PDA

View Full Version : Please Help, Have "dropper.agent.dgo"



cdoggmack
2008-01-10, 16:57
I have followed the directions, started in safe mode, ran spybot, and nothing showed up. Ran AVG AS and found "dropper.agent.dgo. I remove and it returns every time I reboot. Please help!

Hijack Log:

C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer6.0CAB/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ddr.local
O17 - HKLM\Software\..\Telephony: DomainName = ddr.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ddr.local
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)

--
End of file - 3483 bytes



Kasperskylog Report:

KASPERSKY ONLINE SCANNER REPORT
2008-01-10 08:14
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/01/2008
Kaspersky Anti-Virus database records: 505617
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
L:\
Q:\
T:\

Scan Statistics:
Total number of scanned objects: 207426
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:15:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\cshifflett\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\cshifflett\Desktop\Torpark 2.0.0.2a\App\Tconfig.exe/data0004 Infected: not-a-virus:RiskTool.Win32.FWDisabler.a skipped
C:\Documents and Settings\cshifflett\Desktop\Torpark 2.0.0.2a\App\Tconfig.exe NSIS: infected - 1 skipped
C:\Documents and Settings\cshifflett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cshifflett\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cshifflett\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cshifflett\Local Settings\Temp\Perflib_Perfdata_148.dat Object is locked skipped
C:\Documents and Settings\cshifflett\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\cshifflett\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cshifflett\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\cshifflett\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000059.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000106.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000107.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000201.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000205.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{32A45277-6A49-40FB-A3B4-83CFEC3C92A2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\ardCo01\ardCo011065.exe Infected: Trojan-Downloader.Win32.VB.ccs skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
L:\CG_DESC.TBL Object is locked skipped
L:\CG_DESC.TBX Object is locked skipped
L:\Projects\Engr\Able\55-69\10-05-06 Code of Development.doc Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-41\410047B.CRD Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-41\410047B.dwg Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-41\410047B.dwl Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-41\410047B.idx Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-57B\57B-31.dwg Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-57B\57B-31.dwl Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-61W\61W-03-14.dwg Object is locked skipped
L:\Projects\WORKSHT\ABLE\TM-61W\61W-03-14.dwl Object is locked skipped
L:\Projects\WORKSHT\file.txt Object is locked skipped
Q:\ARCH\PROJECTS\currently active\SOUTHERN DEVELOPMENT PROJECTS\70212 - BROOKWOOD 6\BROOKWOOD 6 site overlay.dwg Object is locked skipped
Q:\ARCH\PROJECTS\currently active\SOUTHERN DEVELOPMENT PROJECTS\70212 - BROOKWOOD 6\BROOKWOOD 6 site overlay.dwl Object is locked skipped
Q:\Marketing\Project Portfolio\Haden.pub Object is locked skipped
Q:\Marketing\Project Portfolio\Hollymead Town Center.pub Object is locked skipped
Q:\Marketing\WEB SITE AND BROCHURE MATERIALS\Web-site text.doc Object is locked skipped
Q:\Sketchuplic\sema1.net Object is locked skipped

Scan process completed.

Thanks alot,

CS

katana
2008-01-14, 20:49
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.
===================================================================================

No Antivirus
I can see no indication of any Antivirus software.

Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
Free AV list
AVG Free (http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff)
Avira AntiVir (http://www.free-av.com/)
Avast (http://www.avast.com/eng/products.html)

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week.
If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Antivirus is a MUST


Rename HJT
Please open your Hijack This folder (C:\Program Files\Trend Micro\HijackThis)
Right click on Hijackthis.exe
Select Rename
Rename Hijack This to showme.exe
Double click showme
Click on the Do a system scan and save a log file button.



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

cdoggmack
2008-01-14, 22:51
I did the HJT scan. And tried several time to run the combo fix scan. I keep coming up with error message: "The instruction
'0x00403cba' referenced memory at '0x009fc2f0' the memory could not be read." So I am not able to reply with combo fix scan results. By the way, a couple days after post I ran avg AS and found trojan.agent.aoy, among others. And thanks a lot for your help also.

Hi Jack Scan

Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer6.0CAB/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ddr.local
O17 - HKLM\Software\..\Telephony: DomainName = ddr.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ddr.local
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)

--
End of file - 4565 bytes

cdoggmack
2008-01-14, 22:55
Also one more thing. Incase its helpfull. I also ran "Vundofix.exe". I ran and rebooted a few times. Its said it removed a bunch of stuff, but I think it keeps coming back.
Thanks again.

katana
2008-01-14, 23:00
Please rename ComboFix.exe to Combo.exe and try to run it again.

If it still won't run please try to run it in safe mode.

To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F5 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.

Please reboot to your normal account before accessing the internet

cdoggmack
2008-01-14, 23:15
I renamed it. And tried it and safe mode. I got the same results. It acts like its running, says "preparing to run" and then that same error message pops up.

katana
2008-01-14, 23:17
Please do the following,

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

cdoggmack
2008-01-14, 23:31
Deckard's System Scanner v20071014.68
Run by cshifflett on 2008-01-14 16:24:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-01-14 21:24:27 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-01-11 14:32:44 UTC - RP5 - System Checkpoint
4: 2008-01-10 13:27:09 UTC - RP4 - Last known good configuration
3: 2008-01-10 13:27:08 UTC - RP3 - Software Distribution Service 3.0
2: 2008-01-10 13:27:08 UTC - RP2 - Last known good configuration


-- First Restore Point --
1: 2008-01-10 13:27:08 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as cshifflett.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25, on 2008-01-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\cshifflett\Desktop\dss.exe
C:\DOCUME~1\CSHIFF~1\Desktop\cshifflett.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1043F3D-6310-44A7-9E6F-3345B064816F} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer6.0CAB/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ddr.local
O17 - HKLM\Software\..\Telephony: DomainName = ddr.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ddr.local
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)

--
End of file - 4238 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\CSHIFF~1\Desktop\backups\) ------------

backup-20080109-024007-503 O2 - BHO: (no name) - {B3824A73-2DB8-4A40-964C-2F45F2229888} - C:\WINDOWS\system32\mllml.dll
backup-20080109-024007-835 O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
backup-20080109-101139-354 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
backup-20080109-101139-692 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080109-101139-783 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080109-101824-234 O20 - Winlogon Notify: ssqnkkh - ssqnkkh.dll (file missing)
backup-20080109-101824-235 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20080109-101824-793 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080109-101836-692 O2 - BHO: (no name) - {7FC6CC83-F29E-4D76-A43A-54BC988C1EF3} - (no file)
backup-20080109-101836-959 O2 - BHO: (no name) - {A613CF12-4893-4074-97F1-9082BF0FC212} - C:\WINDOWS\system32\mllml.dll
backup-20080109-101846-123 O2 - BHO: (no name) - {A613CF12-4893-4074-97F1-9082BF0FC212} - C:\WINDOWS\system32\mllml.dll
backup-20080109-101852-675 O2 - BHO: (no name) - {A613CF12-4893-4074-97F1-9082BF0FC212} - C:\WINDOWS\system32\mllml.dll
backup-20080109-101906-726 O2 - BHO: (no name) - {A613CF12-4893-4074-97F1-9082BF0FC212} - C:\WINDOWS\system32\mllml.dll
backup-20080109-104252-625 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20080109-104313-325 O2 - BHO: (no name) - {8D5B6382-888E-40C6-AA66-40D6395A935F} - C:\WINDOWS\system32\mllml.dll
backup-20080109-104746-966 O2 - BHO: (no name) - {B3824A73-2DB8-4A40-964C-2F45F2229888} - C:\WINDOWS\system32\mllml.dll
backup-20080109-161102-323 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080109-161102-355 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20080109-161102-533 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
backup-20080109-161102-544 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080109-161102-705 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
backup-20080109-161102-719 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
backup-20080109-161751-857 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S2 Avg7UpdSvc (AVG7 Update Service) - c:\progra~1\grisoft\avg7\avgupsvc.exe (file missing)
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-12-14 and 2008-01-14 -----------------------------

2008-01-14 16:23:30 0 d-------- T:\Deckard
2008-01-14 15:30:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-14 15:29:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-01-14 15:29:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\pdf995
2008-01-14 15:25:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-01-14 13:14:26 0 d-------- C:\WINDOWS\pss
2008-01-14 11:32:59 0 dr-h----- C:\Documents and Settings\cshifflett\Recent
2008-01-09 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 16:46:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-09 16:40:27 0 d-------- C:\Program Files\Trend Micro
2008-01-09 09:07:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-08 17:13:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-01-08 17:08:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 14:54:58 0 d-------- C:\Documents and Settings\cshifflett\Application Data\Grisoft
2008-01-08 12:57:27 0 d-------- C:\Program Files\Temporary
2008-01-08 12:57:27 0 d-------- C:\Program Files\Dot1XCfg
2008-01-08 12:54:01 0 d-------- C:\WINDOWS\system32\s?mbols
2008-01-08 12:54:01 0 d-------- C:\Program Files\Outerinfo
2008-01-08 12:53:54 0 d-------- C:\Program Files\?ppPatch
2008-01-08 12:53:53 0 d-------- C:\WINDOWS\system32\ardCo01


-- Find3M Report ---------------------------------------------------------------

2008-01-14 15:22:32 0 d-------- C:\Program Files\CGSurvey for AutoCAD
2008-01-08 15:29:58 0 d-------- C:\Program Files\?ppPatch
2008-01-08 15:17:43 0 d-------- C:\Program Files\PeerGuardian2
2008-01-08 14:54:38 0 d-------- C:\Program Files\spyscan
2008-01-08 13:15:24 0 d-------- C:\Documents and Settings\cshifflett\Application Data\AVG7
2008-01-08 13:13:22 0 d-------- C:\Program Files\Common Files
2007-12-21 14:41:35 0 d-------- C:\Documents and Settings\cshifflett\Application Data\Adobe
2007-12-18 14:39:06 0 d-------- C:\Program Files\Bodog Poker
2007-12-04 14:28:45 0 d-------- C:\Documents and Settings\cshifflett\Application Data\CyberLink
2007-11-21 08:47:27 0 d-------- C:\Program Files\Ares
2007-11-07 09:41:09 2207 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1043F3D-6310-44A7-9E6F-3345B064816F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-10 09:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 08:18:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-12-18 15:33:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mllml

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4162866786-3495019102-652876556-1146\Scripts\Logon\0\0]
"Script"=ddr.bat




-- Hosts -----------------------------------------------------------------------

192.168.2.2 fs1.ddr.local # domain controller
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com

7841 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-14 16:26:10 ------------

