Hijacked - Privacy Danger - Trojan.Zlob

Started by eddio, Jan 08 2008 06:09 PM

Next

You cannot reply to this topic

23 replies to this topic

#1 OFFLINE eddio

Member

Members
13 posts

Posted 08 January 2008 - 06:09 PM

Hi, please help with removing bug from my pc. As some other posts reported, I got red screen via the Privacy Danger folder. After following the directions I got my desktop back, but continue to get popups. attached word doc has some shots.

thanks
ec

BitDefender Online Scanner - Real Time Virus Report

Generated at: Tue, Jan 08, 2008 - 02:01:19
--------------------------------------------------------------------------------

Scan Info

Scanned Files
300919

Infected Files
2

Virus Detected

Trojan.Zlob.CBQ
2

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

****

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/08/2008 at 02:52 AM

Application Version : 3.9.1008

Core Rules Database Version : 3376
Trace Rules Database Version: 1370

Scan type : Complete Scan
Total Scan Time : 00:41:05

Memory items scanned : 610
Memory threats detected : 2
Registry items scanned : 7525
Registry threats detected : 29
File items scanned : 42690
File threats detected : 9

Trojan.Unclassified/EPXONWO
C:\WINDOWS\EPXONWO.DLL
C:\WINDOWS\EPXONWO.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\InprocServer32
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\InprocServer32#ThreadingModel
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\ProgID
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\Programmable
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\TypeLib
HKCR\CLSID\{D94D49D7-31D6-42E1-A5FE-438C7BFD6498}\VersionIndependentProgID
HKCR\epxonwo.ToolBar.1
HKCR\epxonwo.ToolBar.1\CLSID
HKCR\epxonwo.ToolBar
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}\1.0
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}\1.0
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}\1.0\win32
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}\1.0\FLAGS
HKCR\TypeLib\{1CE33EFE-9E40-4B8C-AA1D-B4FF50414A7B}\1.0\HELPDIR

Trojan.Net-MSV/VPS-Variant
C:\WINDOWS\DNQDLPMSOM.DLL
C:\WINDOWS\DNQDLPMSOM.DLL
HKLM\Software\Classes\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\InprocServer32
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\InprocServer32#ThreadingModel
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\ProgID
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\Programmable
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\TypeLib
HKCR\CLSID\{D3464F94-A3FE-4675-8D96-49B008E12CD3}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3464F94-A3FE-4675-8D96-49B008E12CD3}

Adware.Tracking Cookie
C:\Documents and Settings\Edward Curry\Cookies\edward_curry@www.googleadservices[1].txt
C:\Documents and Settings\Edward Curry\Cookies\edward_curry@specificclick[1].txt
C:\Documents and Settings\Edward Curry\Cookies\edward_curry@meetupcom.122.2o7[1].txt
C:\Documents and Settings\Edward Curry\Cookies\edward_curry@msnportal.112.2o7[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-2226385189-470888065-735474785-1008\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Desktop Hijacker.AboutYourPrivacy
C:\Documents and Settings\Edward Curry\Favorites\Error Cleaner.url
C:\Documents and Settings\Edward Curry\Favorites\Privacy Protector.url
C:\Documents and Settings\Edward Curry\Favorites\Spyware&Malware Protection.url

****
AVG was clean!

<history>

<rec
time="2008/01/08 09:09:04"
user="SYSTEM"
source="Update">
<value>@HL_UpdateOK</value>
<attr
name="version">avi:1236-1225;iavi:1223-1197;</attr>
</rec>
<rec
time="2008/01/08 09:10:47" user="Eddio"
source="General">
<value>@HL_TestStarted</value>
<attr
name="testname">@TestName_02</attr>
</rec>
<rec
time="2008/01/08 09:11:23"
user="Eddio" source="General">
<value>@HL_TestStopped</value>
<attr
name="testname">@TestName_02</attr>
<attr
name="infectedfiles">0</attr>
</rec>
<rec
time="2008/01/08 09:12:44"
user="Eddio" source="General">
<value>@HL_TestStarted</value>
<attr
name="testname">@TestName_02</attr>
</rec>
<rec
time="2008/01/08 10:51:59" user="Eddio"
source="General">
<value>@HL_TestEnded</value>
<attr
name="testname">@TestName_02</attr>
<attr
name="infectedfiles">0</attr>
</rec>
</history>

****
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:33 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxctPSWX.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_04\bin\ssv.dll (file missing)
O2 - BHO: BDEX System - {D3464F94-A3FE-4675-8D96-49B008E12CD3} - C:\WINDOWS\dnqdlpmsom.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: The epxonwo - {D94D49D7-31D6-42E1-A5FE-438C7BFD6498} - C:\WINDOWS\epxonwo.dll (file missing)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {81449547-EB5D-422E-8730-932DC5E412C8} (UVUPlayer Control) - http://www.howardste...l/uvuplayer.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} (CLaunchPrint Object) - http://eshare.hpphot...sLocalPrint.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: asvdnmo - {1DAF5A0D-25B7-4187-B7E3-287B4117E5F0} - C:\WINDOWS\asvdnmo.dll
O21 - SSODL: bgntlvo - {D20D64AC-ABC7-461C-955D-2BB4DE4280B2} - C:\WINDOWS\bgntlvo.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 11446 bytes

Attached Files

avg.doc 674.5K 1 downloads

Back to top

#2 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 01 February 2008 - 03:47 AM

I apologize for the delay in getting to your log, the helpers here have been very busy lately. If you still need assistance, please post a fresh HijackThis log for review and I will take a look for you

Back to top

#3 OFFLINE eddio

Member

Members
13 posts

Posted 02 February 2008 - 11:49 PM

Hi __RiP_ChAiN_, I appreciate the follow up. I cleaned up and found the offender from my original inquiry, but certianly do need your feedback. Logfile is below.

