM | Attr = ]
001.ast -> %System32%\001.ast -> [Ver = | Size = 41368 bytes | Created Date = 5/3/2007 5:56:09 AM | Attr = ]
002.ast -> %System32%\002.ast -> [Ver = | Size = 998279 bytes | Created Date = 5/3/2007 5:56:09 AM | Attr = ]
003.ast -> %System32%\003.ast -> [Ver = | Size = 28 bytes | Created Date = 5/3/2007 5:56:09 AM | Attr = ]
appmgmt -> %System32%\appmgmt -> [Folder | Created Date = 5/3/2007 5:54:59 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 4/30/2007 8:54:18 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 4/30/2007 8:53:20 PM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 5/4/2007 7:36:04 PM | Attr = ]
S32EVNT1.DLL -> %System32%\S32EVNT1.DLL -> Symantec Corporation [Ver = 10.3.2.7 | Size = 36864 bytes | Created Date = 4/29/2007 9:22:26 AM | Attr = ]
SYMEVNT.386 -> %System32%\SYMEVNT.386 -> [Ver = | Size = 120379 bytes | Created Date = 4/29/2007 9:22:26 AM | Attr = ]
SYMEVNT1.DLL -> %System32%\SYMEVNT1.DLL -> Symantec Corporation [Ver = 10.3.2.7 | Size = 4032 bytes | Created Date = 4/29/2007 9:22:26 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 4/30/2007 8:53:21 PM | Attr = ]
SYMEVENT.SYS -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 10.3.2.7 | Size = 57696 bytes | Created Date = 4/29/2007 9:22:26 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
fsbl.exe -> %SystemDrive%\fsbl.exe -> F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Modified Date = 5/4/2007 8:12:40 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1071697920 bytes | Modified Date = 5/3/2007 8:52:00 PM | Attr = HS]
Nailsetter.exe -> %SystemDrive%\Nailsetter.exe -> [Ver = | Size = 231390 bytes | Modified Date = 4/30/2007 6:58:02 AM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 5/3/2007 7:36:16 AM | Attr = R ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 5/3/2007 8:52:28 PM | Attr = ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 4/29/2007 11:24:12 AM | Attr = HS]
tsc.zip -> %SystemDrive%\tsc.zip -> [Ver = | Size = 2225045 bytes | Modified Date = 4/30/2007 6:54:50 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 5/4/2007 8:36:06 PM | Attr = ]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 5/3/2007 8:52:00 PM | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 5/1/2007 11:18:58 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/4/2007 8:36:06 PM | Attr = S]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 5/4/2007 8:36:06 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/3/2007 6:56:58 AM | Attr = HS]
LastGood -> %SystemRoot%\LastGood -> [Folder | Modified Date = 5/4/2007 8:36:04 PM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 5/1/2007 11:18:58 PM | Attr = ]
Motive -> %SystemRoot%\Motive -> [Folder | Modified Date = 5/3/2007 7:21:26 AM | Attr = ]
msoffice.ini -> %SystemRoot%\msoffice.ini -> [Ver = | Size = 2 bytes | Modified Date = 5/3/2007 7:16:04 AM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 5/5/2007 8:14:26 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 5/3/2007 7:38:32 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 5/4/2007 7:56:08 AM | Attr = H ]
SYSTEM -> %SystemRoot%\SYSTEM -> [Folder | Modified Date = 5/3/2007 7:17:28 AM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 5/4/2007 8:36:06 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 4/29/2007 10:23:40 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 5/4/2007 8:10:14 PM | Attr = ]
WIN.INI -> %SystemRoot%\WIN.INI -> [Ver = | Size = 802 bytes | Modified Date = 5/3/2007 7:16:18 AM | Attr = ]
Norton AntiVirus - Scan my computer.job -> %SystemRoot%\tasks\Norton AntiVirus - Scan my computer.job -> [Ver = | Size = 472 bytes | Modified Date = 4/29/2007 10:23:42 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 5/3/2007 8:52:02 PM | Attr = H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 420 bytes | Modified Date = 4/29/2007 6:54:04 PM | Attr = ]
001.ast -> %System32%\001.ast -> [Ver = | Size = 41368 bytes | Modified Date = 5/3/2007 6:56:10 AM | Attr = ]
002.ast -> %System32%\002.ast -> [Ver = | Size = 998279 bytes | Modified Date = 5/3/2007 6:56:10 AM | Attr = ]
003.ast -> %System32%\003.ast -> [Ver = | Size = 28 bytes | Modified Date = 5/3/2007 6:56:10 AM | Attr = ]
appmgmt -> %System32%\appmgmt -> [Folder | Modified Date = 5/3/2007 6:55:00 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 5/4/2007 9:44:14 PM | Attr = ]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 5/3/2007 7:17:28 AM | Attr = ]
FxsTmp -> %System32%\FxsTmp -> [Folder | Modified Date = 4/29/2007 11:01:22 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 4/30/2007 9:53:22 PM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 5/4/2007 8:36:06 PM | Attr = ]
LexFiles.usr -> %System32%\LexFiles.usr -> [Ver = | Size = 4859 bytes | Modified Date = 5/4/2007 7:44:18 PM | Attr = ]
PERFC009.DAT -> %System32%\PERFC009.DAT -> [Ver = | Size = 61930 bytes | Modified Date = 5/3/2007 8:27:12 PM | Attr = ]
PERFH009.DAT -> %System32%\PERFH009.DAT -> [Ver = | Size = 402426 bytes | Modified Date = 5/3/2007 8:27:12 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 471868 bytes | Modified Date = 5/3/2007 8:27:12 PM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 4/29/2007 11:24:12 AM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 4/30/2007 9:53:22 PM | Attr = ]
WPA.DBL -> %System32%\WPA.DBL -> [Ver = | Size = 2278 bytes | Modified Date = 5/4/2007 9:41:52 PM | Attr = ]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 5/3/2007 8:50:02 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\browser.exe -> [Ver = 2, 64, 0, 0 | Size = 43391 bytes | Modified Date = 3/18/2005 4:54:00 AM | Attr = ]
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 3/19/2004 3:35:10 PM | Attr = ]
PTech , -> %System32%\DicomViewFormProj.ocx -> [Ver = 1.5.0.6 | Size = 1538048 bytes | Modified Date = 7/5/2004 5:32:48 PM | Attr = ]
@Alternate Data Stream - 88 bytes -> %System32%\FnetEdit.dll: SummaryInformation ->
@Alternate Data Stream - 0 bytes -> %System32%\FnetEdit.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} ->
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 3/19/2004 3:44:18 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 3/31/2003 3:00:00 AM | Attr = ]