cdoggmack
2008-01-14, 23:32
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1022.07 MiB / 682.54 MiB
Pagefile Memory (total/avail): 2460.7 MiB / 2211.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.9 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.44 GiB total, 60.01 GiB free.
D: is CDROM (No Media)
L: is Network (NTFS)
Q: is Network (NTFS)
T: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST380819AS - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.44 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 0.5.516 v0.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\avgagent.exe"="C:\\WINDOWS\\avgagent.exe:*:Enabled:avgagent.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:AVG Control Center"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cshifflett\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CSHIFFLETT_PC
ComSpec=C:\WINDOWS\system32\cmd.exe
EPSERVTCP=@192.168.2.3
FP_NO_HOST_CHECK=NO
HOMEDRIVE=T:
HOMEPATH=\
HOMESHARE=\\fs1\users$\cshifflett
LOGONSERVER=\\FS1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ZipGenius 6\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CSHIFF~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CSHIFF~1\LOCALS~1\Temp
USERDNSDOMAIN=DDR.LOCAL
USERDOMAIN=DDR
USERNAME=cshifflett
USERPROFILE=C:\Documents and Settings\cshifflett
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)
Administrator (admin)
cshifflett (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk 2006 OE Hotfix --> C:\Program Files\Common Files\Autodesk Shared\OEHotfix.2006.exe -u
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bodog Poker Version 2.13.1.13 --> "C:\Program Files\Bodog Poker\unins000.exe"
Broadcom Advanced Control Suite --> MsiExec.exe /I{058B32E2-6310-4359-B2D4-1988390C3B83}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CGSurvey for AutoCAD --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B8F250EE-81EC-4ECA-90A6-E28AEC8AAD20}
CGSurvey for AutoCAD --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BB592A57-74BD-4567-A6D7-E03B51A8D34C}
Dot1XCfg --> "C:\Program Files\Dot1XCfg\Dot1XCfg.exe" -uninstall
DWG TrueView 2007 --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
Eagle Point --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A02A2C67-9079-11D3-80EB-00C04F2CB01C}\setup.exe" Uninstall
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
RW-240 PLOTCLIENT HDI/ADI --> MsiExec.exe /X{F7818E74-3D89-4478-9577-A8FD4E78D417}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZipGenius 6 (6.0.2.1060) --> "C:\Program Files\ZipGenius 6\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3797 / Error
Event Submitted/Written: 01/14/2008 04:25:56 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type3796 / Warning
Event Submitted/Written: 01/14/2008 04:08:15 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type3795 / Warning
Event Submitted/Written: 01/14/2008 04:08:15 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type3791 / Warning
Event Submitted/Written: 01/14/2008 03:29:51 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'HandWritingFiles' failed during request for component '{E6BFD503-3A35-4B78-BAB5-9570EDDEF81C}'

Event Record #/Type3790 / Warning
Event Submitted/Written: 01/14/2008 03:29:51 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'CiceroFiles', component '{D3146E44-B39F-4D61-93CD-07241D982881}' failed. The resource 'C:\WINDOWS\system32\CTFMON.EXE' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13240 / Error
Event Submitted/Written: 01/14/2008 04:09:36 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsXP

Event Record #/Type13239 / Error
Event Submitted/Written: 01/14/2008 04:09:36 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVG7 Update Service service failed to start due to the following error:
%%3

Event Record #/Type13238 / Error
Event Submitted/Written: 01/14/2008 04:09:36 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVG7 Alert Manager Server service failed to start due to the following error:
%%3

Event Record #/Type13231 / Error
Event Submitted/Written: 01/14/2008 04:07:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type13230 / Error
Event Submitted/Written: 01/14/2008 04:07:07 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-01-14 16:26:10 ------------

katana
2008-01-14, 23:36
Please delete the copy of ComboFix that you have, and download a fresh copy from this link.
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

If you still get an error message then do not close any windows or do anything for at least 10 minutes.

ComboFix "should" still produce a report.

cdoggmack
2008-01-14, 23:43
Okay, Im going to get back to you tomorrow. I have class tonight. Hopefully we can resolve this then. Thanks a lot again. Ill DEF. be posting back with the new combo fix, FIRST THING tommorow.

cdoggmack
2008-01-15, 15:20
ComboFix 08-01-15.2 - cshifflett 2008-01-14 16:43:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\cshifflett\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pos1.tmp
C:\pos10.tmp
C:\pos100.tmp
C:\pos101.tmp
C:\pos102.tmp
C:\pos103.tmp
C:\pos104.tmp
C:\pos105.tmp
C:\pos106.tmp
C:\pos107.tmp
C:\pos108.tmp
C:\pos109.tmp
C:\pos10A.tmp
C:\pos10B.tmp
C:\pos10C.tmp
C:\pos10D.tmp
C:\pos10E.tmp
C:\pos10F.tmp
C:\pos11.tmp
C:\pos110.tmp
C:\pos111.tmp
C:\pos112.tmp
C:\pos113.tmp
C:\pos114.tmp
C:\pos115.tmp
C:\pos116.tmp
C:\pos117.tmp
C:\pos118.tmp
C:\pos119.tmp
C:\pos11A.tmp
C:\pos11B.tmp
C:\pos11C.tmp
C:\pos11D.tmp
C:\pos11E.tmp
C:\pos11F.tmp
C:\pos12.tmp
C:\pos120.tmp
C:\pos121.tmp
C:\pos122.tmp
C:\pos123.tmp
C:\pos124.tmp
C:\pos125.tmp
C:\pos126.tmp
C:\pos127.tmp
C:\pos128.tmp
C:\pos129.tmp
C:\pos12A.tmp
C:\pos12B.tmp
C:\pos12C.tmp
C:\pos12D.tmp
C:\pos12E.tmp
C:\pos12F.tmp
C:\pos13.tmp
C:\pos130.tmp
C:\pos131.tmp
C:\pos132.tmp
C:\pos133.tmp
C:\pos134.tmp
C:\pos135.tmp
C:\pos136.tmp
C:\pos137.tmp
C:\pos138.tmp
C:\pos139.tmp
C:\pos13A.tmp
C:\pos13B.tmp
C:\pos13C.tmp
C:\pos13D.tmp
C:\pos13E.tmp
C:\pos13F.tmp
C:\pos14.tmp
C:\pos140.tmp
C:\pos141.tmp
C:\pos142.tmp
C:\pos143.tmp
C:\pos144.tmp
C:\pos145.tmp
C:\pos146.tmp
C:\pos147.tmp
C:\pos148.tmp
C:\pos149.tmp
C:\pos14A.tmp
C:\pos14B.tmp
C:\pos14C.tmp
C:\pos14D.tmp
C:\pos14E.tmp
C:\pos14F.tmp
C:\pos15.tmp
C:\pos150.tmp
C:\pos151.tmp
C:\pos152.tmp
C:\pos153.tmp
C:\pos154.tmp
C:\pos155.tmp
C:\pos156.tmp
C:\pos157.tmp
C:\pos158.tmp
C:\pos159.tmp
C:\pos15A.tmp
C:\pos15B.tmp
C:\pos15C.tmp
C:\pos15D.tmp
C:\pos15E.tmp
C:\pos15F.tmp
C:\pos16.tmp
C:\pos160.tmp
C:\pos161.tmp
C:\pos162.tmp
C:\pos163.tmp
C:\pos164.tmp
C:\pos165.tmp
C:\pos166.tmp
C:\pos167.tmp
C:\pos168.tmp
C:\pos169.tmp
C:\pos16A.tmp
C:\pos16B.tmp
C:\pos16C.tmp
C:\pos16D.tmp
C:\pos16E.tmp
C:\pos16F.tmp
C:\pos17.tmp
C:\pos170.tmp
C:\pos171.tmp
C:\pos172.tmp
C:\pos173.tmp
C:\pos174.tmp
C:\pos175.tmp
C:\pos176.tmp
C:\pos177.tmp
C:\pos178.tmp
C:\pos179.tmp
C:\pos17A.tmp
C:\pos17B.tmp
C:\pos17C.tmp
C:\pos17D.tmp
C:\pos17E.tmp
C:\pos17F.tmp
C:\pos18.tmp
C:\pos180.tmp
C:\pos181.tmp
C:\pos182.tmp
C:\pos183.tmp
C:\pos184.tmp
C:\pos185.tmp
C:\pos186.tmp
C:\pos187.tmp
C:\pos188.tmp
C:\pos189.tmp
C:\pos18A.tmp
C:\pos18B.tmp
C:\pos18C.tmp
C:\pos18D.tmp
C:\pos18E.tmp
C:\pos18F.tmp
C:\pos19.tmp
C:\pos190.tmp
C:\pos191.tmp
C:\pos192.tmp
C:\pos193.tmp
C:\pos194.tmp
C:\pos195.tmp
C:\pos196.tmp
C:\pos197.tmp
C:\pos198.tmp
C:\pos199.tmp
C:\pos19A.tmp
C:\pos19B.tmp
C:\pos19C.tmp
C:\pos19D.tmp
C:\pos19E.tmp
C:\pos19F.tmp
C:\pos1A.tmp
C:\pos1A0.tmp
C:\pos1A1.tmp
C:\pos1A2.tmp
C:\pos1A3.tmp
C:\pos1A4.tmp
C:\pos1A5.tmp
C:\pos1A6.tmp
C:\pos1A7.tmp
C:\pos1A8.tmp
C:\pos1A9.tmp
C:\pos1AA.tmp
C:\pos1AB.tmp
C:\pos1AC.tmp
C:\pos1AD.tmp
C:\pos1AE.tmp
C:\pos1AF.tmp
C:\pos1B.tmp
C:\pos1B0.tmp
C:\pos1B1.tmp
C:\pos1B2.tmp
C:\pos1B3.tmp
C:\pos1B4.tmp
C:\pos1B5.tmp
C:\pos1B6.tmp
C:\pos1B7.tmp
C:\pos1B8.tmp
C:\pos1B9.tmp
C:\pos1BA.tmp
C:\pos1BB.tmp
C:\pos1BC.tmp
C:\pos1BD.tmp
C:\pos1BE.tmp
C:\pos1BF.tmp
C:\pos1C.tmp
C:\pos1C0.tmp
C:\pos1C1.tmp
C:\pos1C2.tmp
C:\pos1C3.tmp
C:\pos1C4.tmp
C:\pos1C5.tmp
C:\pos1C6.tmp
C:\pos1C7.tmp
C:\pos1C8.tmp
C:\pos1C9.tmp
C:\pos1CA.tmp
C:\pos1CB.tmp
C:\pos1CC.tmp
C:\pos1CD.tmp
C:\pos1CE.tmp
C:\pos1CF.tmp
C:\pos1D.tmp
C:\pos1D0.tmp
C:\pos1D1.tmp
C:\pos1D2.tmp
C:\pos1D3.tmp
C:\pos1D4.tmp
C:\pos1D5.tmp
C:\pos1D6.tmp
C:\pos1D7.tmp
C:\pos1D8.tmp
C:\pos1D9.tmp
C:\pos1DA.tmp
C:\pos1DB.tmp
C:\pos1DC.tmp
C:\pos1DD.tmp
C:\pos1DE.tmp
C:\pos1DF.tmp
C:\pos1E.tmp
C:\pos1E0.tmp
C:\pos1E1.tmp
C:\pos1E2.tmp
C:\pos1E3.tmp
C:\pos1E4.tmp
C:\pos1E5.tmp
C:\pos1E6.tmp
C:\pos1E7.tmp
C:\pos1E8.tmp
C:\pos1E9.tmp
C:\pos1EA.tmp
C:\pos1EB.tmp
C:\pos1EC.tmp
C:\pos1ED.tmp
C:\pos1EE.tmp
C:\pos1EF.tmp
C:\pos1F.tmp
C:\pos1F0.tmp
C:\pos1F1.tmp
C:\pos1F2.tmp
C:\pos1F3.tmp
C:\pos1F4.tmp
C:\pos1F5.tmp
C:\pos1F6.tmp
C:\pos1F7.tmp
C:\pos1F8.tmp
C:\pos1F9.tmp
C:\pos1FA.tmp
C:\pos1FB.tmp
C:\pos1FC.tmp
C:\pos1FD.tmp
C:\pos1FE.tmp
C:\pos1FF.tmp
C:\pos2.tmp
C:\pos20.tmp
C:\pos200.tmp
C:\pos201.tmp
C:\pos202.tmp
C:\pos203.tmp
C:\pos204.tmp
C:\pos205.tmp
C:\pos206.tmp
C:\pos207.tmp
C:\pos208.tmp
C:\pos209.tmp
C:\pos20A.tmp
C:\pos20B.tmp
C:\pos20C.tmp
C:\pos20D.tmp
C:\pos20E.tmp
C:\pos20F.tmp
C:\pos21.tmp
C:\pos210.tmp
C:\pos211.tmp
C:\pos212.tmp
C:\pos213.tmp
C:\pos214.tmp
C:\pos215.tmp
C:\pos216.tmp
C:\pos217.tmp
C:\pos218.tmp
C:\pos219.tmp
C:\pos21A.tmp
C:\pos21B.tmp
C:\pos21C.tmp
C:\pos21D.tmp
C:\pos21E.tmp
C:\pos21F.tmp
C:\pos22.tmp
C:\pos220.tmp
C:\pos221.tmp
C:\pos222.tmp
C:\pos223.tmp
C:\pos224.tmp
C:\pos225.tmp
C:\pos226.tmp
C:\pos227.tmp
C:\pos228.tmp
C:\pos229.tmp
C:\pos22A.tmp
C:\pos22B.tmp
C:\pos22C.tmp
C:\pos22D.tmp
C:\pos22E.tmp
C:\pos22F.tmp
C:\pos23.tmp
C:\pos230.tmp
C:\pos231.tmp
C:\pos232.tmp
C:\pos233.tmp
C:\pos234.tmp
C:\pos235.tmp
C:\pos236.tmp
C:\pos237.tmp
C:\pos238.tmp
C:\pos239.tmp
C:\pos23A.tmp
C:\pos23B.tmp
C:\pos23C.tmp
C:\pos23D.tmp
C:\pos23E.tmp
C:\pos23F.tmp
C:\pos24.tmp
C:\pos240.tmp
C:\pos241.tmp
C:\pos242.tmp
C:\pos243.tmp
C:\pos244.tmp
C:\pos245.tmp
C:\pos246.tmp
C:\pos247.tmp
C:\pos248.tmp
C:\pos249.tmp
C:\pos24A.tmp
C:\pos24B.tmp
C:\pos24C.tmp
C:\pos24D.tmp
C:\pos24E.tmp
C:\pos24F.tmp
C:\pos25.tmp
C:\pos250.tmp
C:\pos251.tmp
C:\pos252.tmp
C:\pos253.tmp
C:\pos254.tmp
C:\pos255.tmp
C:\pos256.tmp
C:\pos257.tmp
C:\pos258.tmp
C:\pos259.tmp
C:\pos25A.tmp
C:\pos25B.tmp
C:\pos25C.tmp
C:\pos25D.tmp
C:\pos25E.tmp
C:\pos25F.tmp
C:\pos26.tmp
C:\pos260.tmp
C:\pos261.tmp
C:\pos262.tmp
C:\pos263.tmp
C:\pos264.tmp
C:\pos265.tmp
C:\pos266.tmp
C:\pos267.tmp
C:\pos268.tmp
C:\pos269.tmp
C:\pos26A.tmp
C:\pos26B.tmp
C:\pos26C.tmp
C:\pos26D.tmp
C:\pos26E.tmp
C:\pos26F.tmp
C:\pos27.tmp
C:\pos270.tmp
C:\pos271.tmp
C:\pos272.tmp
C:\pos273.tmp
C:\pos274.tmp
C:\pos275.tmp
C:\pos276.tmp
C:\pos277.tmp
C:\pos278.tmp
C:\pos279.tmp
C:\pos27A.tmp
C:\pos27B.tmp
C:\pos27C.tmp
C:\pos27D.tmp
C:\pos27E.tmp
C:\pos27F.tmp
C:\pos28.tmp
C:\pos280.tmp
C:\pos281.tmp
C:\pos282.tmp
C:\pos283.tmp
C:\pos284.tmp
C:\pos285.tmp
C:\pos286.tmp
C:\pos287.tmp
C:\pos288.tmp
C:\pos289.tmp
C:\pos28A.tmp
C:\pos28B.tmp
C:\pos28C.tmp
C:\pos28D.tmp
C:\pos28E.tmp
C:\pos28F.tmp
C:\pos29.tmp
C:\pos290.tmp
C:\pos291.tmp
C:\pos292.tmp
C:\pos293.tmp
C:\pos294.tmp
C:\pos295.tmp
C:\pos296.tmp
C:\pos297.tmp
C:\pos298.tmp
C:\pos299.tmp
C:\pos29A.tmp
C:\pos29B.tmp
C:\pos29C.tmp
C:\pos29D.tmp
C:\pos29E.tmp
C:\pos29F.tmp
C:\pos2A.tmp
C:\pos2A0.tmp
C:\pos2A1.tmp
C:\pos2A2.tmp
C:\pos2A3.tmp
C:\pos2A4.tmp
C:\pos2A5.tmp
C:\pos2A6.tmp
C:\pos2A7.tmp
C:\pos2A8.tmp
C:\pos2A9.tmp
C:\pos2AA.tmp
C:\pos2AB.tmp
C:\pos2AC.tmp
C:\pos2AD.tmp
C:\pos2AE.tmp
C:\pos2AF.tmp
C:\pos2B.tmp
C:\pos2B0.tmp
C:\pos2B1.tmp
C:\pos2B2.tmp
C:\pos2B3.tmp
C:\pos2B4.tmp
C:\pos2B5.tmp
C:\pos2B6.tmp
C:\pos2B7.tmp
C:\pos2B8.tmp
C:\pos2B9.tmp
C:\pos2BA.tmp
C:\pos2BB.tmp
C:\pos2BC.tmp
C:\pos2BD.tmp
C:\pos2BE.tmp
C:\pos2BF.tmp
C:\pos2C.tmp
C:\pos2C0.tmp
C:\pos2C1.tmp
C:\pos2C2.tmp
C:\pos2C3.tmp
C:\pos2C4.tmp
C:\pos2C5.tmp
C:\pos2C6.tmp
C:\pos2C7.tmp
C:\pos2C8.tmp
C:\pos2C9.tmp
C:\pos2CA.tmp
C:\pos2CB.tmp
C:\pos2CC.tmp
C:\pos2CD.tmp