What is most disturbing and something that IS left over, are outgoing tcp packets blocked by the firewall. Ports 3716 - 3719 labeled as Back End, Executor or Ring 0. AntiSpyware or AVG and others cannot pick up on this. I have not found specifics on what to hunt for...

example:
Verizon Internet Security Suite Firewall
Blocked Packets Report (1/28/2008 8:47:48 AM)
Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
tcp Outgoing x.x.x.x 4805 206.46.232.12 25 1/28/2008 8:47:46 AM ----------- (starts @ tcp 4602 to 4805)

Also, I get incoming packets bound for my IP addess, blocked by the firewall. If I am behind NAT, how is my IP Address available?

thanks again ec

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:52 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Verizon\Verizon Internet Security Suite\SwchMonR.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\RPS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1007\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1008\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8688 bytes

Back to top

#4 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 04 February 2008 - 07:06 AM

Hello eddio

Quote

What is most disturbing and something that IS left over, are outgoing tcp packets blocked by the firewall. Ports 3716 - 3719 labeled as Back End, Executor or Ring 0. AntiSpyware or AVG and others cannot pick up on this. I have not found specifics on what to hunt for...

Your HijackThis log is clean, so we're going to need more info to effectively find the remaining malware left behind on your computer.

Quote

Also, I get incoming packets bound for my IP addess, blocked by the firewall. If I am behind NAT, how is my IP Address available?

When your on the internet somebody's IP address is ALWAYS going to be available, if your behind NAT then it's possible that the IP shared for multiple computers is being targeted, and not yours specifically.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Back to top

#5 OFFLINE eddio

Member

Members
13 posts

Posted 04 February 2008 - 05:52 PM

Hi __RiP_ChAiN_, I have collected the info.

These entries stand out!

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
????

Activescan.txt

Incident Status Location

Adware:adware/memorywatcher Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\eddio\My Documents\virus\SDFix.exe[SDFix\apps\Process.exe]

main.txt

Deckard's System Scanner v20071014.68
Run by - eddio - on 2008-02-04 08:33:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as - eddio -.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:45 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\SwchMonR.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Documents and Settings\- eddio -\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\- eddio -.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1007\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1008\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1008\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8501 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080108-162633-622 O3 - Toolbar: The epxonwo - {D94D49D7-31D6-42E1-A5FE-438C7BFD6498} - C:\WINDOWS\epxonwo.dll (file missing)
backup-20080108-162633-705 O2 - BHO: BDEX System - {D3464F94-A3FE-4675-8D96-49B008E12CD3} - C:\WINDOWS\dnqdlpmsom.dll (file missing)
backup-20080108-163003-150 O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
backup-20080108-163003-600 O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
backup-20080108-163003-728 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
backup-20080108-163003-734 O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
backup-20080108-163003-754 O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
backup-20080108-163003-777 O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
backup-20080108-163003-867 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
backup-20080108-163004-182 O16 - DPF: {81449547-EB5D-422E-8730-932DC5E412C8} (UVUPlayer Control) - http://www.howardste...l/uvuplayer.cab
backup-20080108-163004-474 O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
backup-20080108-163005-330 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
backup-20080109-135312-515 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
backup-20080109-135312-569 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20080109-135312-611 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
backup-20080109-135312-910 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080109-135313-108 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080109-135314-591 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080109-135314-695 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080109-141226-947 O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
backup-20080109-141256-404 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080109-141256-821 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080109-184147-200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080109-184147-595 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080109-184147-908 O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
backup-20080109-184147-951 O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1008\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Cheri')
backup-20080109-184148-241 O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
backup-20080109-184148-265 O21 - SSODL: bgntlvo - {D20D64AC-ABC7-461C-955D-2BB4DE4280B2} - C:\WINDOWS\bgntlvo.dll (file missing)
backup-20080109-184148-348 O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
backup-20080109-184148-806 O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
backup-20080109-185735-600 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
backup-20080109-185735-779 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20080109-185735-820 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080109-185735-995 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_04\bin\ssv.dll (file missing)
backup-20080110-124202-572 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
backup-20080110-124634-344 O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
backup-20080110-124634-564 O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
backup-20080110-124634-739 O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
backup-20080110-124732-741 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
backup-20080110-163204-791 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080120-083102-218 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080120-083102-448 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080120-083102-669 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080120-083102-854 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080120-083102-876 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
backup-20080120-083931-293 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
backup-20080120-083931-492 O16 - DPF: {FFFDF6F2-F7BC-4B90-B789-CB7BBDA13AD6} (CLaunchPrint Object) - http://eshare.hpphot...sLocalPrint.CAB
backup-20080120-083931-712 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080120-083932-856 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080120-085354-237 O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
backup-20080120-085354-679 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080120-085447-882 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080128-213023-557 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080128-213023-877 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080128-213023-961 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-04 01:00:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2008-01-04 and 2008-02-04 -----------------------------

2008-01-28 20:16:26 0 d-------- C:\Program Files\Windows Defender
2008-01-20 10:23:42 0 d-------- C:\Program Files\Java
2008-01-18 17:56:53 0 d-------- C:\Documents and Settings\M&M\Application Data\SUPERAntiSpyware.com
2008-01-09 22:55:54 0 d-------- C:\Documents and Settings\Cheri\Application Data\SUPERAntiSpyware.com
2008-01-09 14:38:26 0 dr-h----- C:\$VAULT$.AVG
2008-01-09 14:27:39 0 d-------- C:\Documents and Settings\M&M\Application Data\AVG7
2008-01-08 17:56:49 0 d-------- C:\Documents and Settings\Cheri\Application Data\AVG7
2008-01-08 13:19:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-08 09:07:18 0 d-------- C:\Documents and Settings\- eddio -\Application Data\AVG7
2008-01-08 09:06:55 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-08 09:06:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 09:06:33 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-08 02:08:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-08 02:08:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-08 02:08:15 0 d-------- C:\Documents and Settings\- eddio -\Application Data\SUPERAntiSpyware.com
2008-01-08 02:07:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 00:32:30 0 d-------- C:\WINDOWS\BDOSCAN8
2008-01-08 00:08:06 0 d-------- C:\Program Files\Trend Micro
2008-01-07 18:47:40 0 d-------- C:\Documents and Settings\M&M\Application Data\Lavasoft
2008-01-06 13:10:43 0 d-------- C:\Program Files\DiscwareLite

-- Find3M Report ---------------------------------------------------------------

2008-02-04 08:28:44 0 d-------- C:\Program Files\Lx_cats
2008-01-20 10:27:43 0 d-------- C:\Program Files\Common Files
2008-01-15 20:21:35 0 d-------- C:\Program Files\Intel
2008-01-15 19:47:31 0 d-------- C:\Documents and Settings\- eddio -\Application Data\AdobeUM
2008-01-09 19:22:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-09 19:18:53 0 d-------- C:\Documents and Settings\- eddio -\Application Data\Lavasoft
2008-01-02 12:35:25 0 d-------- C:\Program Files\Dell Support Center
2008-01-02 12:35:04 0 d-------- C:\Program Files\Common Files\supportsoft

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [11/15/2001 12:00 PM]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [01/17/2002 04:40 PM]
"ioloDelayModule"="C:\Program Files\iolo\System Mechanic 6\delay.exe" [06/08/2005 01:31 PM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 09:32 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 01:05 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 04:19 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 12:52 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 02:42 PM]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [06/07/2006 12:09 PM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [05/11/2007 02:20 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [12/31/2007 04:28 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [08/07/2007 04:31 PM]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [01/11/2007 01:57 PM]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [07/10/2006 10:30 PM]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [06/07/2006 02:05 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/08/2008 09:06 AM]
"SystemGuardAlerter"="SystemGuardAlerter.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

C:\Documents and Settings\- eddio -\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 1:04:12 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
????

-- End of Deckard's System Scanner: finished at 2008-02-04 08:36:42 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1534.07 MiB / 823.02 MiB
Pagefile Memory (total/avail): 2151.26 MiB / 1558.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.76 MiB

C: is Fixed (NTFS) - 70.9 GiB total, 23.15 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Verizon Internet Security Suite Firewall v6.0.1 (Verizon)
AV: AVG 7.5.516 v7.5.516 (Grisoft)
AV: Verizon Internet Security Suite Anti-Virus v6.0.1 (Verizon)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"="C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Disabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Disabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Disabled:avginet.exe"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\- eddio -\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DJGK8Q71
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\- eddio -
LOGONSERVER=\\DJGK8Q71
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\CA\PPRT\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\- eddio -~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\- eddio -~1\LOCALS~1\Temp
USERDOMAIN=DJGK8Q71
USERNAME=- eddio -
USERPROFILE=C:\Documents and Settings\- eddio -
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

- eddio - (admin)
CC (admin)
M&M
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{26792CA7-D87A-4DBE-896B-C2F66B344511}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A Bug's Life Action Game --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\ABUG'S~1\DeIsL1.isu
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{001AB29C-5468-4972-8D24-2EBDB2B12133}
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6B8BDABA-6737-4998-AEE4-E218EDE5FC7A}
Canon Camera Window MC 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{89EB3ED7-225A-412E-B048-623D502C000F}
Canon i850 --> C:\WINDOWS\system32\CNMCP4b.exe "-PRINTERNAMECanon i850" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmi0409.dll"
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68D27126-BF6A-457D-8DD0-5F35E8D41310}
Canon PhotoRecord --> MsiExec.exe /X{6693BD7C-CB4E-43AC-A0D6-10D1A1B88DCF}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{001EB665-D9EC-415E-9E13-AD2125B2B992}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DiscwareLite --> "C:\Program Files\DiscwareLite\Uninstall_DiscwareLite\Uninstall DiscwareLite.exe"
Disney/Pixar Finding Nemo: Learning with Nemo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5D0C3D1-0497-4A1C-95DF-48DB0CEB8FCF}\setup.exe" -l0x9 Disney/Pixar Finding Nemo: Learning with Nemo
Dr. Seuss Preschool --> C:\Program Files\The Learning Company\Dr. Seuss Preschool\uninstal.exe
DVD Flick --> "C:\Program Files\DVD Flick\unins000.exe"
FinePixViewer Ver.3.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{24ED4D80-8294-11D5-96CD-0040266301AD} /l1033
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
hp deskjet 840c series (Remove only) --> C:\Program Files\hp deskjet 840c series\hpfiui.exe -c -vdivid=HPF -vpnum=90 -vinstport=LPT1: -vproduct=840c -huninstall
HP eServices Local Prints and Save --> MsiExec.exe /I{939E2189-9B65-41FC-A842-1BBC1588BFD1}
ImageMixer VCD for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3AA158A-9421-4883-8767-E771B0964A1D}\setup.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iolo technologies' System Mechanic 6 --> "C:\Program Files\iolo\System Mechanic 6\unins000.exe"
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
LBT Preschool Adventure --> C:\PROGRA~1\BRIGHT~1\LBTPRE~1\UNWISE.EXE C:\PROGRA~1\BRIGHT~1\LBTPRE~1\INSTALL.LOG
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LeechFTP --> C:\WINDOWS\eraser.exe KILL "C:\Program Files\LeechFTP\uninstall.uif"
Lexmark 5400 Series --> C:\Program Files\Lexmark 5400 Series\Install\x86\Uninst.exe
Lexmark Toolbar --> regsvr32.exe /s /u "C:\Program Files\Lexmark Toolbar\toolband.dll"
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Maisy's Playhouse --> C:\Maisy1\UNWISE.EXE /A C:\Maisy1\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
NickToons Racing --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B4F81E0-9150-11D4-A594-0050BAC6946A}\setup.exe"
Nokia Multimedia Player --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4D6183C0-005C-4B1F-8261-4B0F71F1C4A5}
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Photo Explosion Special Edition --> MsiExec.exe /X{DD040AAA-F295-492B-AD91-C8DC24488273}
Photo Viewer --> MsiExec.exe /X{48A34EA8-695B-48BE-B900-C0C44D5D518A}
PlayLinc --> MsiExec.exe /I{9CCE527D-356F-41A8-9718-77A68AC065FB}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PPSDKRedistributables --> MsiExec.exe /I{C869F4FF-E5FF-4FBB-9A31-33C23605E170}
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Radialpoint Security Services --> MsiExec.exe /X{5DFDEAAA-E050-482E-A5B6-138CAE53F7BF}
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
Roxio Easy Media Creator 7 --> MsiExec.exe /I{A99C6296-A311-4D6C-9602-53B4241921D5}
RPS Ad Blocker --> MsiExec.exe /I{42BB4641-F08B-406A-92D3-8B602AA4105A}
RPS AntiFraud --> MsiExec.exe /I{021ED907-41E1-4610-9F60-C5752C46302C}
RPS AntiSpyware --> MsiExec.exe /I{151E93D6-FCE5-4EC0-99E8-CB73D20A1670}
RPS AntiVirus --> MsiExec.exe /I{1CFE4B69-0CCF-4BE7-8627-EA7BF46CB602}
RPS App Detector --> MsiExec.exe /I{DBDBF6F0-08D9-48FB-BF70-EDB4867285B8}
RPS AsRealtime --> MsiExec.exe /I{5B47B6C1-DC60-4E5C-8DC7-C2304939CD16}
RPS Backup --> MsiExec.exe /I{0DC160EA-5AC0-4ECD-9381-D3C9DBB38647}
RPS Burn --> MsiExec.exe /I{039612F9-B264-4B7C-8170-AAA908643962}
RPS Diagnostic Utility --> MsiExec.exe /I{1908B36C-5AFE-495D-A9D9-14A0E5AB1056}
RPS Firewall --> MsiExec.exe /I{473150B1-E053-42A1-B521-634918D2442B}
RPS ParentalControl --> MsiExec.exe /I{7F71F140-FFEB-405B-BFFC-797A4358651C}
RPS Performance Tool --> MsiExec.exe /I{55728951-F14D-4292-8809-8CB13E3FEB28}
RPS PopupBlocker --> MsiExec.exe /I{949F8F97-80C8-47F2-A9BF-C99563EE2FAD}
RPS Privacy Manager --> MsiExec.exe /I{6FB8EC0E-63B8-41F6-894A-1C098A7584AB}
RPS RpsCore --> MsiExec.exe /I{A7F98C80-0B0A-4615-AF9B-CEB17171FEF7}
RPS Security Cleanup --> MsiExec.exe /I{DE420E21-64D3-48A6-AB03-2F0C9B7B6916}
RPS Zip --> MsiExec.exe /I{913A0A14-0092-4257-92E6-F8CBEDD858A0}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SpongeBob SquarePants® Operation Krabby Patty --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\SpongeBob SquarePants\Operation Krabby Patty\Uninst.isu"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tarzan Action Game --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\TARZAN~1\DeIsL1.isu
The Land Before Time Kindergarten Adventure --> C:\Lbtkind\UNWISE.EXE C:\Lbtkind\INSTALL.LOG
Tigger Activity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42514020-B256-4F9C-9A8C-A00CA04F3E20}\setup.exe" -l0x9 Tigger Activity Center
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
Verizon Internet Security Suite --> C:\Program Files\InstallShield Installation Information\{160B9401-0B67-41CF-A12A-41CE64C8B857}\setup.exe -runfromtemp -l0x0009 -removeonly
Verizon Online Help and Support --> C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG
Verizon Servicepoint 1.5.12 --> "C:\Program Files\Verizon\VSP\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - (mr7910) Image 06/28/2005 1.3.0.0 --> C:\WINDOWS\system32\DRVSTORE\f1490bc41e7d27129cb157cba768cf63b89e7752\DPInst.exe /u mr7910_32bb2befe1e5d1d6012329af0300b36139b7b84a
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type141 / Warning
Event Submitted/Written: 02/04/2008 00:41:02 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type127 / Warning
Event Submitted/Written: 02/03/2008 03:51:16 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type125 / Warning
Event Submitted/Written: 02/03/2008 03:51:05 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type110 / Warning
Event Submitted/Written: 02/03/2008 00:35:48 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type98 / Warning
Event Submitted/Written: 02/02/2008 07:00:31 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type232447 / Error
Event Submitted/Written: 02/04/2008 08:36:27 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Event Record #/Type232446 / Error
Event Submitted/Written: 02/04/2008 08:36:27 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Event Record #/Type232445 / Error
Event Submitted/Written: 02/04/2008 08:36:27 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Event Record #/Type232444 / Error
Event Submitted/Written: 02/04/2008 08:36:27 AM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Event Record #/Type232443 / Warning
Event Submitted/Written: 02/04/2008 08:36:06 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%DJGK8Q7127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DJGK8Q7127 can't undo changes that you allow.

For more information please see the following:
%DJGK8Q71275

Scan ID: {049E07E5-9016-4145-8BCF-638BB085F9CF}

User: DJGK8Q71\- eddio -

Name: %DJGK8Q71271

ID: %DJGK8Q71272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %DJGK8Q71276

Alert Type: %DJGK8Q71278

Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-02-04 08:36:42 ------------

thank you
ec

Back to top

#6 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 05 February 2008 - 12:34 AM

Hello eddio

Using Add Or Remove Programs remove the following entries (if present): (To get into add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

Viewpoint Media Player

Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Save it to your drive C:\ as fix131.reg and as Type "All files"

Double click on fix131.reg and allow when prompted to let it merge with the registry.

Then post back with a new hijackThis log, and an update on how your computer is running.

Back to top

#7 OFFLINE eddio

Member

Members
13 posts

Posted 05 February 2008 - 03:49 PM

Hi __RiP_ChAiN_,

I did find Viewpoint Media Player, can you explain it's function? Hiding right in plain site! Not sure if this is the Promail or Backend, Executor that is originating outgoing packets blocked by the firewall.

I created the c:\fix131.reg "all files". I double click on this file and it opens as a notepad doc only. No prompt to merge.

I can right click on fix131.reg and have the option to "merge", but again the doc just seems to open.

Perhaps the log shows the required integration... thank you for your patience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:59 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1007\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 6805 bytes

Back to top

#8 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 05 February 2008 - 06:28 PM

Hello eddio

Quote

I did find Viewpoint Media Player, can you explain it's function?

This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware as it is installed without your consent through programs like AOl, AIM, Compuserve, etc.

Quote

I created the c:\fix131.reg "all files". I double click on this file and it opens as a notepad doc only. No prompt to merge.

This might have to do with your current file assocations, take a look:
.reg - regfile - shell\open\command - NOTEPAD.EXE %1

Let's try this a different way.

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Back to top

#9 OFFLINE eddio

Member

Members
13 posts

Posted 05 February 2008 - 07:27 PM

Hello __RiP_ChAiN_, looks like the reg entries have been integrated. What are their purpose?

Is manully deleting the files captured in ComboFix-quarantined-files.txt a next step?

thank you
ec

Requested info below:

combofix.txt

ComboFix 08-02.05.3 - eddio 2008-02-05 14:02:57.1 - NTFSx86

Running from: C:\Documents and Settings\eddio\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\eddio\Application Data\macromedia\Flash Player\#SharedObjects\F2KCAY6S\www.broadcaster.com
C:\Documents and Settings\eddio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\bszip.dll

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 10:06 . 2008-02-05 10:32 322 --a------ C:\fix131.reg
2008-02-04 09:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-02-04 08:49 . 2008-02-04 10:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-04 08:49 . 2008-02-04 09:09 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-04 08:49 . 2008-02-04 09:09 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-04 08:49 . 2008-02-04 09:09 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-04 08:29 . 2008-02-04 08:29 <DIR> d-------- C:\Deckard
2008-02-04 08:22 . 2008-02-04 08:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-04 08:22 . 2008-02-04 08:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-20 10:23 . 2008-01-20 10:27 <DIR> d-------- C:\Program Files\Java
2008-01-18 17:56 . 2008-01-18 17:56 <DIR> d-------- C:\Documents and Settings\M&M\Application Data\SUPERAntiSpyware.com
2008-01-09 22:55 . 2008-01-09 22:55 <DIR> d-------- C:\Documents and Settings\Cheri\Application Data\SUPERAntiSpyware.com
2008-01-09 15:25 . 2008-01-09 15:25 118 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-01-09 14:27 . 2008-01-09 14:30 <DIR> d-------- C:\Documents and Settings\M&M\Application Data\AVG7
2008-01-08 17:56 . 2008-01-29 19:59 <DIR> d-------- C:\Documents and Settings\CC\Application Data\AVG7
2008-01-08 13:19 . 2008-01-08 13:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-08 09:07 . 2008-01-10 08:00 <DIR> d-------- C:\Documents and Settings\eddio\Application Data\AVG7
2008-01-08 09:06 . 2008-01-08 09:06 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-08 09:06 . 2008-01-08 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 09:06 . 2008-02-05 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-08 02:08 . 2008-02-04 10:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-08 02:08 . 2008-01-08 02:08 <DIR> d-------- C:\Documents and Settings\eddio\Application Data\SUPERAntiSpyware.com
2008-01-08 02:08 . 2008-01-08 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-08 02:07 . 2008-01-08 02:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 00:32 . 2008-01-28 21:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-08 00:08 . 2008-01-08 00:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 18:47 . 2008-01-07 18:47 <DIR> d-------- C:\Documents and Settings\M&M\Application Data\Lavasoft
2008-01-06 13:10 . 2008-01-20 10:33 <DIR> d-------- C:\Program Files\DiscwareLite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 17:41 --------- d-----w C:\Program Files\Lx_cats
2008-02-05 15:10 --------- d-----w C:\Program Files\hp deskjet 840c series
2008-02-05 05:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-04 14:54 --------- d-----w C:\Program Files\Lexmark 5400 Series
2008-02-04 14:47 --------- d-----w C:\Program Files\DellSupport
2008-02-04 14:45 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-26 20:20 --------- d-----w C:\Documents and Settings\Cheri\Application Data\AdobeUM
2008-01-16 01:21 --------- d-----w C:\Program Files\Intel
2008-01-16 00:47 --------- d-----w C:\Documents and Settings\eddio\Application Data\AdobeUM
2008-01-10 00:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 00:18 --------- d-----w C:\Documents and Settings\eddio\Application Data\Lavasoft
2008-01-02 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-02 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
1998-08-24 16:09 10,000 ----a-w C:\WINDOWS\INF\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2007-08-07 16:31 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 12:00 196608]
"hplampc"="C:\WINDOWS\system32\hplampc.exe" [2002-01-17 16:40 40448]
"ioloDelayModule"="C:\Program Files\iolo\System Mechanic 6\delay.exe" [2005-06-08 13:31 96256]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32 53248]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 12:09 106496]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2007-12-31 16:28 303344]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2007-08-07 16:31 13552]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2007-01-11 13:57 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-07-10 22:30 294912]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-06-07 02:05 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 09:06 579072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2007-08-07 16:31 61168]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 20:53:14 200704]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:04:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 14:05:15
ComboFix-quarantined-files.txt 2008-02-05 19:05:01
.
2008-01-31 23:34:02 --- E O F ---

ComboFix-quarantined-files.txt

2000-10-27 17:23 50688 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\BSZIP.DLL.vir
2004-08-04 05:00 611328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_000007_.tmp.dll.vir
2004-08-04 05:00 983552 --a------ C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_000006_.tmp.dll.vir
2008-01-07 12:46 18250 --a------ C:\Qoobox\Quarantine\C\WINDOWS\rs.txt.vir
2008-01-08 00:30 1038 --a------ C:\Qoobox\Quarantine\C\WINDOWS\search_res.txt.vir
2008-01-08 07:51 926 --a------ C:\Qoobox\Quarantine\C\WINDOWS\dat.txt.vir
2008-01-31 18:33 19081 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-01-31 18:33 20305 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir

Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:35 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2226385189-470888065-735474785-1007\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" (User '?')
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 6783 bytes

Back to top

#10 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 07 February 2008 - 08:48 PM

Hello eddio

Quote

Hello __RiP_ChAiN_, looks like the reg entries have been integrated. What are their purpose?

All the regfix did was reset the orginal values of that registry field.

STEP #1

Please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Microsoft Windows XP Home Edition
- Without Service Packs
  http://www.microsoft.com/downloads/details...55-BD5AFEE126D8
- Service Pack 1
  http://www.microsoft.com/downloads/details...05-719F45C382A4
- Service Pack 2
  http://www.microsoft.com/downloads/details...3D-81C2137FF464
Microsoft Windows XP Professional
- Without Service Packs
  http://www.microsoft.com/downloads/details...B7-4FED408EA73F
- Service Pack 1
  http://www.microsoft.com/downloads/details...C2-631504EF5E26
- Service Pack 2
  http://www.microsoft.com/downloads/details...0C-0A0205368124

## Important ##
As we do not know the name of the file that's downloaded, you have to save the file as RC.exe to the root of SystemDrive e.g. C:\RC.exe

STEP #2

Download the latest copy of ComboFix.exe => http://download.blee...Bs/ComboFix.exe

Open notepad and copy/paste the text in the quotebox below into it:

RecoveryConsole::
C:\RC.EXE

Save this as "CFScript"

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\CF-RC.txt. Post that log in your next reply.

## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.

Back to top

#11 OFFLINE eddio

Member

Members
13 posts

Posted 12 February 2008 - 02:09 AM

Hi __RiP_ChAiN_ , I selected Home Edition SP2.

here is the contents of CF-RC.txt

RC.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

thanks
ec

Back to top

#12 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 12 February 2008 - 07:10 AM

Hello eddio

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Back to top

#13 OFFLINE eddio

Member

Members
13 posts

Posted 12 February 2008 - 03:33 PM

Hi__RiP_ChAiN_, I did not click the "cure" button, but selected "move".

Dr. Web found 1 issue:

GTDownDE_87.ocx;C:\I386;Adware.Gdown;Moved.;

fyi -

on 2/6 AVG snagged smax4pnp.exe in 3 locations as Trojan Horse Generic9.AYHW

2/8 [bifrost] was quarantined by verizon anti-spyware.

2/9 9000 outgoing tcp blocked by the firewall. Outlook is infected with Promail, Back End, Executor, Ring Zero -
Identified depending upon what source port is highlighted.

thanks very much
ec

Back to top

#14 OFFLINE eddio

Member

Members
13 posts

Posted 13 February 2008 - 02:14 AM

Hi__RiP_ChAiN_,

I got curious and ran Dr Web in normal boot mode:

SktInstall.exe;C:\Program Files\InstallShield Installation Information\{160B9401-0B67-41CF-A12A-41CE64C8B857};Probably BACKDOOR.Trojan;Moved.;
A0000011.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1;Probably BATCH.Virus;Moved.;
A0000200.bat;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6;Probably BATCH.Virus;Moved.;
A0000249.ocx;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7;Adware.Gdown;Moved.;

I hope this does not affect our current path.

thanks again
ec

Back to top

#15 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 14 February 2008 - 08:03 PM

Hello eddio

Quote

I hope this does not affect our current path.

Nope, not at all

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next replyalong with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Back to top

#16 OFFLINE eddio

Member

Members
13 posts

Posted 14 February 2008 - 11:22 PM

Hi __RiP_ChAiN_

I expected to see something in the form of a trojan, or one of the Backdoor variants to explain the Outlook hijacking!

thank you
ec

SDFix: Version 1.142

Run by Eddio on Thu 02/14/2008 at 06:03 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 18:09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Wed 13 Feb 2008 8 A..H. --- "C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 13 Feb 2008 8 A..H. --- "C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 13 Feb 2008 8 A..H. --- "C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 13 Feb 2008 8 A..H. --- "C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Back to top

#17 OFFLINE eddio

Member

Members
13 posts

Posted 14 February 2008 - 11:46 PM

Hi __RiP_ChAiN_, funny right after the SDFix step Backdoor kicked in:

Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
tcp Outgoing 192.168.3.200 1724 216.89.80.44 80 2/14/2008 6:39:24 PM
tcp Outgoing 192.168.3.200 1724 216.89.80.44 80 2/14/2008 6:39:21 PM
tcp Outgoing 192.168.3.200 1722 66.7.150.174 80 2/14/2008 6:39:09 PM
tcp Outgoing 192.168.3.200 1722 66.7.150.174 80 2/14/2008 6:39:03 PM
tcp Outgoing 192.168.3.200 1722 66.7.150.174 80 2/14/2008 6:39:00 PM
tcp Outgoing 192.168.3.200 1721 74.200.65.170 80 2/14/2008 6:38:52 PM
tcp Outgoing 192.168.3.200 1721 74.200.65.170 80 2/14/2008 6:38:46 PM
tcp Outgoing 192.168.3.200 1721 74.200.65.170 80 2/14/2008 6:38:43 PM
tcp Outgoing 192.168.3.200 1719 207.46.19.190 80 2/14/2008 6:38:36 PM
tcp Outgoing 192.168.3.200 1718 74.200.66.194 80 2/14/2008 6:38:31 PM
tcp Outgoing 192.168.3.200 1717 74.200.66.194 80 2/14/2008 6:38:31 PM
tcp Outgoing 192.168.3.200 1719 207.46.19.190 80 2/14/2008 6:38:30 PM
tcp Outgoing 192.168.3.200 1719 207.46.19.190 80 2/14/2008 6:38:27 PM
tcp Outgoing 192.168.3.200 1718 74.200.66.194 80 2/14/2008 6:38:25 PM
tcp Outgoing 192.168.3.200 1717 74.200.66.194 80 2/14/2008 6:38:25 PM
tcp Outgoing 192.168.3.200 1718 74.200.66.194 80 2/14/2008 6:38:22 PM
tcp Outgoing 192.168.3.200 1717 74.200.66.194 80 2/14/2008 6:38:22 PM
tcp Outgoing 192.168.3.200 1715 207.46.193.254 80 2/14/2008 6:38:15 PM
tcp Outgoing 192.168.3.200 1714 74.200.66.242 80 2/14/2008 6:38:10 PM
tcp Outgoing 192.168.3.200 1713 74.200.66.242 80 2/14/2008 6:38:10 PM
tcp Outgoing 192.168.3.200 1715 207.46.193.254 80 2/14/2008 6:38:09 PM
tcp Outgoing 192.168.3.200 1715 207.46.193.254 80 2/14/2008 6:38:06 PM
tcp Outgoing 192.168.3.200 1714 74.200.66.242 80 2/14/2008 6:38:04 PM
tcp Outgoing 192.168.3.200 1713 74.200.66.242 80 2/14/2008 6:38:04 PM
tcp Outgoing 192.168.3.200 1714 74.200.66.242 80 2/14/2008 6:38:01 PM
tcp Outgoing 192.168.3.200 1713 74.200.66.242 80 2/14/2008 6:38:01 PM
tcp Outgoing 192.168.3.200 1712 207.46.192.254 80 2/14/2008 6:37:54 PM
tcp Outgoing 192.168.3.200 1711 66.7.150.172 80 2/14/2008 6:37:50 PM
tcp Outgoing 192.168.3.200 1712 207.46.192.254 80 2/14/2008 6:37:48 PM
tcp Outgoing 192.168.3.200 1712 207.46.192.254 80 2/14/2008 6:37:45 PM
tcp Outgoing 192.168.3.200 1711 66.7.150.172 80 2/14/2008 6:37:44 PM
tcp Outgoing 192.168.3.200 1711 66.7.150.172 80 2/14/2008 6:37:41 PM
tcp Outgoing 192.168.3.200 1709 207.46.19.254 80 2/14/2008 6:37:33 PM
tcp Outgoing 192.168.3.200 1707 216.89.80.46 80 2/14/2008 6:37:29 PM
tcp Outgoing 192.168.3.200 1709 207.46.19.254 80 2/14/2008 6:37:27 PM
tcp Outgoing 192.168.3.200 1709 207.46.19.254 80 2/14/2008 6:37:24 PM
tcp Outgoing 192.168.3.200 1707 216.89.80.46 80 2/14/2008 6:37:23 PM
tcp Outgoing 192.168.3.200 1705 206.46.232.10 110 2/14/2008 6:37:21 PM
tcp Outgoing 192.168.3.200 1707 216.89.80.46 80 2/14/2008 6:37:20 PM
tcp Outgoing 192.168.3.200 1705 206.46.232.10 110 2/14/2008 6:37:15 PM
tcp Outgoing 192.168.3.200 1705 206.46.232.10 110 2/14/2008 6:37:12 PM
tcp Outgoing 192.168.3.200 1704 216.89.80.44 80 2/14/2008 6:37:08 PM
tcp Outgoing 192.168.3.200 1704 216.89.80.44 80 2/14/2008 6:37:02 PM
tcp Outgoing 192.168.3.200 1703 216.89.80.45 80 2/14/2008 6:37:01 PM
tcp Outgoing 192.168.3.200 1702 206.46.232.10 110 2/14/2008 6:36:59 PM
tcp Outgoing 192.168.3.200 1704 216.89.80.44 80 2/14/2008 6:36:59 PM
tcp Outgoing 192.168.3.200 1703 216.89.80.45 80 2/14/2008 6:36:55 PM
tcp Outgoing 192.168.3.200 1702 206.46.232.10 110 2/14/2008 6:36:53 PM
tcp Outgoing 192.168.3.200 1703 216.89.80.45 80 2/14/2008 6:36:52 PM
tcp Outgoing 192.168.3.200 1702 206.46.232.10 110 2/14/2008 6:36:50 PM
tcp Outgoing 192.168.3.200 1701 66.7.150.166 80 2/14/2008 6:36:47 PM
tcp Outgoing 192.168.3.200 1701 66.7.150.166 80 2/14/2008 6:36:41 PM
tcp Outgoing 192.168.3.200 1701 66.7.150.166 80 2/14/2008 6:36:38 PM
tcp Outgoing 192.168.3.200 1698 216.89.80.44 80 2/14/2008 6:36:34 PM
tcp Outgoing 192.168.3.200 1697 216.89.80.44 80 2/14/2008 6:36:33 PM