< End of report >
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 6th, 2007, 2:25 pm

Ihatevirus,
Print this out before beginning, as Internet will be disconnected for part of this.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entry :

O20 - AppInit_DLLs: KB608769M.LOG

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
-----------------------------------------------------------
Reboot your machine
-----------------------------------------------------------
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect (the cable) from internet, and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please, and paste the contents into your reply after reconnecting your Internet.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Ihatevirus » May 6th, 2007, 9:27 pm

Dear Askey127,

An error occured when I clicked "Fix Checked", please seel the following error message, thanks!

--------------------------------------------------------------------------------

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: KB608769M.LOG)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 7th, 2007, 5:55 am

Ihatevirus,
Ok, let's do this.
-----------------------------------------------------------
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please, and paste the contents into your reply, along with the results from the following procedure.
-----------------------------------------------------------
Copy/paste the following quote box into a new notepad (not wordpad) document.
regedit /e startup.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
notepad startup.txt
del /q startup.txt

Save it to your Desktop as filename look.bat. Save it as File Type: All Files (not as a text document or it wont work).

Locate look.bat on your Desktop and double-click it.
When notepad opens, copy/paste the content into your reply, along with the log from gmer.
(When you close Notepad the CMD window will close automatically and the text file will be deleted. )

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Ihatevirus » May 7th, 2007, 10:50 pm

Dear Askey127,

Here it is. Thank you!

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-07 19:32:23
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\DRIVERS\update.sys

---- EOF - GMER 1.0.12 ----



-------------------------------------------------
GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-05-07 19:36:17
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName = igfxsrvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ASFAgent /*ASF Agent*/@ = C:\Program Files\Intel\ASF Agent\ASFAgent.exe
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "C:\Program Files\Kaiser\VPN Client\cvpnd.exe"
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
MSSQL$MICROSOFTBCM /*MSSQL$MICROSOFTBCM*/@ = C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM /*file not found*/
navapsvc /*Norton AntiVirus Auto Protect Service*/@ = C:\Program Files\Norton AntiVirus\navapsvc.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoftUpdate /*Update Service For Windows*/@ = C:\WINDOWS\SoftUpdate.exe /*file not found*/
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@DVDSentryC:\WINDOWS\System32\DSentry.exe = C:\WINDOWS\System32\DSentry.exe
@AdaptecDirectCD"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
@RealTrayC:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER /*file not found*/ = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER /*file not found*/
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@IMJPMIG8.1"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
@IMEKRMIG6.1C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
@MSPY2002C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
@PHIME2002ASyncC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@NAV AgentC:\PROGRA~1\NORTON~1\navapw32.exe = C:\PROGRA~1\NORTON~1\navapw32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Program Files\Norton AntiVirus\NavShExt.dll = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\SSMYPICS.SCR

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.yahoo.com = http://www.yahoo.com
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://idoc.wellpoint.com/registration = http://idoc.wellpoint.com/registration
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Xinbo Cheng MD\Start Menu\Programs\Startup >>>
DESKTOP.INI = DESKTOP.INI
HotSync Manager.lnk = HotSync Manager.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
DESKTOP.INI = DESKTOP.INI
Digital Line Detect.lnk = Digital Line Detect.lnk
Kaiser VPN Client.lnk = Kaiser VPN Client.lnk

---- EOF - GMER 1.0.12 ----
----------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
Ihatevirus
Regular Member
 
Posts: 19
Joined: May 1st, 2007, 10:09 am

Unread postby askey127 » May 8th, 2007, 2:43 pm

Ihatevirus,
Open the WinPFind3u folder on your desktop and double-click WinPFind3U.exe to start the program.
copy and paste the contents of the following quotebox into the WinPFind3u program.
[Registry - Non-Microsoft Only]
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> KB608769M.LOG -> KB608769M.LOG

Hit the Fix button.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 304 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware