Explorer.exe does not run on startup, but will boot to safe mode.



Smitherd
2007-12-18, 20:55
This PC suddenly stopped loading Explorer on normal startup, but it will run it fine in Safe Mode. It is listed in the Startup panel, but it does not run.

I ran SB:S&D and removed several malware programs, as well as Smitfraud.C and Virtumonde, and it still does not work.

I'm pretty knowledgeable with PCs and Macs both, but this is currently beyond me. Any help is appreciated.

EMachines T3958 - Celeron D 340 processor - 80gb hard drive - 512mb of RAM. Windows XP Home installed.

Rorschach112
2007-12-19, 11:55
Hello

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Smitherd
2007-12-19, 16:52
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.93GHz
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 502.73 MiB / 239.73 MiB
Pagefile Memory (total/avail): 1227.29 MiB / 1013.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.42 MiB

C: is Fixed (NTFS) - 70.94 GiB total, 63.68 GiB free.
D: is Fixed (FAT32) - 3.59 GiB total, 1.63 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHA0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 70.94 GiB - C:
\PARTITION1 - Unknown - 3.59 GiB - D:

\\.\PHYSICALDRIVE1 - USB Flash Memory USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 243.98 MiB - J:

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE5 - eM Bay Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-177D7829E7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-177D7829E7
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-177D7829E7
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2x1/4x1 USB Peripheral Switch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3752427-9AAA-4B1C-B428-01723E0E9FFA}\SETUP.EXE"
Abacast Client --> C:\PROGRA~1\Abacast\UNWISE.EXE C:\PROGRA~1\Abacast\client.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Dell Printer Software Uninstall --> C:\Program Files\Dell_HostCD\Install\Uninstall.exe
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hammond Atlas of the World --> C:\WINDOWS\IsUninst.exe -fC:\Hammond\Uninst.isu
HijackThis 2.0.2 --> "C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.exe" /uninstall
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2) --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
oobeFlagNetscape0 --> MsiExec.exe /X{D95877BE-0165-42EC-B558-727F9F41372C}
PC Study Bible (remove only) --> C:\Program Files\Common Files\pcsbclean.exe /uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
School of Tomorrow Management System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD31B272-1842-4671-9FB7-6DB04571B7F1}\setup.exe" -l0x9 -removeonly
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
WBDS --> C:\WINDOWS\uninst.exe -f"C:\Program Files\School of Tomorrow\WBDS\DeIsL2.isu" -cC:\PROGRA~1\SCHOOL~1\WBDS\_ISREG32.DLL
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\Framework\wxfw.cpl,4
WinAble --> "C:\Program Files\WinAble\winable.exe" -uninstall
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinTouch --> C:\Documents and Settings\Owner\Application Data\WinTouch\WTUninstaller.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type277989 / Error
Event Submitted/Written: 12/19/2007 09:47:22 AM
Event ID/Source: 413 / ESENT
Event Description:
wuauclt (2244) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1022.

Event Record #/Type277988 / Error
Event Submitted/Written: 12/19/2007 09:47:22 AM
Event ID/Source: 486 / ESENT
Event Description:
wuauclt (2244) An attempt to move the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" to "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb00039.log" failed with system error 183 (0x000000b7): "Cannot create a file when that file already exists. ". The move file operation will fail with error -1022 (0xfffffc02).

Event Record #/Type277984 / Error
Event Submitted/Written: 12/19/2007 09:47:22 AM
Event ID/Source: 413 / ESENT
Event Description:
wuauclt (2076) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1022.

Event Record #/Type277983 / Error
Event Submitted/Written: 12/19/2007 09:47:22 AM
Event ID/Source: 486 / ESENT
Event Description:
wuauclt (2076) An attempt to move the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" to "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb00039.log" failed with system error 183 (0x000000b7): "Cannot create a file when that file already exists. ". The move file operation will fail with error -1022 (0xfffffc02).

Event Record #/Type277979 / Error
Event Submitted/Written: 12/19/2007 09:47:21 AM
Event ID/Source: 413 / ESENT
Event Description:
wuauclt (1368) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1022.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7869 / Error
Event Submitted/Written: 12/19/2007 09:46:15 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
abp480n5
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
amsint
asc
asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Event Record #/Type7847 / Error
Event Submitted/Written: 12/19/2007 09:42:56 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
abp480n5
adpu160m
agp440
agpCPQ
Aha154x
aic78u2
aic78xx
AliIde
alim1541
amdagp
amsint
asc
asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Event Record #/Type7843 / Error
Event Submitted/Written: 12/18/2007 02:10:57 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type7842 / Error
Event Submitted/Written: 12/18/2007 02:07:51 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type7841 / Error
Event Submitted/Written: 12/18/2007 02:06:14 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2007-12-19 09:49:33 ------------

