Help, please (Vundo, etc.)



bardolator
2007-02-12, 07:27
I began having problems a few days ago with lots of full-page popup ads and slowdowns. I'm running ZoneAlarm Security Suite, and I had a Winconger infection a few months ago. I ran AdAware when it appeared some things had gotten past ZoneAlarm, and it found the Vundo virus and removed one instance of it, but another file could not be removed. An online search led me to you (hurrah!). I ran the Vundo fix, then Combofix, then used Justin's (?) checklist to increase security on my machine (though I had to enable scripts again because I admin a couple message boards). I have SpySweeper, but have it disabled because I bought ZA later. I'm submitting this because I'm guessing there's more I haven't gotten rid of yet, and because I'm concerned about some of the things I've read on here about identity theft via trojans, etc.

Sorry for all that background; just wanted to tell you what I'd done so far. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:20 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Updater.exe
C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\rgdjsxok.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ssqoopo.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [C34A87A1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [C34A87A1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127528382562
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.sdhc.k12.fl.us/ClientDownloads/fcplugin.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Print Spooler Service (eeujbili) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Panda Online Scan
Incident Status Location

Virus:W32/Sdbot.JEE.worm Disinfected Operating system
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Doc\Application Data\tizupd.bin[OINSetup.exe]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Doc\Cookies\doc@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Doc\Cookies\doc@advertising[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Doc\Cookies\doc@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Doc\Cookies\doc@bluestreak[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Doc\Cookies\doc@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Doc\Cookies\doc@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Doc\Cookies\doc@drivecleaner[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Doc\Cookies\doc@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Doc\Cookies\doc@overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Doc\Cookies\doc@realmedia[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Doc\Cookies\doc@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Doc\Cookies\doc@stats1.reliablestats[2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Doc\Cookies\doc@systemdoctor[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Doc\Cookies\doc@trafficmp[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Doc\Cookies\doc@winantivirus[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Doc\Cookies\doc@www.drivecleaner[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Doc\Cookies\doc@www.systemdoctor[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Doc\Local Settings\Temp\Cookies\doc@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Doc\Local Settings\Temp\Cookies\doc@burstnet[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Doc\Local Settings\Temp\Cookies\doc@www.burstbeacon[2].txt
Adware:Adware/Trymedia Not disinfected C:\Downloads\WinBejSetup-dm[1].exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\sUBs\TSF\nircmd.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ahost.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\kbkvqelv.dll
Virus:Trj/Dropper.WF Disinfected C:\WINDOWS\system32\mbsg.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\mpwqbnhu.dll
Virus:W32/Oscarbot.KR.worm Disinfected C:\WINDOWS\system32\msnat.exe
Virus:W32/Nuwar.C.worm Disinfected C:\WINDOWS\system32\ntar.exe
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\perfkey.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\rfrxwbap.dll
Virus:Bck/Hacdef.GD Disinfected C:\WINDOWS\system32\rsmg.exe
Virus:Bck/Hacdef.GD Disinfected C:\WINDOWS\system32\rssb.exe


Do I need to post the ComboFix log, or is the above enough?

Thanks in advance! Hope I did this properly....
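The HijackThis log above is a flat list of `Oxx - ...` entries, and the thread's triage comes down to a few patterns in it: BHO registrations with "(no name)" and "(file missing)", services with "Unknown owner", a Run value named with random-looking hex, and one binary (rsbmsc.exe) registered under Run, RunServices and as a service at once. The following is an added example of parsing that format and applying those defender-side heuristics; it is not HijackThis's own logic and not code from anyone in this thread. The sample lines are copied from the log posted above (plus benign lines for contrast) so it runs offline, and the flagging rules are my own assumptions about what merits a second look, not verdicts.

```python
import re
from collections import defaultdict

# Sample input: a handful of entries copied from the HijackThis log posted
# above, with benign entries (Adobe, HP, ZoneAlarm) kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [C34A87A1] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [C34A87A1] C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: Print Spooler Service (eeujbili) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: HID Output Service (HODSrv) - Unknown owner - C:\WINDOWS\system32\hpsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# An entry line starts with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Autostart value names that are nothing but hex digits (heuristic, assumption).
HEX_NAME_RE = re.compile(r"^[0-9A-F]{6,}$")
# A drive-letter path ending in an executable extension; paths may contain spaces.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|bat))(?=["\s]|$)', re.IGNORECASE)
# "[name]" value name and its hive/key prefix in an O4 entry.
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\]")


def parse_log(text):
    """Return (section, body, line) for every entry line; header and process-list lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def extract_path(body):
    """Lower-cased executable path named in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else None


def triage(text):
    """Return [(line_or_path, reason)] for entries worth a second look."""
    findings = []
    locations = defaultdict(set)  # executable path -> autostart locations it appears in
    for section, body, line in parse_log(text):
        path = extract_path(body)
        if section == "O2" and "(no name)" in body and "(file missing)" in body:
            findings.append((line, "orphaned BHO: no name and no file on disk"))
        if section == "O23" and "Unknown owner" in body:
            findings.append((line, "service with no vendor string"))
            if path:
                locations[path].add("O23 Service")
        elif section == "O23" and path:
            locations[path].add("O23 Service")
        if section == "O4":
            m = O4_RE.match(body)
            if m:
                name = m.group("name")
                if HEX_NAME_RE.match(name):
                    findings.append((line, f"autostart value named like random hex: {name}"))
                if path:
                    locations[path].add("O4 " + m.group("hive"))
    # Correlation: one binary registered in several persistence locations at once.
    for path, locs in sorted(locations.items()):
        if len(locs) > 1:
            findings.append((path, "same binary in multiple autostart locations: " + ", ".join(sorted(locs))))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {item}")
```

On the sample this reports the orphaned jkhfc.dll BHO, both hex-named C34A87A1 values, both "Unknown owner" services, and rsbmsc.exe as registered in three places, while the Adobe, HP and Zone Labs entries pass untouched. Entries it flags are candidates for review, which is how the helper in this thread treats them too: confirm against a known-good reference before fixing anything.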

Rawe
2007-02-16, 19:17
Hello and welcome :)

Let's get started.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download AVG Anti-Spyware (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30-day trial of the program.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within AVG Anti-Spyware for one reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close AVG Anti-Spyware, DO NOT run a scan just yet, we will shortly.

--------

Please download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Open the extracted SDFix folder and double-click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC reboots the tool will run again and complete the removal process -- when it displays Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please post back with the results in your next reply.


-------

Now, please reboot back into Safe Mode and do the following:
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post back with the AVG Anti-Spyware results as well as the SDFix log. :bigthumb:

bardolator
2007-02-19, 16:01
Thanks. Do I need to disable my current anti-spyware/antivirus (ZoneAlarm) during the scan? If so, will this process require internet access during the scan?

Will do this this evening.

Rawe
2007-02-19, 20:06
Won't require any internet connections because you are doing the scans in Safe Mode, where there IS no connection available. You also don't need to disable anything. Simply go through all the instructions I gave step by step and post back with the logs when finished :)

bardolator
2007-02-22, 13:11
Hi. Sorry it took so long; had some other computer issues (my laptop adapter died).

Here we go:


SDFix: Version 1.67

Run by Administrator - Wed 02/21/2007 @ 11:22:39.00

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
eeujbili

Path:
"C:\WINDOWS\system32\hpsvc.exe"
C:\WINDOWS\system32\rsbmsc.exe /service

HODSrv Deleted
eeujbili Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\cjnr4r4574AFF4F.tmp - Deleted
C:\WINDOWS\system32\mlsdf8h1783399.exe - Deleted
C:\WINDOWS\Temp\nlkfev74A4FEDAE.tmp - Deleted
C:\WINDOWS\system32\sklrr7y9803493.exe - Deleted
C:\DOCUME~1\Doc\LOCALS~1\Temp\cjnr4r4574AFF4F.tmp - Deleted
C:\DOCUME~1\Doc\LOCALS~1\Temp\ICD1.tmp\jinstall.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted


Folder C:\DOCUME~1\Doc\LOCALS~1\Temp\ICD1.tmp - Removed

ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1144814413\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1144814413\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1144814413\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1144814413\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\kdx\\khost.exe"="C:\\WINDOWS\\kdx\\khost.exe:*:Enabled:Delivery Manager"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\WGRADE7.DLL
C:\WRI7.SYS
C:\WINDOWS\uccspecb.sys
C:\Documents and Settings\Doc\Application Data\Microsoft\Office\Shortcut Bar\Off10F.tmp
C:\Documents and Settings\Doc\Application Data\Microsoft\Office\Shortcut Bar\Off10Fh.tmp
C:\Documents and Settings\Doc\Application Data\Microsoft\Office\Shortcut Bar\Off10Fs.tmp
C:\Documents and Settings\Doc\Desktop\THE PIRATE QUEEN\Lyrics\~WRL0001.tmp
C:\Documents and Settings\Doc\Desktop\THE PIRATE QUEEN\Lyrics\~WRL0003.tmp
C:\Program Files\InterActual\InterActual Player\iti139.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\81830fade50434252c160da6e86e315c\BITA7.tmp

Add/Remove Programs List:

Ad-Aware SE Personal
AOL Uninstaller (Choose which Products to Remove)
ATI Display Driver
Auto Gordian Knot 2.27
AVG Anti-Spyware 7.5
AviSynth 2.5
Bejeweled Deluxe 1.862
Data Fax SoftModem with SmartCP
Conexant AC-Link Audio
Creative Removable Disk Manager
Crossword Weaver 7.0
CursorXP
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
Diablo II
DivX Content Uploader
DVD Decrypter (Remove Only)
EVEREST Home Edition v2.20
FileZilla (remove only)
GradeQuick
HijackThis 1.99.1
HP Deskjet 3840 Series
HP Imaging Device Functions 5.0
HP Pavillion zv6000 User Guides
HP Solution Center & Imaging Support Tools 5.0
StuffIt Standard
Texas Instruments PCIxx21/x515 drivers.
InterActual Player
iriverter 0.16
C-Dilla Licence Management System
Macromedia Authorware Web Player
MailFrontier Desktop
Microsoft .NET Framework 1.1
iRiver Updater
Microsoft Money 2005
NoteTab Light (Remove only)
Nvu 1.0
Panda ActiveScan
RealPlayer
Adobe Flash Player 9 ActiveX
Skype 2.0
Synaptics Pointing Device Driver
Creative System Information
TaxCut Deluxe 2005
Thief Gold
Trillian
Viewpoint Media Player
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
XviD MPEG4 Video Codec (remove only)
ZoneAlarm Security Suite
Zuma Deluxe 1.0
Microsoft Office 2000 SR-1 Professional
Microsoft Office 2000 SR-1 Disc 2
UserGuides
iriver Music Manager
Sonic Data Module
Destinations
ATI Control Panel
HP Software Update
AutoUpdate
Sonic MyDVD Plus
Creative MediaSource
Sonic Update Manager
TrayApp
J2SE Runtime Environment 5.0 Update 7
LS_HSI
StuffIt Standard
HP Wireless Assistant 1.01 A3
iTunes
QuickTime
muvee autoProducer 4.0 - SE
WebReg
Spy Sweeper
DeviceFunctionQFolder
Windows Genuine Advantage v1.3.0254.0
Sonic Express Labeler
eSupportQFolder
Battlefield 1942
HP Photosmart Essential
DivX Codec
DivX Player
ePenInstallation
InterVideo WinDVD
TIxx21
Apple Software Update
HP Help and Support
DeviceManagementQFolder
Sonic Audio Module
Adobe Reader 6.0.1
Sonic Copy Module
DivX Converter
HP Deskjet 3840
DivX Web Player
BufferChm
Microsoft .NET Framework 1.1
Quick Launch Buttons 5.10 B3
Paint Shop Pro 7
HpSdpAppCoreApp
Creative Zen Vision M
SolutionCenter
Status
Olympus Digital Wave Player

Finished


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:58:32 AM 2/22/2007

+ Scan result:



C:\WINDOWS\system32\rsbmsc.exe -> Backdoor.Agent.adt : Cleaned.
C:\Documents and Settings\Doc\Local Settings\Temp\Cookies\doc@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Doc\Local Settings\Temp\Cookies\doc@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Doc\Cookies\doc@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Ready for the next thing!

Rawe
2007-02-23, 20:06
Ok could you please post a fresh HijackThis log then :)

bardolator
2007-02-24, 00:53
Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 5:52:17 PM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Updater.exe
C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\rgdjsxok.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ssqoopo.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127528382562
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.sdhc.k12.fl.us/ClientDownloads/fcplugin.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Rawe
2007-02-24, 18:00
Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\rgdjsxok.dll (file missing)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ssqoopo.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

------

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

-------

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

bardolator
2007-02-26, 22:53
Please run a scan with HijackThis and check the following objects for removal

Done.

------


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
I did this, but got the following error:

Debug Assertion Failed!
Program: C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
File: c:\program files\microsoft visual studio .net 2003\vc7\atlmfc\include\atlfile.h
line: 188

Expression: m_h!=0

For information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts.

(Press Retry to debug the application)

I then got a message that ATF was done cleaning (and had freed over 700 megs of space).

Hit "Retry" in an attempt to debug but got an error message saying LightScribe needed to close (I wasn't aware it was running, actually). I don't know whether this is something you need to know or not; sorry if not.


If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

I use MSIE (I know, I know)...now what?

Here's the Panda report:

Incident Status Location

Potentially unwanted tool:Application/Processor Not Disinfected C:\Documents and Settings\Doc\Desktop\Security\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\sUBs\TSF\nircmd.exe

bardolator
2007-02-27, 07:03
By the way, one other issue. ZoneAlarm (I now have 7.0) and Trillian (which I use as a shell for AIM) apparently don't like each other. Occasionally, I'll get an apologetic error message telling me that "TrueVector" has had to close. This will kick me off AIM, but not offline. Do you have any idea whether my computer is more vulnerable to attack when that happens? The little ZA icon changes to a red box with a yellow X in it, leading me to believe my entire security suite is compromised...but when I go into the program and try to "lock" internet access until it comes back up, the padlock won't engage.

I know that at least the last part of this is something I probably have to take up with ZoneAlarm, but I'm wondering whether this is how the viruses, etc., got in; if so, maybe ZA isn't doing its job. :(

Sorry to add so much--and thanks again for the help.

Rawe
2007-02-27, 11:35
Let's check another very helpful log for analysing....

Please download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your desktop.
Close all applications and windows.
Double-click on comboscan.exe to run it -- follow the prompts.
The scan may take a minute. When the scan is complete, a text file will open (ComboScan.txt); please copy & paste all of its content here.
Extra note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags ComboScan as suspicious. Please allow ComboScan to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

bardolator
2007-02-28, 02:13
Here we go. I was advised to set System Restore to "off" until I'm sure everything is clean as a whistle, so no virus, etc., can reinstall from a bad restore point. Hope that's correct.

Splitting ComboScan due to length:

ComboScan v20070226.18 run by Doc on 2007-02-27 at 18:51:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis (run as Doc.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:52:17 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Updater.exe
C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Documents and Settings\Doc\Desktop\comboscan.exe
C:\HIJACK~1\Doc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144814413\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127528382562
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.sdhc.k12.fl.us/ClientDownloads/fcplugin.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) ------------------------------

backup-20070226-142905-176 O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ssqoopo.dll (file missing)
backup-20070226-142905-397 O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\rgdjsxok.dll (file missing)
backup-20070226-142905-479 O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
3R BCM43XX (Broadcom 802.11 Network Adapter Driver) - C:\WINDOWS\system32\drivers\BCMWL5.SYS
3S BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - D:\INSTAL~E\Core\BVRPMPR5.SYS (not found)
3S C-Dilla - C:\WINDOWS\system32\drivers\CDANT.SYS
3R CAMCAUD (Conexant AMC Audio) - C:\WINDOWS\system32\drivers\camc6aud.sys
3R CAMCHALA - C:\WINDOWS\system32\drivers\camc6hal.sys
3S Dot4 HPH09 - C:\WINDOWS\system32\drivers\hphid409.sys
3S Dot4Print HPH09 (Print Class Driver for IEEE-1284.4 HPH09) - C:\WINDOWS\system32\drivers\hphipr09.sys
3S Dot4Storage HPH09 (Storage Class Driver for IEEE-1284.4 (HPH09)) - C:\WINDOWS\system32\drivers\hphs2k09.sys
3S Dot4Usb HPH09 - C:\WINDOWS\system32\drivers\hphius09.sys
1R eabfiltr - C:\WINDOWS\system32\drivers\eabfiltr.sys
3S eabusb - C:\WINDOWS\system32\drivers\EabUsb.sys
3R GEARAspiWDM (GEAR CDRom Filter) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWATI - C:\WINDOWS\system32\drivers\HSFHWATI.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
0R IFP800 (iriver Internet Audio Player IFP-800) - C:\WINDOWS\system32\drivers\Ifp800.sys
0S kl1 - C:\WINDOWS\system32\Drivers\kl1.sys (not found)
3R KLIF - C:\WINDOWS\system32\drivers\klif.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S Rasirda (WAN Miniport (IrDA)) - C:\WINDOWS\system32\drivers\rasirda.sys
3R RTL8023xp (Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver) - C:\WINDOWS\system32\drivers\Rtlnicxp.sys
3R sdbus - C:\WINDOWS\system32\drivers\sdbus.sys
3S SMCIRDA (SMC IrCC Miniport Device Driver) - C:\WINDOWS\system32\drivers\smcirda.sys
3S sony_ssm.sys - C:\DOCUME~1\Doc\LOCALS~1\Temp\sony_ssm.sys (not found)
0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys
0R SSI - C:\WINDOWS\system32\drivers\ssi.sys
3R SynTP (Synaptics TouchPad Driver) - C:\WINDOWS\system32\drivers\SynTP.sys
3R tifm21 - C:\WINDOWS\system32\drivers\tifm21.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3S VNUSB (VN Series Device) - C:\WINDOWS\system32\drivers\VNUSB.sys
1R vsdatant - C:\WINDOWS\system32\vsdatant.sys
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
1R WmiAcpi (Microsoft Windows Management Interface for ACPI) - C:\WINDOWS\system32\drivers\wmiacpi.sys
3S WpdUsb - C:\WINDOWS\system32\drivers\wpdusb.sys
4S WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R C-DillaSrv - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
2R Creative Service for CDROM Access - C:\WINDOWS\system32\CTsvcCDA.exe
3R hpqwmi (HP WMI Interface) - C:\Program Files\HPQ\SHARED\HPQWMI.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3R iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
2R LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
3S Pml Driver - C:\WINDOWS\system32\HPHipm09.exe
2R svcWRSSSDK (Webroot Spy Sweeper Engine) - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
2R UserAccess7 (SecuROM User Access Service (V7)) - C:\WINDOWS\system32\UAService7.exe
2S vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

bardolator
2007-02-28, 02:13
ComboScan, continued:

-- Scheduled Tasks --------------------------------------------------------------

2007-02-25 22:22:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-01-15 02:00:00 860 --a------ C:\WINDOWS\Tasks\wrSpySweeper20051023210910.job<WRSPYS~1.JOB>


-- Files created between 2007-01-27 and 2007-02-27 ------------------------------

2007-02-21 11:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-02-21 11:19:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer<APPLEC~1>
2007-02-21 11:19:20 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-21 11:17:36 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-02-21 10:59:00 0 d-------- C:\SDFix
2007-02-21 10:48:16 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-21 10:48:14 0 d-------- C:\Program Files\Grisoft
2007-02-16 17:33:15 512 --a------ C:\ScanSectorLog.dat<SCANSE~1.DAT>
2007-02-15 15:28:04 0 d-------- C:\Documents and Settings\Doc\Application Data\MailFrontier<MAILFR~1>
2007-02-15 15:21:28 89120 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-02-15 15:21:28 4261408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-02-15 15:15:06 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-12 00:11:02 0 d-------- C:\HijackThis<HIJACK~1>
2007-02-11 23:06:15 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-02-11 22:47:51 603 --a------ C:\Combo.bat
2007-02-11 21:59:17 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-11 20:06:29 0 d-------- C:\Program Files\Total Video Converter<TOTALV~1>
2007-02-09 17:17:42 0 d-------- C:\Documents and Settings\Doc\Application Data\Lavasoft
2007-02-09 17:17:17 0 d-------- C:\Program Files\Lavasoft


-- Find3M Report ----------------------------------------------------------------

2007-02-27 10:30:36 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-26 23:59:32 0 d-------- C:\Program Files\Trillian
2007-02-26 15:21:12 0 d-------- C:\Program Files\Winamp
2007-02-26 15:17:43 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-26 15:14:36 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-02-26 15:13:47 0 d-------- C:\Program Files\iTunes
2007-02-26 15:10:40 0 d-------- C:\Program Files\CursorXP
2007-02-26 15:09:26 0 d-------- C:\Program Files\Common Files\LightScribe<LIGHTS~1>
2007-02-24 09:43:18 104 --a------ C:\WINDOWS\popcinfo.dat
2007-02-09 16:52:20 0 d-------- C:\Program Files\Audacity
2007-01-31 06:24:57 0 d-------- C:\Documents and Settings\Doc\Application Data\AdobeUM
2007-01-30 22:36:12 320 --a------ C:\Program Files\User.ini
2007-01-30 22:36:12 424 --a------ C:\Program Files\GQFileHistory.ini<GQFILE~1.INI>
2007-01-30 22:36:12 58 --a------ C:\Program Files\gq.ini
2007-01-16 17:05:00 0 d-------- C:\Program Files\iriver
2007-01-16 17:05:00 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-14 18:25:05 0 d-------- C:\Program Files\Hp
2007-01-14 18:25:05 0 d-------- C:\Program Files\Common Files\HP
2007-01-08 14:29:40 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2006-12-28 16:38:04 0 d-------- C:\Program Files\Google
2006-12-28 16:36:49 0 d-------- C:\Documents and Settings\Doc\Application Data\Kontiki
2006-12-28 14:53:05 0 d-------- C:\Documents and Settings\Doc\Application Data\Azureus
2006-12-28 14:49:51 0 d-------- C:\Program Files\Azureus


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"CursorXP"="C:\\Program Files\\CursorXP\\CursorXP.exe"
"Aim6"=""
"Creative Detector"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HPHmon03"="C:\\WINDOWS\\system32\\hphmon03.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"iRiver Updater"="\\Updater.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1144814413\\ee\\AOLSoftware.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7F5A2699-38CD-4B98-B193-5916D6566B01}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de296110-431c-11da-bea8-0014a51584fd}]
Shell\AutoRun\command E:\setupSNK.exe


-- End of ComboScan: finished at 2007-02-27 at 18:52:45 -------------------------
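The three O2 entries Rawe asked to have fixed share the same traits: no registered name, a "(file missing)" DLL, and a short random-looking filename dropped in system32. The registry dump in this ComboScan post also still shows one of those CLSIDs ({7F5A2699-...}) under ShellExecuteHooks, even though the cleaned HijackThis log no longer lists it as a BHO. The following Python triage helper is an added example for this thread; it is not code from HijackThis, ComboScan, or anyone posting here. It parses O2 lines and the ShellExecuteHooks block from text pasted into a forum post, flags the entries by those three traits, and reports which flagged CLSIDs are still hooked. The sample inputs are the lines from the logs above, embedded as constructed test data.

```python
"""Triage helper for HijackThis O2 (BHO) lines and a ComboScan registry dump.

Added example for this thread, not code from HijackThis, ComboScan, or any
poster. Sample inputs below are copied from the logs posted in the thread.
"""
import re

# Constructed sample: the three O2 lines Rawe asked to have fixed, plus two
# legitimate BHOs from the same HijackThis log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29AFBA10-AB2A-449F-B153-1797FA4D9539} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\rgdjsxok.dll (file missing)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\ssqoopo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
"""

# Constructed sample: the ShellExecuteHooks block from the ComboScan registry dump.
SAMPLE_REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7F5A2699-38CD-4B98-B193-5916D6566B01}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
HOOK_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\explorer\\shellexecutehooks\]$", re.I)
HOOK_VALUE_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"="(?P<data>.*)"$')


def parse_bho_entries(log_text):
    """Return one dict per O2 line: name, clsid (upper-cased), path, missing flag."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return entries


def bho_warnings(entry):
    """Reasons an O2 entry deserves a second look; an empty list means nothing odd."""
    reasons = []
    if entry["name"] == "(no name)":
        reasons.append("no registered name")
    if entry["missing"]:
        reasons.append("DLL no longer on disk")
    dll = entry["path"].rsplit("\\", 1)[-1].lower()
    # Short random lowercase .dll names straight in system32 were the pattern in
    # this thread (jkhfc.dll, rgdjsxok.dll, ssqoopo.dll); this is a heuristic only.
    if "\\system32\\" in entry["path"].lower() and re.fullmatch(r"[a-z]{5,8}\.dll", dll):
        reasons.append("random-looking name in system32")
    return reasons


def parse_shell_execute_hooks(reg_text):
    """Map CLSID -> value data for the HKLM ShellExecuteHooks key in a registry dump."""
    hooks = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = bool(HOOK_KEY_RE.match(line))
            continue
        if in_key:
            m = HOOK_VALUE_RE.match(line)
            if m:
                hooks[m.group("clsid").upper()] = m.group("data")
    return hooks


def triage(log_text, reg_text):
    """Flag odd BHOs and cross-check their CLSIDs against ShellExecuteHooks."""
    hooks = parse_shell_execute_hooks(reg_text)
    flagged = {e["clsid"]: bho_warnings(e) for e in parse_bho_entries(log_text)}
    flagged = {c: r for c, r in flagged.items() if r}
    # A flagged CLSID still present under ShellExecuteHooks after the BHO entry was
    # fixed (as with {7F5A2699-...} in this thread) is a leftover worth reporting.
    leftover = sorted(c for c in flagged if c in hooks)
    return {"flagged": flagged, "hooks": hooks, "leftover_hooks": leftover}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG, SAMPLE_REG_DUMP)
    for clsid, reasons in result["flagged"].items():
        print(clsid, "->", "; ".join(reasons))
    print("still in ShellExecuteHooks:", result["leftover_hooks"])
```

Run it on the pasted text of a HijackThis log and a ComboScan registry dump; the "leftover_hooks" list is the part worth acting on, because a ShellExecuteHooks entry is a separate load point from the BHO entry and removing the O2 line alone does not clear it.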

bardolator
2007-02-28, 02:16
Ugh; splitting the supplementary material as well:

ComboScan v20070226.18 run by Doc on 2007-02-27 at 18:51:00
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3200+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1022.48 MiB / 618.38 MiB
Pagefile Memory (total/avail): 2459.51 MiB / 2171.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1996.31 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 27.38 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.302.000 (Check Point, LTD.) Disabled
AV: ZoneAlarm Security Suite Antivirus v7.0.302.000 (Check Point, LTD.) Disabled


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Doc\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GRANIA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Doc
LOGONSERVER=\\GRANIA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_07\lib\ext\QTJava.zip
SDL_VIDEODRIVER=directx
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Doc\LOCALS~1\Temp
TMP=C:\DOCUME~1\Doc\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=GRANIA
USERNAME=Doc
USERPROFILE=C:\Documents and Settings\Doc
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ----------------------------------------------------------------

Doc (admin)
Administrator (admin)

bardolator
2007-02-28, 02:17
Supplementary stuff, continued:

-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Auto Gordian Knot 2.27 --> C:\Program Files\AutoGK\uninst.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Battlefield 1942 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Bejeweled Deluxe 1.862 --> C:\Program Files\PopCap Games\Bejeweled Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled Deluxe\Install.log"
C-Dilla Licence Management System --> C:\C_DILLA\setup\cdunin16.exe
Conexant AC-Link Audio --> CIAunwdm.exe
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Vision M --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}\SETUP.EXE" -l0x9 /remove
CursorXP --> C:\Program Files\CursorXP\CurXPUtil.exe -u
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3085103C\HXFSETUP.EXE -U -Icpl30855.inf
dBpowerAMP Mp4 Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
ePenInstallation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9156A46A-0F75-4D72-AF75-206BB82D0990}\setup.exe" -l0x9
EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
GradeQuick --> C:\WINDOWS\uninst.exe -f"c:\program files\DeIsL1.isu" -c"c:\program files\_ISREG32.DLL"
HijackThis 1.99.1 --> C:\HijackThis\HijackThis.exe /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Deskjet 3840 --> msiexec /x{B1591C79-1C35-4E09-AA15-F7D6923AFB96}
HP Deskjet 3840 Series --> rundll32 hpzcon10.dll,VendorJettison HP Deskjet 3840 Series
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Pavillion zv6000 User Guides --> C:\PROGRA~1\HPQ\UNWISE.EXE C:\PROGRA~1\HPQ\INSTALL.LOG
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
hp photosmart printer series (Remove only) --> C:\Program Files\hp photosmart\printer\hphuni03.exe
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Wireless Assistant 1.01 A3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
iriverter 0.16 --> C:\Program Files\iriverter\uninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Macromedia Authorware Web Player --> C:\WINDOWS\system32\Macromed\AUTHORWA\UNWISE.EXE C:\WINDOWS\system32\Macromed\AUTHORWA\Install.log
MailFrontier Desktop --> C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\UNWISE.EXE C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\INSTMLF.LOG
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
muvee autoProducer 4.0 - SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe" -l0x9
NoteTab Light (Remove only) --> "C:\Program Files\NoteTab Light\unins000.exe"
Nvu 1.0 --> "C:\Program Files\Nvu\unins000.exe"
Olympus Digital Wave Player --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB91E774-867B-4567-ACE7-8144EF036068}\Setup.exe" -l0x9
Paint Shop Pro 7 --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pixie 3.1 (remove only) --> "C:\Program Files\Nattyware\Pixie\uninstall.exe"
Quick Launch Buttons 5.10 B3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Skype 2.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
StuffIt Standard --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{40ABF1E0-8B6F-4D32-B343-E19FA2F04B3C}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TaxCut Deluxe 2005 --> C:\PROGRA~1\TaxCut05\Program\removetc.exe
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{96C0E73B-8813-4F4A-9EA1-D407C27AA1A1} /l1033
Thief Gold --> C:\WINDOWS\IsUninst.exe -fC:\games\ThiefG\thiefalphaIIu.log
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
UserGuides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02E22217-0E96-4C3F-B831-83AA942B7715}\setup.exe" -l0x9
VideoLAN VLC media player 0.8.4a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG4 Video Codec (remove only) --> "C:\WINDOWS\system32\xvid-uninstall.exe"
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"


-- End of ComboScan: finished at 2007-02-27 at 18:52:45 -------------------------

Rawe
2007-02-28, 12:42
Have you tried uninstalling then reinstalling ZoneAlarm at any point?

The malware infection you had might have done something to it.

I need some more logs :)
Open HiJackThis
Click on the tab "Misc Tools"
Click on "Open ADS Spy.."
Click on "Scan"
Click on "Save Log..."
Copy and paste the list from the notebook onto your post.

Then let's have a check with BlackLight, just in case.

Download and save Blacklight (https://europe.f-secure.com/blacklight/try.shtml) to your desktop:
Double-click blbeta.exe.
Accept the agreement.
Click Scan.
Click Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply along with the ADS scan log from HijackThis. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.
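
Added example, not from the thread or from HijackThis: the check ADS Spy performs (listing NTFS alternate data streams) can also be done from Windows PowerShell 3.0 or later, which is handy when the tool's window comes back empty or when you want the listing for a folder other than the ones it covers. The scanned directory, the list of benign stream names and the size threshold are assumptions for illustration; as in the post, the output is for review only, not for deleting or renaming anything.

```powershell
# Added example (not part of the thread or of HijackThis/ADS Spy): enumerate
# NTFS alternate data streams under a directory and flag the unusual ones.
# Assumes Windows PowerShell 3.0 or later (Get-Item -Stream) on an NTFS volume.
function Get-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are expected and normally benign (assumed list).
        # Zone.Identifier is the mark Windows puts on downloaded files.
        [string[]] $KnownBenign = @('Zone.Identifier'),
        # Heuristic only: an unfamiliar stream big enough to hold an executable
        # is the case ADS Spy exists to surface. Small ones are usually metadata.
        [int] $MinSuspiciousBytes = 4096
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ':$DATA' is the file's main content, not an alternate stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Bytes      = $_.Length
                Suspicious = ($KnownBenign -notcontains $_.Stream) -and
                             ($_.Length -ge $MinSuspiciousBytes)
            }
        }
}

# Report: every stream found first (this is what ADS Spy's log shows),
# then only the ones worth a closer look. The path is an assumption.
$results = Get-SuspiciousAds -Path 'C:\WINDOWS'
$results | Sort-Object Bytes -Descending | Format-Table -AutoSize
$results | Where-Object Suspicious | Select-Object File, Stream, Bytes
```

A stream listed here is not malicious by itself; legitimate software and Explorer itself write streams, which is exactly why the post asks to see the log before renaming anything.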

bardolator
2007-02-28, 15:29
I need some more logs :)
Open HiJackThis
Click on the tab "Misc Tools"
Click on "Open ADS Spy.."
Click on "Scan"
Click on "Save Log..."
Copy and paste the list from the notebook onto your post.
I did this, but nothing came up in the window. I got a "scan complete" a split second after clicking "scan." Just to be sure, I added the "calculate checksum" option and did it again, with the same (lack of) results.

I recently upgraded to ZA 7; guess I'll have to download again.

Then let's have a check with BlackLight, just in case.


Download and save Blacklight (https://europe.f-secure.com/blacklight/try.shtml) to your desktop:
Double-click blbeta.exe.
Accept the agreement.
Click Scan.
Click Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply along with the ADS scan log from HijackThis. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there.
02/28/07 08:17:33 [Info]: BlackLight Engine 1.0.55 initialized
02/28/07 08:17:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/28/07 08:17:33 [Note]: 7019 4
02/28/07 08:17:33 [Note]: 7005 0
02/28/07 08:17:34 [Note]: 7006 0
02/28/07 08:17:37 [Note]: 7011 1712
02/28/07 08:17:37 [Note]: 7026 0
02/28/07 08:17:37 [Note]: 7026 0
02/28/07 08:17:46 [Note]: FSRAW library version 1.7.1021
02/28/07 08:28:32 [Note]: 2000 1012
02/28/07 08:28:32 [Note]: 2000 1012
02/28/07 08:28:32 [Note]: 7007 0

Rawe
2007-02-28, 20:10
Well, I don't see any definite baddies there anymore.

Let's see the following...

Surf here: http://virustotal.com

In the blank field next to the "Browse" button, paste the following filepath and hit "Send File". Wait for the scanners to finish and copy & paste the results here:

C:\WINDOWS\popcinfo.dat

Then, do the same step for each of the following (one at a time):

C:\Program Files\WGRADE7.DLL
C:\WRI7.SYS
C:\WINDOWS\uccspecb.sys

Post back with the filescan results. :)

bardolator
2007-03-01, 04:06
C:\WINDOWS\popcinfo.dat

STATUS: FINISHED
Complete scanning result of "popcinfo.dat", received in VirusTotal at 03.01.2007, 02:36:41 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.38 02.28.2007 no virus found
Authentium 4.93.8 02.28.2007 no virus found
Avast 4.7.936.0 02.28.2007 no virus found
AVG 7.5.0.447 02.28.2007 no virus found
BitDefender 7.2 03.01.2007 no virus found
CAT-QuickHeal 9.00 02.28.2007 no virus found
ClamAV devel-20060426 03.01.2007 no virus found
DrWeb 4.33 02.28.2007 no virus found
eSafe 7.0.14.0 02.28.2007 no virus found
eTrust-Vet 30.6.3443 02.28.2007 no virus found
Ewido 4.0 02.28.2007 no virus found
FileAdvisor 1 03.01.2007 no virus found
Fortinet 2.85.0.0 02.28.2007 no virus found
F-Prot 4.3.1.45 02.28.2007 no virus found
F-Secure 6.70.13030.0 02.28.2007 no virus found
Ikarus T3.1.1.3 02.28.2007 no virus found
Kaspersky 4.0.2.24 03.01.2007 no virus found
McAfee 4973 02.28.2007 no virus found
Microsoft 1.2204 02.28.2007 no virus found
NOD32v2 2085 02.28.2007 no virus found
Norman 5.80.02 02.28.2007 no virus found
Panda 9.0.0.4 02.28.2007 no virus found
Prevx1 V2 03.01.2007 no virus found
Sophos 4.14.0 03.01.2007 no virus found
Sunbelt 2.2.907.0 03.01.2007 no virus found
Symantec 10 03.01.2007 no virus found
TheHacker 6.1.6.065 02.26.2007 no virus found
UNA 1.83 02.28.2007 no virus found
VBA32 3.11.2 02.28.2007 no virus found
VirusBuster 4.3.19:9 02.28.2007 no virus found


Aditional Information
File size: 104 bytes
MD5: 8eed9f4054bb8264a97938909726a08d
SHA1: 6f2acb939f57022958686f17a07b1943fdde924c

C:\Program Files\WGRADE7.DLL
STATUS: FINISHED
Complete scanning result of "WGRADE7.DLL", received in VirusTotal at 03.01.2007, 02:43:56 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.38 02.28.2007 no virus found
Authentium 4.93.8 02.28.2007 no virus found
Avast 4.7.936.0 02.28.2007 no virus found
AVG 7.5.0.447 02.28.2007 no virus found
BitDefender 7.2 03.01.2007 no virus found
CAT-QuickHeal 9.00 02.28.2007 no virus found
ClamAV devel-20060426 03.01.2007 no virus found
DrWeb 4.33 02.28.2007 no virus found
eSafe 7.0.14.0 02.28.2007 no virus found
eTrust-Vet 30.6.3443 02.28.2007 no virus found
Ewido 4.0 02.28.2007 no virus found
FileAdvisor 1 03.01.2007 no virus found
Fortinet 2.85.0.0 02.28.2007 no virus found
F-Prot 4.3.1.45 02.28.2007 no virus found
F-Secure 6.70.13030.0 02.28.2007 no virus found
Ikarus T3.1.1.3 02.28.2007 no virus found
Kaspersky 4.0.2.24 03.01.2007 no virus found
McAfee 4973 02.28.2007 no virus found
Microsoft 1.2204 02.28.2007 no virus found
NOD32v2 2085 02.28.2007 no virus found
Norman 5.80.02 02.28.2007 no virus found
Panda 9.0.0.4 02.28.2007 no virus found
Prevx1 V2 03.01.2007 no virus found
Sophos 4.14.0 03.01.2007 no virus found
Sunbelt 2.2.907.0 03.01.2007 no virus found
Symantec 10 03.01.2007 no virus found
TheHacker 6.1.6.065 02.26.2007 no virus found
UNA 1.83 02.28.2007 no virus found
VBA32 3.11.2 02.28.2007 no virus found
VirusBuster 4.3.19:9 02.28.2007 no virus found


Aditional Information

C:\WRI7.SYS
STATUS: FINISHED
Complete scanning result of "WRI7.SYS", received in VirusTotal at 03.01.2007, 02:51:01 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.38 02.28.2007 no virus found
Authentium 4.93.8 02.28.2007 no virus found
Avast 4.7.936.0 02.28.2007 no virus found
AVG 7.5.0.447 02.28.2007 no virus found
BitDefender 7.2 03.01.2007 no virus found
CAT-QuickHeal 9.00 02.28.2007 no virus found
ClamAV devel-20060426 03.01.2007 no virus found
DrWeb 4.33 02.28.2007 no virus found
eSafe 7.0.14.0 02.28.2007 no virus found
eTrust-Vet 30.6.3443 02.28.2007 no virus found
Ewido 4.0 02.28.2007 no virus found
FileAdvisor 1 03.01.2007 no virus found
Fortinet 2.85.0.0 02.28.2007 no virus found
F-Prot 4.3.1.45 02.28.2007 no virus found
F-Secure 6.70.13030.0 02.28.2007 no virus found
Ikarus T3.1.1.3 02.28.2007 no virus found
Kaspersky 4.0.2.24 03.01.2007 no virus found
McAfee 4973 02.28.2007 no virus found
Microsoft 1.2204 02.28.2007 no virus found
NOD32v2 2085 02.28.2007 no virus found
Norman 5.80.02 02.28.2007 no virus found
Panda 9.0.0.4 02.28.2007 no virus found
Prevx1 V2 03.01.2007 no virus found
Sophos 4.14.0 03.01.2007 no virus found
Sunbelt 2.2.907.0 03.01.2007 no virus found
Symantec 10 03.01.2007 no virus found
TheHacker 6.1.6.065 02.26.2007 no virus found
UNA 1.83 02.28.2007 no virus found
VBA32 3.11.2 02.28.2007 no virus found
VirusBuster 4.3.19:9 02.28.2007 no virus found


Aditional Information
File size: 25 bytes
MD5: 818422dbf6963be770c6be739ea1859c
SHA1: ee9e1b03438e3fef2a3b669cac8442c07e24cf7f

C:\WINDOWS\uccspecb.sys
STATUS: FINISHED
Complete scanning result of "uccspecb.sys", received in VirusTotal at 03.01.2007, 03:01:16 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.38 02.28.2007 no virus found
Authentium 4.93.8 02.28.2007 no virus found
Avast 4.7.936.0 02.28.2007 no virus found
AVG 7.5.0.447 02.28.2007 no virus found
BitDefender 7.2 03.01.2007 no virus found
CAT-QuickHeal 9.00 02.28.2007 no virus found
ClamAV devel-20060426 03.01.2007 no virus found
DrWeb 4.33 02.28.2007 no virus found
eSafe 7.0.14.0 02.28.2007 no virus found
eTrust-Vet 30.6.3443 02.28.2007 no virus found
Ewido 4.0 02.28.2007 no virus found
FileAdvisor 1 03.01.2007 no virus found
Fortinet 2.85.0.0 02.28.2007 no virus found
F-Prot 4.3.1.45 02.28.2007 no virus found
F-Secure 6.70.13030.0 02.28.2007 no virus found
Ikarus T3.1.1.3 02.28.2007 no virus found
Kaspersky 4.0.2.24 03.01.2007 no virus found
McAfee 4973 02.28.2007 no virus found
Microsoft 1.2204 02.28.2007 no virus found
NOD32v2 2085 02.28.2007 no virus found
Norman 5.80.02 02.28.2007 no virus found
Panda 9.0.0.4 02.28.2007 no virus found
Prevx1 V2 03.01.2007 no virus found
Sophos 4.14.0 03.01.2007 no virus found
Sunbelt 2.2.907.0 03.01.2007 no virus found
Symantec 10 03.01.2007 no virus found
TheHacker 6.1.6.065 02.26.2007 no virus found
UNA 1.83 02.28.2007 no virus found
VBA32 3.11.2 02.28.2007 no virus found
VirusBuster 4.3.19:9 02.28.2007 no virus found


Aditional Information
File size: 4 bytes
MD5: 7d4f6d5d207c9a1a4958bc74f0ed565c

Rawe
2007-03-01, 16:28
Please navigate to, and delete the following file:

C:\WINDOWS\uccspecb.sys

Empty recycle bin.

------

Please go to UploadMalware (http://www.uploadmalware.com/) to upload some files for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Paste the following 2 filepaths in to 2 boxes:
C:\Program Files\WGRADE7.DLL
C:\WRI7.SYS
In the comments, please mention that I asked you to upload these files.
Click on Send File.


-------

Let me know when you have done this and also please describe all your current issues with the PC.... :)

bardolator
2007-03-02, 01:00
Removed the one file and uploaded the others, as requested.

Issues...let's see. Well, my computer has slowed down some, but that's to be expected until I get my external drive up and running again (incidentally, do I need to look for anything in particular, virus-wise, on the hard drive? I haven't used it in months--since well before this Vundo infestation--and I think it's all documents, graphics, and media files...but I know that those can hide baddies as well).

As I mentioned before, I have some problems with ZoneAlarm crashing occasionally.

One weird thing: sometimes, if my laptop has been in hibernation and I bring it back out, it appears to have gone online but it refuses to load anything. I don't know how I discovered this, but if I open another program and then reload the page, the page will usually load. It's as though my computer has to be "distracted" by another process or program so that MIE will function properly, or something. It's very odd.

I've been thinking of switching to Firefox; would you recommend this? I've heard it's much more stable than MIE, but I've also heard there are some issues with it. In addition to general websurfing, I do email and a lot of work on several forums, two of which I admin. I backup the database on those two forums; is there any chance those files could have become corrupted due to the problems on my computer? Also, is it likely I may have transferred malware via file transfers (usually Word documents to my school computer)?

Thanks so much for your continued help!

bardolator
2007-03-02, 13:10
Also: I still have the programs you had me install on my computer. I know that running two versions of a program (particularly anti-spyware) can cause problems, but I don't want to take anything off until I know my machine is clean. Suggestions for what to do with ZoneAlarm? I have over a year left on my license, but if there's a better program for one thing or the other, I suppose I could always disable that part of the security suite.

bardolator
2007-03-02, 16:50
I wish I could edit my posts; it's embarrassing to keep adding things. :sad:

Just read this:

If you see such as this:
"To play the video you have to install the latest Codec" Stop.... be aware, don't start clicking your way to infection.
I'm fairly certain I did this before all the Vundo mess started. :red: Don't know whether that's new info you need or not.

Rawe
2007-03-02, 19:44
Well, your earlier malware infestation might have conflicted with ZoneAlarm; you should really try uninstalling and then reinstalling it and see if the problem still continues. Or maybe ZoneAlarm has a 'Repair' option instead of uninstalling and reinstalling; it might have corrupted a file or something.

As for the browser issue, I do recommend switching to Firefox. Sure, you can troubleshoot with IE 7 too, but Firefox is better and most likely it won't have the same issues. :) Most important is that you use the browser you like the most.

And the other hard drive, well, if you do use it, regular checkups are always recommended too. I don't think your Word documents or forum backups would get corrupted by the malware but of course there's always a risk; you could back the forums up again.


I still have the programs you had me install on my computer. I know that running two versions of a program (particularly anti-spyware) can cause problems, but I don't want to take anything off until I know my machine is clean.
Well, you should use 1 active firewall, 1 active anti-virus, and one or two active anti-spyware protections (most of the common anti-spyware programs do not interfere with each other or with the antivirus/firewall apps).

For example, I currently have SpySweeper with active shields, SpyBot with immunization, anti-virus/firewall as well as SpywareBlaster. I don't like to keep active shields with many programs at the same time. Using TeaTimer MIGHT get confusing as I have SpySweeper with active shields.

------

You should also update Java.....
Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
It should have this icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.

Now please install the Java Runtime Environment (JRE) 6 manually.
Remember to reboot the computer after updating:

http://java.sun.com/javase/downloads/index.jsp (http://java.sun.com/javase/downloads/index.jsp)

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Rawe
2007-03-02, 19:56
Also those issues might well be because of your ZoneAlarm if it is version 7.

For example, you can read the user reviews here.

http://reviews.cnet.com/ZoneAlarm_Internet_Security_Suite_7/4864-3667_7-32309439.html?messageSiteID=7&messageID=2374627&cval=2374627&ctype=msgid

Looks like crashes are popular around the app. If you are able to, you could revert to v. 6.5.

bardolator
2007-03-05, 12:53
The Java installer site is down for maintenance. ;-) Will install, run one final sweep, and post here when I have (didn't hear back after I did the malware upload; I guess that means it looks okay?).

Rawe
2007-03-07, 15:48
Let me know about your issues; have you taken a look at ZoneAlarm?

Java site is up. It does seem your logs are clean of malware. :)

tashi
2007-03-20, 22:30
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you Rawe.