Back to top

#18 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 16 February 2008 - 08:08 PM

Hello eddio

I'm not so sure everything there is a Hijacking, this is what I got from running one of the IP's you listed through a tracing service:
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator Domain domains@microsoft.com
One Microsoft Way
Redmond WA 98052
US
1.4258828080
Technical Contact:
Hostmaster MSN msnhst@microsoft.com

Besides these blocked access attempts, is there anything else out of the ordinary on your computer? Let's do one last scan for some trojans, all the same though.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Click OK
Now under select a target to scan:
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Back to top

#19 OFFLINE eddio

Member

Members
13 posts

Posted 19 February 2008 - 12:19 AM

Hi __RiP_ChAiN_,

some of the Registrants may be legit, but I can only go by the FW highlighting Promail and others, as I look at each packet. See attached for a visual.

When the issue shows itself - Outlook is polling stuck at 50%-66%- and at the same time the FW is blocking those outgoing messages. The FW locks down so even HTTP and anything else is restricted. I would love to trap this.

Quote

Besides these blocked access attempts, is there anything else out of the ordinary on your computer? Let's do one last scan for some trojans, all the same though.

Since getting rid of the original "Privacy Danger" and red screen, the pc is running well. Not sure is virus can stay hidden then replicate later - since some scans have caught issues in the System Volume/ restore area, with A0090997.xxx nomenclature. I am trying to do a better job of documenting.

thank you
ec

Sunday, February 17, 2008 4:46:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570059

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 81727
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:21:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Broderbund Software\Print\Party and Crafts Creator\PMUSERS.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\Firewall - Blocked Packets - 02-17-2008--10-16-07.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\FirewallService02-14-2008--22-53-23.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\Fw_Session.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\SafetyConsoleLog02-17-2008--10-16-03.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\ServiceModel02-17-2008--10-16-03.log Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Cheri\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped

C:\Documents and Settings\Cheri\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\temp\~DFCC21.tmp Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Cheri\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped

C:\Documents and Settings\Cheri\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Cheri\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\eddio\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\eddio\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\eddio\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\eddio\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped

C:\Documents and Settings\eddio\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Temp\fla67.tmp Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Temp\~DF7E85.tmp Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\eddio\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped

C:\Documents and Settings\eddio\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\eddio\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\CA\PPRT\logs\2008-02-14.csv Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7E078755-109B-4BB5-B05D-99796AD598CC}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\SYSTEM32\MsDtc\MSDTC.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\MsDtc\Trace\DTCTRACE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Attached Files

outgoing.doc 167.5K 4 downloads

Back to top

#20 OFFLINE __RiP_ChAiN_

Advanced Member

Members
476 posts

Gender:Male
Location:U.S.A
Interests:Take a guess...

Posted 20 February 2008 - 09:21 PM

Hello eddio,

There's a tool that another HJT expert here pointed out to me, that will pinpoint what applications are tryng to gain outgoing access to the internet. The program can be downloaded from here: http://www.x32dev.com/connected/ The program won't work for my operating system, so I have no way of testing it myself, but I'm sure it'll be pretty self explantory once you download it. Then simply wait for the next outgoing attempts.

Back to top

Next

Back to Spyware Hell