Smitherd
2007-12-19, 16:55
Deckard's System Scanner v20071014.68
Run by Owner on 20071219 09:46:15
Computer in Normal Mode.
--------------------

-- System Restore --

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-12-19 14:46:17 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:20 AM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\Cyb2k.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\TEMP\winlogan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\QdrPack\QdrPack10.exe
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\mnthgt.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\dss.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winsto.exe
C:\WINDOWS\b103.exe
C:\DOCUME~1\Owner\MYDOCU~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10/100:1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2608807E-ACA9-4C43-868E-12C6DE7321FB} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)
O2 - BHO: (no name) - {44D3BCE6-5DCD-4B8C-9BAD-29166C6EE499} - C:\Program Files\Messenger\meqobaj4444.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O2 - BHO: (no name) - {C6F1D1B2-8AA0-4CFB-9C17-6D9BD3438FB3} - C:\Program Files\Messenger\meqobaj83122.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\ddcaxww.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\Owner\LOCALS~1\Temp\winsto.exe
O4 - HKCU\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\mnthgt.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\RunServices: [explorer] C:\WINDOWS\explorer.exe
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Rescue System] C:\WINDOWS\TEMP\winsto.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://aceweb.schooloftomorrow.com/store/downloads/setup.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O20 - Winlogon Notify: ddcaxww - C:\WINDOWS\SYSTEM32\ddcaxww.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtelejidib.html

--
End of file - 7942 bytes

-- File Associations --

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --

R0 Afj51 - c:\windows\system32\drivers\afj51.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Not Verified; America Online, Inc.; Wan Miniport (ATW)>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --

All services whitelisted.


-- Device Manager: Disabled --

No disabled devices found.


-- Scheduled Tasks --

2007-12-12 09:00:00 386 --a------ C:\WINDOWS\Tasks\rpc.job
2005-09-20 13:41:33 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job


-- Files created between 2007-11-19 and 2007-12-19 --

2007-12-18 13:56:45 21760 --a------ C:\WINDOWS\Afj51.sys
2007-12-18 12:23:04 0 d-------- C:\Program Files\WinAble
2007-12-18 12:23:04 0 d-------- C:\Program Files\Temporary
2007-12-18 12:18:06 0 d-------- C:\Documents and Settings\Owner\Application Data\WinTouch
2007-12-18 12:18:04 0 d-------- C:\Program Files\InetGet2
2007-12-18 09:55:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-12-18 09:54:43 21760 --a------ C:\WINDOWS\system32\drivers\Afj51.sys
2007-12-18 09:54:14 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-12-18 09:54:12 20480 --a------ C:\WINDOWS\system32\update241.exe
2007-12-18 09:54:05 59904 --a------ C:\WINDOWS\system32\update288.exe
2007-12-18 09:53:43 17408 --a------ C:\WINDOWS\system32\update228.exe
2007-12-18 09:53:05 0 d-------- C:\Program Files\Helper
2007-12-18 09:51:56 54218 --a------ C:\WINDOWS\system32\xpdx.sys
2007-12-18 09:51:19 58368 --a------ C:\WINDOWS\system32\update266.exe
2007-12-18 09:49:57 10000 --a------ C:\WINDOWS\system32\Frjkfl4g.dll
2007-12-18 09:49:33 36651 --ah----- C:\wsusupd.exe
2007-12-18 09:49:30 36651 --a------ C:\WINDOWS\system32\update275.exe
2007-12-18 09:49:26 10000 --a------ C:\WINDOWS\system32\Lfj95jg.dll
2007-12-18 09:48:56 6144 --a------ C:\WINDOWS\ieupdr.exe
2007-12-18 09:48:43 6144 -----n--- C:\WINDOWS\system32\_svchost.exe
2007-12-18 09:48:43 6144 --a------ C:\Documents and Settings\Owner\ie_updates3r.exe
2007-12-18 09:25:10 6797 --ahs---- C:\WINDOWS\system32\jlnmp.ini2
2007-12-18 09:25:03 332896 --a------ C:\WINDOWS\system32\pmnlj.dll
2007-12-18 09:23:29 0 d-------- C:\Program Files\QdrPack
2007-12-18 09:23:29 0 d-------- C:\Program Files\QdrDrive
2007-12-18 09:23:28 0 d-------- C:\Program Files\ISM
2007-12-18 09:20:19 39936 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-12-18 09:20:18 135168 --a------ C:\WINDOWS\tk58.exe
2007-12-18 09:20:16 169147 --a------ C:\WINDOWS\TTC-4444.exe
2007-12-18 09:20:13 39936 --a------ C:\WINDOWS\mrofinu572.exe
2007-12-18 09:20:08 0 d--hs---- C:\WINDOWS\IA
2007-12-18 09:20:05 171520 --a------ C:\WINDOWS\system32\gygrhbr.dll
2007-12-18 09:20:01 0 d-------- C:\WINDOWS\system32\shel9
2007-12-18 09:20:01 0 d-------- C:\WINDOWS\system32\oc9
2007-12-18 09:20:01 0 d-------- C:\WINDOWS\system32\ex1
2007-12-18 09:20:01 0 d-------- C:\WINDOWS\system32\abc2
2007-12-18 09:19:55 40448 --a------ C:\WINDOWS\system32\ddcaxww.dll
2007-12-18 09:19:54 0 d-------- C:\WINDOWS\system32\ineWc01
2007-12-04 09:42:40 299008 --a------ C:\WINDOWS\b148.exe