C:\pos2CE.tmp
C:\pos2CF.tmp
C:\pos2D.tmp
C:\pos2D0.tmp
C:\pos2D1.tmp
C:\pos2D2.tmp
C:\pos2D3.tmp
C:\pos2D4.tmp
C:\pos2D5.tmp
C:\pos2D6.tmp
C:\pos2D7.tmp
C:\pos2D8.tmp
C:\pos2D9.tmp
C:\pos2DA.tmp
C:\pos2DB.tmp
C:\pos2DC.tmp
C:\pos2DD.tmp
C:\pos2DE.tmp
C:\pos2DF.tmp
C:\pos2E.tmp
C:\pos2E0.tmp
C:\pos2E1.tmp
C:\pos2E2.tmp
C:\pos2E3.tmp
C:\pos2E4.tmp
C:\pos2E5.tmp
C:\pos2E6.tmp
C:\pos2E7.tmp
C:\pos2E8.tmp
C:\pos2E9.tmp
C:\pos2EA.tmp
C:\pos2EB.tmp
C:\pos2EC.tmp
C:\pos2ED.tmp
C:\pos2EE.tmp
C:\pos2EF.tmp
C:\pos2F.tmp
C:\pos2F0.tmp
C:\pos2F1.tmp
C:\pos2F2.tmp
C:\pos2F3.tmp
C:\pos2F4.tmp
C:\pos2F5.tmp
C:\pos2F6.tmp
C:\pos2F7.tmp
C:\pos2F8.tmp
C:\pos2F9.tmp
C:\pos2FA.tmp
C:\pos2FB.tmp
C:\pos2FC.tmp
C:\pos2FD.tmp
C:\pos2FE.tmp
C:\pos2FF.tmp
C:\pos3.tmp
C:\pos30.tmp
C:\pos300.tmp
C:\pos301.tmp
C:\pos302.tmp
C:\pos303.tmp
C:\pos304.tmp
C:\pos305.tmp
C:\pos306.tmp
C:\pos307.tmp
C:\pos308.tmp
C:\pos309.tmp
C:\pos30A.tmp
C:\pos30B.tmp
C:\pos30C.tmp
C:\pos30D.tmp
C:\pos30E.tmp
C:\pos30F.tmp
C:\pos31.tmp
C:\pos310.tmp
C:\pos311.tmp
C:\pos312.tmp
C:\pos313.tmp
C:\pos314.tmp
C:\pos315.tmp
C:\pos316.tmp
C:\pos317.tmp
C:\pos318.tmp
C:\pos319.tmp
C:\pos31A.tmp
C:\pos31B.tmp
C:\pos31C.tmp
C:\pos31D.tmp
C:\pos31E.tmp
C:\pos31F.tmp
C:\pos32.tmp
C:\pos320.tmp
C:\pos321.tmp
C:\pos322.tmp
C:\pos323.tmp
C:\pos324.tmp
C:\pos325.tmp
C:\pos326.tmp
C:\pos327.tmp
C:\pos328.tmp
C:\pos329.tmp
C:\pos32A.tmp
C:\pos32B.tmp
C:\pos32C.tmp
C:\pos32D.tmp
C:\pos32E.tmp
C:\pos32F.tmp
C:\pos33.tmp
C:\pos330.tmp
C:\pos331.tmp
C:\pos332.tmp
C:\pos333.tmp
C:\pos334.tmp
C:\pos335.tmp
C:\pos336.tmp
C:\pos337.tmp
C:\pos338.tmp
C:\pos339.tmp
C:\pos33A.tmp
C:\pos33B.tmp
C:\pos33C.tmp
C:\pos33D.tmp
C:\pos33E.tmp
C:\pos33F.tmp
C:\pos34.tmp
C:\pos340.tmp
C:\pos341.tmp
C:\pos342.tmp
C:\pos343.tmp
C:\pos344.tmp
C:\pos345.tmp
C:\pos35.tmp
C:\pos36.tmp
C:\pos37.tmp
C:\pos38.tmp
C:\pos39.tmp
C:\pos3A.tmp
C:\pos3B.tmp
C:\pos3C.tmp
C:\pos3D.tmp
C:\pos3E.tmp
C:\pos3F.tmp
C:\pos4.tmp
C:\pos40.tmp
C:\pos41.tmp
C:\pos42.tmp
C:\pos43.tmp
C:\pos44.tmp
C:\pos45.tmp
C:\pos46.tmp
C:\pos47.tmp
C:\pos48.tmp
C:\pos49.tmp
C:\pos4A.tmp
C:\pos4B.tmp
C:\pos4C.tmp
C:\pos4D.tmp
C:\pos4E.tmp
C:\pos4F.tmp
C:\pos5.tmp
C:\pos50.tmp
C:\pos51.tmp
C:\pos52.tmp
C:\pos53.tmp
C:\pos54.tmp
C:\pos55.tmp
C:\pos56.tmp
C:\pos57.tmp
C:\pos58.tmp
C:\pos59.tmp
C:\pos5A.tmp
C:\pos5B.tmp
C:\pos5C.tmp
C:\pos5D.tmp
C:\pos5E.tmp
C:\pos5F.tmp
C:\pos6.tmp
C:\pos60.tmp
C:\pos61.tmp
C:\pos62.tmp
C:\pos63.tmp
C:\pos64.tmp
C:\pos65.tmp
C:\pos66.tmp
C:\pos67.tmp
C:\pos68.tmp
C:\pos69.tmp
C:\pos6A.tmp
C:\pos6B.tmp
C:\pos6C.tmp
C:\pos6D.tmp
C:\pos6E.tmp
C:\pos6F.tmp
C:\pos7.tmp
C:\pos70.tmp
C:\pos71.tmp
C:\pos72.tmp
C:\pos73.tmp
C:\pos74.tmp
C:\pos75.tmp
C:\pos76.tmp
C:\pos77.tmp
C:\pos78.tmp
C:\pos79.tmp
C:\pos7A.tmp
C:\pos7B.tmp
C:\pos7C.tmp
C:\pos7D.tmp
C:\pos7E.tmp
C:\pos7F.tmp
C:\pos8.tmp
C:\pos80.tmp
C:\pos81.tmp
C:\pos82.tmp
C:\pos83.tmp
C:\pos84.tmp
C:\pos85.tmp
C:\pos86.tmp
C:\pos87.tmp
C:\pos88.tmp
C:\pos89.tmp
C:\pos8A.tmp
C:\pos8B.tmp
C:\pos8C.tmp
C:\pos8D.tmp
C:\pos8E.tmp
C:\pos8F.tmp
C:\pos9.tmp
C:\pos90.tmp
C:\pos91.tmp
C:\pos92.tmp
C:\pos93.tmp
C:\pos94.tmp
C:\pos95.tmp
C:\pos96.tmp
C:\pos97.tmp
C:\pos98.tmp
C:\pos99.tmp
C:\pos9A.tmp
C:\pos9B.tmp
C:\pos9C.tmp
C:\pos9D.tmp
C:\pos9E.tmp
C:\pos9F.tmp
C:\posA.tmp
C:\posA0.tmp
C:\posA1.tmp
C:\posA2.tmp
C:\posA3.tmp
C:\posA4.tmp
C:\posA5.tmp
C:\posA6.tmp
C:\posA7.tmp
C:\posA8.tmp
C:\posA9.tmp
C:\posAA.tmp
C:\posAB.tmp
C:\posAC.tmp
C:\posAD.tmp
C:\posAE.tmp
C:\posAF.tmp
C:\posB.tmp
C:\posB0.tmp
C:\posB1.tmp
C:\posB2.tmp