-- Find3M Report --
2007-12-18 12:19:48 10 --a------ C:\Program Files\.autoreg
2007-12-18 10:51:15 0 d-------- C:\Program Files\Blink
2007-12-18 09:20:18 0 d-------- C:\Program Files\Messenger
2007-12-11 11:30:15 12626 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-10-25 08:24:20 53760 --a------ C:\WINDOWS\b122.exe


-- Registry Dump --

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2608807E-ACA9-4C43-868E-12C6DE7321FB}]
12/18/2007 09:25 AM 332896 --a------ C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36645342-9475-2663-166A-466739207346}]
C:\WINDOWS\system32\ipv6mops.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D3BCE6-5DCD-4B8C-9BAD-29166C6EE499}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\Messenger\meqobaj4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
10/27/2007 03:54 PM 192512 --a------ C:\Program Files\QdrDrive\QdrDrive8.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
12/18/2007 09:49 AM 10000 --a------ C:\WINDOWS\system32\Lfj95jg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
12/18/2007 09:49 AM 10000 --a------ C:\WINDOWS\system32\Frjkfl4g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6F1D1B2-8AA0-4CFB-9C17-6D9BD3438FB3}]
08/02/2007 08:43 AM 282624 --a------ C:\Program Files\Messenger\meqobaj83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
12/18/2007 09:19 AM 40448 --a------ C:\WINDOWS\system32\ddcaxww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/29/2004 07:13 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/29/2004 07:13 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 03:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [10/18/2004 05:05 PM]
"@"="" []
"C2K"="C:\WINDOWS\Cyb2k.exe" [09/08/2004 01:04 PM]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [12/18/2007 09:20 AM]
"kdfgj9odjkg904gffdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [12/18/2007 09:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 12:04 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/02/2007 09:06 AM]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" []
"QdrPack10"="C:\Program Files\QdrPack\QdrPack10.exe" [11/30/2007 06:45 AM]
"Windows Rescue System"="C:\DOCUME~1\Owner\LOCALS~1\Temp\winsto.exe" []
"kdfgj9odjkg904gffdftdf"="C:\WINDOWS\TEMP\winlogan.exe" [12/18/2007 09:50 AM]
"WinTouch"="C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe" [12/18/2007 12:19 PM]
"SfKg6w"="C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\mnthgt.exe" [12/18/2007 12:19 PM]
"WinAble"="C:\Program Files\WinAble\winable.exe" [12/18/2007 12:23 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"explorer"=C:\WINDOWS\explorer.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kdfgj9odjkg904gffdftdf"=C:\WINDOWS\TEMP\winlogan.exe
"Windows Rescue System"=C:\WINDOWS\TEMP\winsto.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [1/19/2005 3:34:10 PM]
F1U201.401.lnk - C:\Program Files\Belkin\F1U201.401\usbshare.exe [2/16/2006 1:46:56 PM]
Microsoft Office.lnk.disabled [4/11/2006 9:24:19 AM]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\rtelejidib.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\Lfj95jg.dll [12/18/2007 09:49 AM 10000]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\system32\Frjkfl4g.dll [12/18/2007 09:49 AM 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\ddcaxww.dll [12/18/2007 09:19 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\csfdll]
C:\WINDOWS\Media\smartwarxyu.dll 12/18/2007 09:54 AM 52224 C:\WINDOWS\Media\smartwarxyu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaxww]
ddcaxww.dll 12/18/2007 09:19 AM 40448 C:\WINDOWS\system32\ddcaxww.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe"
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
"HostManager"=C:\Program Files\Common Files\AOL\1131033547\ee\AOLHostManager.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"WindowsHive"=C:\WINDOWS\system32\rpcc.exe
"ShareSearcher"=C:\wsusupd.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34d50fa7-2a17-11da-9477-806d6172696f}]
AutoRun\command- D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{424fd04a-56f1-11dc-955e-001111a6e9ef}]
AutoRun\command- J:\PortableVault.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d38e3527-aaa3-11d9-8f68-806d6172696f}]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-19 09:49:33 --