C:\posB3.tmp
C:\posB4.tmp
C:\posB5.tmp
C:\posB6.tmp
C:\posB7.tmp
C:\posB8.tmp
C:\posB9.tmp
C:\posBA.tmp
C:\posBB.tmp
C:\posBC.tmp
C:\posBD.tmp
C:\posBE.tmp
C:\posBF.tmp
C:\posC.tmp
C:\posC0.tmp
C:\posC1.tmp
C:\posC2.tmp
C:\posC3.tmp
C:\posC4.tmp
C:\posC5.tmp
C:\posC6.tmp
C:\posC7.tmp
C:\posC8.tmp
C:\posC9.tmp
C:\posCA.tmp
C:\posCB.tmp
C:\posCC.tmp
C:\posCD.tmp
C:\posCE.tmp
C:\posCF.tmp
C:\posD.tmp
C:\posD0.tmp
C:\posD1.tmp
C:\posD2.tmp
C:\posD3.tmp
C:\posD4.tmp
C:\posD5.tmp
C:\posD6.tmp
C:\posD7.tmp
C:\posD8.tmp
C:\posD9.tmp
C:\posDA.tmp
C:\posDB.tmp
C:\posDC.tmp
C:\posDD.tmp
C:\posDE.tmp
C:\posDF.tmp
C:\posE.tmp
C:\posE0.tmp
C:\posE1.tmp
C:\posE2.tmp
C:\posE3.tmp
C:\posE4.tmp
C:\posE5.tmp
C:\posE6.tmp
C:\posE7.tmp
C:\posE8.tmp
C:\posE9.tmp
C:\posEA.tmp
C:\posEB.tmp
C:\posEC.tmp
C:\posED.tmp
C:\posEE.tmp
C:\posEF.tmp
C:\posF.tmp
C:\posF0.tmp
C:\posF1.tmp
C:\posF2.tmp
C:\posF3.tmp
C:\posF4.tmp
C:\posF5.tmp
C:\posF6.tmp
C:\posF7.tmp
C:\posF8.tmp
C:\posF9.tmp
C:\posFA.tmp
C:\posFB.tmp
C:\posFC.tmp
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\Program Files\outerinfo
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\?ppPatch\
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 15:29 . 2008-01-14 15:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\pdf995
2008-01-14 15:25 . 2008-01-14 15:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-01-14 11:35 . 2008-01-14 11:35 1,238,674 --a------ C:\MGtools.exe
2008-01-14 10:15 . 2008-01-14 11:07 <DIR> d-------- C:\VundoFix Backups
2008-01-09 16:46 . 2008-01-09 16:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-09 16:46 . 2008-01-09 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 16:40 . 2008-01-09 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 10:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 09:07 . 2008-01-09 09:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-08 17:08 . 2008-01-08 17:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 14:54 . 2008-01-08 14:54 <DIR> d-------- C:\Documents and Settings\cshifflett\Application Data\Grisoft
2008-01-08 14:54 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-08 12:57 . 2008-01-08 13:50 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-08 12:53 . 2008-01-08 12:53 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-08 12:53 . 2008-01-08 12:53 <DIR> d-------- C:\Temp\cEeer12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 21:43 --------- d-----w C:\Program Files\CGSurvey for AutoCAD
2008-01-14 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-14 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 20:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-01-08 19:54 --------- d-----w C:\Program Files\spyscan
2008-01-08 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 18:15 --------- d-----w C:\Documents and Settings\cshifflett\Application Data\AVG7
2007-12-18 19:39 --------- d-----w C:\Program Files\Bodog Poker
2007-12-04 19:28 --------- d-----w C:\Documents and Settings\cshifflett\Application Data\CyberLink
2007-11-21 13:47 --------- d-----w C:\Program Files\Ares
2007-11-05 17:40 12,247,804 ------w C:\AVG7QT.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1043F3D-6310-44A7-9E6F-3345B064816F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-10 09:49 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 08:18:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-12-18 15:33:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4162866786-3495019102-652876556-1146\Scripts\Logon\0\0]
"Script"=ddr.bat


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 16:48:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 16:50:13 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-01-14 21:50:11
.
2008-01-09 06:47:30 --- E O F ---

katana
2008-01-15, 16:03
Do you know what ddr.bat relates to ?
Do you logon to a domain ?

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINDOWS\mrofinu572.exe.tmp
Folder::
C:\WINDOWS\system32\ardCo01
C:\Temp\cEeer12

Save this as CFScript.txt and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

cdoggmack
2008-01-15, 21:23
ComboFix 08-01-15.4 - cshifflett 2008-01-15 9:40:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -5:00]
Running from: C:\Documents and Settings\cshifflett\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\cshifflett\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\mrofinu572.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 09:40 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 15:29 . 2008-01-14 15:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\pdf995
2008-01-14 15:25 . 2008-01-14 15:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Autodesk
2008-01-14 11:35 . 2008-01-14 11:35 1,238,674 --a------ C:\MGtools.exe
2008-01-14 10:15 . 2008-01-14 11:07 <DIR> d-------- C:\VundoFix Backups
2008-01-09 16:46 . 2008-01-09 16:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-09 16:46 . 2008-01-09 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 16:40 . 2008-01-09 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 09:07 . 2008-01-09 09:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-08 17:08 . 2008-01-08 17:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-08 14:54 . 2008-01-08 14:54 <DIR> d-------- C:\Documents and Settings\cshifflett\Application Data\Grisoft
2008-01-08 14:54 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-08 12:57 . 2008-01-08 13:50 <DIR> d-------- C:\Program Files\Dot1XCfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:24 --------- d-----w C:\Program Files\CGSurvey for AutoCAD
2008-01-14 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-14 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 20:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-01-08 19:54 --------- d-----w C:\Program Files\spyscan
2008-01-08 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-08 18:15 --------- d-----w C:\Documents and Settings\cshifflett\Application Data\AVG7
2007-12-18 19:39 --------- d-----w C:\Program Files\Bodog Poker
2007-12-04 19:28 --------- d-----w C:\Documents and Settings\cshifflett\Application Data\CyberLink
2007-11-21 13:47 --------- d-----w C:\Program Files\Ares
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-11-05 17:40 12,247,804 ------w C:\AVG7QT.DAT
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-14_16.50.00.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 21:43:01 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 14:40:19 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 21:43:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 14:40:19 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 21:43:02 1,421,312 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 14:40:19 1,421,312 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-14 21:43:02 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 14:40:19 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 21:43:02 5,742,592 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-15 14:40:20 5,742,592 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-14 21:43:02 200,704 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 14:40:20 200,704 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1043F3D-6310-44A7-9E6F-3345B064816F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-01-10 09:49 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 08:18:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-12-18 15:33:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4162866786-3495019102-652876556-1146\Scripts\Logon\0\0]
"Script"=ddr.bat


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 09:42:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 9:42:19
ComboFix-quarantined-files.txt 2008-01-15 14:42:17
ComboFix2.txt 2008-01-14 21:50:13
.
2008-01-09 06:47:30 --- E O F ---

cdoggmack
2008-01-15, 21:24
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-01-15 14:20:35
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 0.5.516 0.5.516 Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.atdmt.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.tribalfusion.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[ad.yieldmanager.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[stat.onestat.com/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[stat.onestat.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Application Data\Mozilla\Firefox\Profiles\7mofd1v7.default\cookies.txt[.realmedia.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\cshifflett\Cookies\cshifflett@adrevolver[1].txt
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix\nircmd.cfexe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\cshifflett\Desktop\ComboFix.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\cshifflett\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0000808.com
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0000783.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000019.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000032.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000126.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000139.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000186.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000199.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0000783.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000349.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000349.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000350.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000350.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000352.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000560.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000573.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000574.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000574.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000602.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000615.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000625.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000625.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000644.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000673.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000687.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000689.exe[nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000689.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000707.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000720.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0000779.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0000756.com
02632769 Generic Trojan Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\v8\taldrvr11.exe.vir
02632769 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0000723.exe
02883092 Application/FWDisabler HackTools No 0 No No C:\Documents and Settings\cshifflett\Desktop\Torpark 2.0.0.2a\App\Tconfig.exe[²ÜÇ\firewall-disabler.dll]
02884499 Spyware/Virtumonde Spyware No 1 Yes No C:\VundoFix Backups\fqsisyho.exe.bad
02884499 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000348.exe
02887793 Trj/Downloader.RSV Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\ardCo01\ardCo011065.exe.vir
02887793 Trj/Downloader.RSV Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0000789.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

katana
2008-01-15, 22:15
Those logs look fine, how are things running now ?

Do you know what ddr.bat relates to ?
Do you logon to a domain ?

cdoggmack
2008-01-15, 23:14
Yea, I log in to a domain. That is where the DDR comes from.... The total scan said it found a trojan, and spyware at a medium threat. No big deal though?

katana
2008-01-15, 23:48
The files that were found are already in quarantine, :D:


Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First lets tidy up :D

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Please delete C:\VundoFix Backups
You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
All the programs in this list have a free version.
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Ad-Aware 2007 Free (http://www.lavasoftusa.com/products/ad_aware_free.php) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

cdoggmack
2008-01-16, 15:43
Thanks alot. I appreciate your help. My computer is running great, I ran avg as this morning after booting up and no problems found!