Desktop Infected with TR/cryp.xpack.gen and Others



Rjhem
2008-11-11, 05:55
OK, I have been infected by the following: TR/cryp.xpack.gen, rootkit.gen, av.dat (TR Dropper), and the files Brastk.exe and beep.sys. I have tried different processes on the desktop to remove them (Avira, Spybot, Ad-Aware, Trojan Remover, etc.); they would delete it, and then when I restarted it was back. Also a red box with an X in it at quick start. I took out the hard drive and scanned it as an external drive with my laptop; maybe I have it out now. Just got back up and rescanned. So if someone can review the log file I would greatly appreciate it. Trying not to reformat if possible.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:16 PM, on 11/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\palmOne\LifeDriveMgrTray.exe
C:\Program Files\palmOne\PalmOneLiveConnect.exe
C:\WINNT\system32\faxsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=explorer.exe
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINNT\system32\brastk.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LifeDrive™ Manager.lnk = C:\Program Files\palmOne\LifeDriveMgrTray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Web-Based Email Tools - http://email01.secureserver.net/Download.CAB
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166762007824
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167023014377
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOFHWEDNJ - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\BOFHWEDNJ.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: JEHTM - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\JEHTM.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10992 bytes

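Before reading a HijackThis log by hand, it helps to have a script pick out the entries a responder looks at first. The following is an added example written for this page; it is not part of the original thread and not HijackThis code. It parses a few constructed lines in the HijackThis v2 format, modelled on the log above, and flags services whose binary is missing or lives in a Temp directory, autoruns registered under HKUS\.DEFAULT, and orphaned URLSearchHooks. The line shapes, the Temp-path heuristic and the severity labels are this example's assumptions, not HijackThis features.

```python
"""Triage a HijackThis v2 log: pick out autorun and service entries that warrant
a closer look before anything is fixed.

Added example for this page; not part of the thread and not HijackThis code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis format, modelled on the log posted above
# (a few representative lines, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINNT\system32\brastk.exe (User 'Default user')
O23 - Service: BOFHWEDNJ - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\BOFHWEDNJ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Line shapes as HijackThis v2 prints them (assumed from the log, not from a spec).
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUNKEY_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
HOOK_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>\S+) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)   # any ...\Temp\... path component
RANK = {"high": 3, "medium": 2, "low": 1}


def _binary(cmd: str) -> str:
    """Extract the executable path from a Run-key command line."""
    m = re.match(r'"([^"]+)"', cmd)          # quoted path, arguments follow
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)  # unquoted path up to .exe
    return m.group(1) if m else cmd.split()[0]


def _findings(section: str, owner: Optional[str], hive: Optional[str], path: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one entry; empty means nothing to flag."""
    out = []
    if "(file missing)" in path:
        out.append(("high", "service binary is missing (orphaned entry or self-deleting dropper)"))
    if TEMP_RE.search(path):
        out.append(("high", "binary lives in a Temp directory"))
    if hive and hive.upper().startswith("HKUS\\.DEFAULT"):
        out.append(("medium", "autorun in the default profile runs before any user logs on; unusual for legitimate software"))
    if section == "O23" and owner == "Unknown owner":
        out.append(("low", "no vendor string in the service binary"))
    if path == "(no file)":
        out.append(("low", "orphaned hook: CLSID points at nothing (clean-up item)"))
    return out


def triage_line(line: str) -> Optional[Dict]:
    """Classify one log line; return a finding dict or None if it is unremarkable."""
    line = line.strip()
    for section, rx in (("O23", SERVICE_RE), ("O4", RUNKEY_RE), ("O4", STARTUP_RE), ("R3", HOOK_RE)):
        m = rx.match(line)
        if not m:
            continue
        g = m.groupdict()
        path = g.get("path") or _binary(g["cmd"])
        findings = _findings(section, g.get("owner"), g.get("hive"), path)
        if not findings:
            return None
        worst = max((sev for sev, _ in findings), key=RANK.__getitem__)
        return {"section": section, "name": g["name"], "path": path,
                "severity": worst, "reasons": [why for _, why in findings]}
    return None


def triage(log: str) -> List[Dict]:
    """Triage a whole log, most severe findings first."""
    hits = [h for h in (triage_line(ln) for ln in log.splitlines()) if h]
    return sorted(hits, key=lambda h: -RANK[h["severity"]])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']:<6}] {hit['section']} {hit['name']}: {hit['path']}")
        for why in hit["reasons"]:
            print(f"          - {why}")
```

Run against the full log above, the same rules single out the two services pointing at missing binaries in the user's Temp directory (BOFHWEDNJ and JEHTM), the brastk autorun in the default profile and the two URLSearchHooks with no file, give a low note to the two services with no vendor string, and leave the vendor-attributed entries (Avira, Zone Labs, Lexmark) alone. A flag is a reason to look, not a verdict: a missing-file service can be a leftover from an uninstall, and the decisive check is what the binary is and who signed it.
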
Blade81
2008-11-12, 08:19
Hi

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.

Download ResetTeaTimer.bat to the Desktop:
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and to prevent TeaTimer from restoring them upon reactivation).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Rjhem
2008-11-14, 18:58
OK, I have been out of town the last two days, so now I have time to work on it again. I got to the point of ComboFix. When I clicked on it the first time I got a box that said "Microsoft Outlook, do you want to cancel the send/receive option, yes/no/cancel." Then the software wanted access through ZoneAlarm and wanted to do an update. I allowed all and shut down ZoneAlarm; then ComboFix deleted its icon on the desktop. I reinstalled; now all I get is the Outlook box, and the program runs bars as if opening, but no matter what answer I give the program closes.

Awaiting your reply.

Thanks

Blade81
2008-11-14, 21:46
Hi

Could you try running ComboFix without installing recovery console, please?

Rjhem
2008-11-15, 00:55
Blade81, I uninstalled the Recovery Console, ran it, and get the same deal: blue lines in the box till complete, then the box goes away and the screen flickers, and that's it.

I tried in safe mode also; same thing. I also disabled all startup programs that may interfere.

Next suggestions?

Blade81
2008-11-15, 01:06
Hi

Rename the ComboFix.exe file to ComboFxx.exe and try running the renamed ComboFix again.

Rjhem
2008-11-15, 02:21
Blade81,

The program is running after the name change but seems to be hung up at
C:\32788r22fwjfww\wowerr01 and C:\3...\wowerr.dat

Next?

Thanks

Rjhem
2008-11-15, 02:22
Forgot: it is saying "access is denied".

Blade81
2008-11-15, 02:48
Hi

In which mode did you run renamed ComboFix? Please try in safe mode if you didn't try it yet.

Rjhem
2008-11-15, 02:51
Ran it in normal mode; still running. How do I quit the program safely?

Blade81
2008-11-15, 02:54
Hi

Open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes to see if ComboFix continues. If it doesn't, then just close ComboFix down and try running it in safe mode.

Rjhem
2008-11-15, 03:08
Hi

OK, running in safe mode, and I have a box with "ComboFix has detected the presence of rootkit activity and needs to reboot the machine."

Do I do so, and back in safe mode?

thanks

Rjhem
2008-11-15, 04:09
OK, looking at the clock it is late in your time zone. I am still getting the same "access denied" on the same files, in safe mode.

Thanks

Blade81
2008-11-15, 12:54
Hi

So, did you reboot into safe mode when ComboFix requested a restart?

Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe.
Click the Rootkit tab and then Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log in your reply.

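What to do with the GMER log once it is posted, as an added example written for this page (not GMER's code and not part of the thread): the script below parses a few lines in the GMER 1.0.14 format, taken in shape from the log that appears later in this thread, and sorts hooks into those GMER attributed to a named image with a version-info description (here ZoneAlarm's vsdatant.sys and the Windows shim engine, which is what a firewall and the app-compat layer are expected to do) and those it could not map to any image at all (bare-address SSDT entries, Code lines, inline JMPs in ntoskrnl). It also pairs each inline JMP with the Code line it lands next to, so the two lines are counted as one hook. The line formats, the 16-byte pairing slack and the Hook fields are this example's assumptions.

```python
"""Read a GMER rootkit-scan log and separate hooks GMER could attribute to a named
image from those it could not.

Added example for this page; not part of the thread and not GMER code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in GMER 1.0.14 log format, taken in shape from the log posted
# later in this thread (a few representative lines, not the full scan).
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBB87C930]
SSDT 81434F1C ZwCreateThread
SSDT 81434F08 ZwOpenProcess
SSDT 81434F12 ZwWriteVirtualMemory
Code 813FD5F8 ZwClose
Code 813FD338 ZwCreateSection
.text ntoskrnl.exe!NtClose 8044EAF4 5 Bytes JMP 813FD5FC
PAGE ntoskrnl.exe!NtCreateSection 804CB114 5 Bytes JMP 813FD33C
PAGE ntoskrnl.exe!ZwSetSystemInformation 804924AC 1 Byte [ E9 ]
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BB884CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
"""


@dataclass
class Hook:
    kind: str               # "SSDT", "Code", "inline" or "IAT"
    target: str             # function or import that is diverted
    handler: int            # address control goes to (0 when GMER printed only patch bytes)
    module: Optional[str]   # image GMER named as owning the handler, if any
    desc: str = ""          # GMER's version-info description of that image


# Line shapes assumed from the posted log, not from a GMER specification.
HEX = r"[0-9A-Fa-f]"
SSDT_MOD_RE = re.compile(rf"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+) \[0x(?P<addr>{HEX}+)\]$")
SSDT_BARE_RE = re.compile(rf"^SSDT (?P<addr>{HEX}{{8}}) (?P<func>\w+)$")
CODE_RE = re.compile(rf"^Code (?P<addr>{HEX}{{8}}) (?P<func>\w+)$")
INLINE_RE = re.compile(rf"^(?P<section>\S+) (?P<image>[^\s!]+)(?:!(?P<func>\w+))? (?P<at>{HEX}{{8}}) (?P<n>\d+) Bytes? (?:JMP (?P<jmp>{HEX}{{8}})|\[(?P<bytes>[^\]]*)\])$")
IAT_RE = re.compile(rf"^IAT (?P<victim>.+?) ?\[(?P<import>[^\]]+)\] \[(?P<addr>{HEX}+)\] (?P<module>.+?)(?: \((?P<desc>[^)]*)\))?$")


def parse(log: str) -> List[Hook]:
    """Turn the System / Kernel code / IAT sections of a GMER log into Hook records."""
    hooks: List[Hook] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := SSDT_MOD_RE.match(line):
            hooks.append(Hook("SSDT", m["func"], int(m["addr"], 16), m["module"], m["desc"]))
        elif m := SSDT_BARE_RE.match(line):
            hooks.append(Hook("SSDT", m["func"], int(m["addr"], 16), None))
        elif m := CODE_RE.match(line):
            hooks.append(Hook("Code", m["func"], int(m["addr"], 16), None))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("IAT", m["import"], int(m["addr"], 16), m["module"], m["desc"] or ""))
        elif m := INLINE_RE.match(line):
            name = f"{m['image']}!{m['func']}" if m["func"] else m["image"]
            hooks.append(Hook("inline", name, int(m["jmp"], 16) if m["jmp"] else 0, None))
    return hooks


def attributed(hooks: List[Hook]) -> Dict[str, List[Hook]]:
    """Hooks GMER tied to a named image, grouped by that image."""
    by_mod: Dict[str, List[Hook]] = defaultdict(list)
    for h in hooks:
        if h.module:
            by_mod[h.module].append(h)
    return dict(by_mod)


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose handler GMER could not map to any loaded image."""
    return [h for h in hooks if h.module is None]


def handler_range(hooks: List[Hook]) -> Tuple[int, int]:
    """Lowest and highest handler address among hooks with a decoded destination."""
    addrs = [h.handler for h in hooks if h.handler]
    return (min(addrs), max(addrs)) if addrs else (0, 0)


def correlate(hooks: List[Hook], slack: int = 0x10) -> List[Tuple[str, str, int]]:
    """Pair each inline JMP with the Code line whose address it lands within `slack`
    bytes of: in the posted log NtClose jumps to 813FD5FC and the Code line for
    ZwClose is 813FD5F8, so the two lines describe one hook, not two."""
    code = [h for h in hooks if h.kind == "Code"]
    pairs = []
    for h in hooks:
        if h.kind != "inline" or not h.handler:
            continue
        for c in code:
            if 0 <= h.handler - c.handler <= slack:
                pairs.append((h.target, c.target, h.handler))
    return pairs


if __name__ == "__main__":
    hooks = parse(SAMPLE_GMER)
    for mod, hs in attributed(hooks).items():
        print(f"attributed: {mod} ({hs[0].desc}) hooks {', '.join(h.target for h in hs)}")
    un = unattributed(hooks)
    lo, hi = handler_range(un)
    print(f"unattributed: {len(un)} hooks, handlers in {lo:08X}-{hi:08X}")
    for h in un:
        print(f"  {h.kind:<6} {h.target} -> {h.handler:08X}")
    for inline, code, addr in correlate(hooks):
        print(f"  {inline} and Code {code} are the same hook at {addr:08X}")
```

On the full log the unattributed set is the five bare SSDT entries (ZwCreateThread, ZwOpenProcess, ZwOpenThread, ZwTerminateProcess, ZwWriteVirtualMemory), the five Code lines and the inline patches on ntoskrnl.exe and Fastfat.SYS, all with handlers in a narrow range of kernel addresses that GMER ties to no driver; that is the set to investigate. A firewall that hooks the SSDT and NDIS is normal, which is why a responder reads the module and vendor column before the function name rather than counting hooks.
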
Rjhem
2008-11-15, 18:15
Good day. Yes, I rebooted in safe mode and it still hung at the same place, and I also had some files in the first batch that did not have permissions.

I then took out all the directories that ComboFix installed and reloaded the program. I did not do the update this time and had the same results.

I am now going to work on the new file and see what I get, and will forward the information back to you.

Thanks

Rjhem
2008-11-15, 19:05
Here is the log data.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-14 22:54:04
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBB880040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBB87C930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xBB887A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xBB880510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBB886870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBB889FD0]
SSDT 81434F1C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xBB880600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBB87CF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBB8886E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xBB888440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBB886580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBB8888B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBB87CD70]
SSDT 81434F08 ZwOpenProcess
SSDT 81434F0D ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBB888CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBB87FC00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xBB889080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBB880220]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBB87D120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xBB888140]
SSDT 81434F17 ZwTerminateProcess
SSDT 81434F12 ZwWriteVirtualMemory

Code 813FD5F8 ZwClose
Code 813FD338 ZwCreateSection
Code 813FD1B8 ZwSetInformationFile
Code 81407D38 ZwSetSystemInformation
Code 813FD4B8 ZwWriteFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!NtClose 8044EAF4 5 Bytes JMP 813FD5FC
PAGE ntoskrnl.exe!ZwSetSystemInformation 804924AC 1 Byte [ E9 ]
PAGE ntoskrnl.exe!ZwSetSystemInformation + 2 804924AE 3 Bytes [ 58, F7, 00 ]
PAGE ntoskrnl.exe!IoCreateFile 8049F652 4 Bytes JMP 813FD73C
PAGE ntoskrnl.exe!NtSetInformationFile 804A93BA 5 Bytes JMP 813FD1BC
PAGE ntoskrnl.exe!NtWriteFile 804AB47E 5 Bytes JMP 813FD4BC
PAGE ntoskrnl.exe!NtCreateSection 804CB114 5 Bytes JMP 813FD33C
? srescan.sys The system cannot find the file specified. !
PAGE Fastfat.SYS BB049EB2 5 Bytes JMP 813FC01C

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BB884CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BB884E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BB8851C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BB885320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BB884CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BB8851C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BB885320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BB884E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BB884CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BB885320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BB8851C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [BB892330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [BB87D670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [BB87D5C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [BB87D770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [BB87D2D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \FileSystem\Fastfat \Fat Code 813FC018

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- EOF - GMER 1.0.14 ----
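
A helper reading the GMER output above is really asking one question of the IAT section: which module owns each hook, and is that module expected? The following Python is an added example, not part of this thread or of GMER: it parses GMER IAT lines, groups them by the module that owns the hook, and flags owners that are not the Microsoft application-compatibility shim engine (shim.dll and AcLayers.DLL, which the log above identifies by their version info) or that hook imports such a shim would not touch. The first five sample lines are copied from the log above; the two hypothetical_*.dll lines, the allowlist of expected imports and the %SystemRoot% paths are constructed assumptions, not anything GMER reported on this machine.

```python
"""Triage the IAT section of a GMER log: group hooks by the module that owns the
hook target and flag owners that do not look like the Windows AppCompat shim engine."""
import re
from collections import defaultdict

# One GMER IAT line:
#   IAT <process>[<pid>] @ <hooked module> [<import dll>!<function>] [<addr>] <owner> (<description>/<vendor>)
# The trailing "(description/vendor)" is absent when the owner carries no version info.
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?\s*$"
)

# ASSUMPTION: an applied AppCompat layer hooks only the loader and process-creation
# imports; anything else hooked from the same owner deserves a look.
EXPECTED_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                  "GetProcAddress", "FreeLibrary", "CreateProcessA", "CreateProcessW"}
SYSTEM_ROOTS = ("c:\\winnt\\", "c:\\windows\\")  # assumed system roots (W2K / XP+)

# Sample input: first five lines copied from the GMER log in this thread; the last two
# are CONSTRUCTED with hypothetical module names to exercise the flagging path.
SAMPLE_LOG = r"""
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [WS2_32.dll!send] [00AB1234] C:\WINNT\system32\hypothetical_hook.dll
IAT C:\WINNT\Explorer.EXE[1892] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [00AB5678] C:\Documents and Settings\user\hypothetical.dll (Some Tool/Example Vendor)
"""


def parse_iat_lines(text):
    """Return one dict per IAT line; non-IAT lines (headers, blanks) are skipped."""
    hooks = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dll"], d["func"] = d["dll"].strip(), d["func"].strip()
            hooks.append(d)
    return hooks


def triage(hooks):
    """Group hooks by owner path. Each finding records the hooked functions, the
    modules whose IATs were patched, the owner's version info and a list of
    reasons it is suspicious (an empty list means 'looks like an AppCompat shim')."""
    by_owner = defaultdict(lambda: {"funcs": set(), "modules": set(),
                                    "vendor": None, "desc": None, "reasons": []})
    for h in hooks:
        f = by_owner[h["target"]]
        f["funcs"].add(h["func"])
        f["modules"].add(h["module"])
        f["vendor"], f["desc"] = h["vendor"], h["desc"]
    for owner, f in by_owner.items():
        if not f["vendor"]:
            f["reasons"].append("no version info (GMER printed no description/vendor)")
        elif "microsoft" not in f["vendor"].lower():
            f["reasons"].append("vendor is not Microsoft: %s" % f["vendor"])
        if not owner.lower().startswith(SYSTEM_ROOTS):
            f["reasons"].append("hook owner lives outside %SystemRoot%")
        unexpected = f["funcs"] - EXPECTED_FUNCS
        if unexpected:
            f["reasons"].append("hooks imports a shim would not: " + ", ".join(sorted(unexpected)))
    return dict(by_owner)


def flagged_targets(findings):
    """Sorted owner paths that have at least one reason to be flagged."""
    return sorted(t for t, f in findings.items() if f["reasons"])


def report(findings):
    lines = []
    for owner in sorted(findings):
        f = findings[owner]
        status = "FLAG" if f["reasons"] else "ok  "
        lines.append("%s %s  funcs=%s  modules=%d  vendor=%s" % (
            status, owner, ",".join(sorted(f["funcs"])), len(f["modules"]), f["vendor"]))
        for r in f["reasons"]:
            lines.append("       - " + r)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_iat_lines(SAMPLE_LOG))))
```

The point of grouping by owner rather than by hooked module is that one hooking DLL patching the same four or five loader imports in every module of a process (as shim.dll does across OLE32, NETAPI32, WS2_32, USERENV, WININET and CRYPT32 above) is one fact, not thirty; the noise collapses and what remains is whatever owner fails the checks.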

Blade81
2008-11-15, 20:01
Hi

Run ComboFix using these instructions:

1. Ensure that combofix.exe (or combofxx.exe) is on your desktop.
2. Make sure you save and close ALL open windows and programs that you are running in the taskbar as combofix will attempt to end all non-windows processes for a faster and more successful cleaning.

Click start > run > copy and paste (replace combofix.exe with combofxx.exe if combofix is renamed):

"%userprofile%\desktop\combofix.exe" /killall

Rjhem
2008-11-15, 21:30
Hi,

I ran ComboFix again as instructed, in regular mode and in safe mode. I still get the same results: it hangs up after process 50 on the same file, access denied.

thanks

Blade81
2008-11-16, 10:38
Hi

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

What was the file that hangs the scan?

Rjhem
2008-11-16, 23:12
Blade81

Hi, I had run the Malwarebytes program before I sent in the file and/or joined the forum on the 10th. I will paste that log and the one from today's scan.

The files that will not run in the ComboFix program are

"C:\32788r22fwjfww\wowerr01" and "C:\3...\wowerr.dat". It is after process 50. There are some other files that will not run at the beginning that all say access denied.


Thanks

Malwarebytes' Anti-Malware 1.30
Database version: 1381
Windows 5.0.2195 Service Pack 4

11/10/2008 11:52:43 PM
mbam-log-2008-11-10 (23-52-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109865
Time elapsed: 1 hour(s), 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\wini108013.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\TDSShnkg.dll (Rootkit.Agent) -> Quarantined and deleted successfully.




Malwarebytes' Anti-Malware 1.30
Database version: 1402
Windows 5.0.2195 Service Pack 4

2008-11-16 14:59:16
mbam-log-2008-11-16 (14-59-16).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 124705
Time elapsed: 4 hour(s), 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Blade81
2008-11-17, 08:59
Hi

Could you see if there's any kind of log created in c:\ComboFix.txt file? Does any ComboFix?.txt file (? = some number) exist in c:\ComboFix (or c:\ComboFxx) folder?

Rjhem
2008-11-17, 16:39
This is the last attempt.

Thanks

08-11-12.02 - Mitch 2008-11-15 1:47:28.11 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.319 [GMT -6:00]
Running from: C:\Documents and Settings\Mitch\desktop\combofxx.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
/wow section - STAGE 50
Access is denied.
SED: file run.sed line 1: unknown command: `"'
[vfind, 5.2 2002-11-15]

Access is denied.

ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
/wow section - STAGE 50
Access is denied.

Blade81
2008-11-17, 18:41
Hi

Please go to http://www.bleepingcomputer.com/submit-malware.php?channel=4 address.

Fill the 'Link to topic where this file was requested' field with http://forums.spybot.info/showthread.php?t=36288

Then, before clicking the 'send file' button, browse to the C:\ComboFix_error.dat file.

Click 'send file' and let me know when you've done it.

Rjhem
2008-11-17, 18:54
Blade81

the file is submitted

Thanks

Blade81
2008-11-17, 19:12
Thanks. I'll get back to you asap :)

Blade81
2008-11-18, 07:27
Hi

Delete following folders and then try running ComboFix again:
C:\32788R22FWJFW
C:\QooBox\LastRun

Rjhem
2008-11-25, 15:40
Hi, sorry for the delay; I have been away from the desktop. I finally got this to run after deleting the files or folders, then changing the permissions after the file started running in safe mode. I was still getting access denied for permission.

But anyhow, here is the log file.

ComboFix 08-11-24.01 - Administrator 2008-11-24 23:37:51.14 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.407 [GMT -6:00]
Running from: c:\documents and settings\Mitch\My Documents\Zip Programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-24 23:41 . 08-11-24 23:41 281 --a------ C:\temp00.dat
2008-11-24 23:36 . 08-11-24 23:36 <DIR> d-a------ C:\ComboFix
2008-11-24 23:36 . 08-11-24 23:36 0 --a------ C:\__tmp_rar_sfx_access_check_455044
2008-11-24 23:04 . 08-11-24 23:04 0 --a------ C:\__tmp_rar_sfx_access_check_333409
2008-11-24 22:48 . 08-11-24 22:48 0 --a------ C:\__tmp_rar_sfx_access_check_45026434
2008-11-24 22:44 . 08-11-24 22:44 0 --a------ C:\__tmp_rar_sfx_access_check_44826627
2008-11-20 09:27 . 08-11-20 09:27 <DIR> d-------- C:\MSI9da38.tmp
2008-11-18 09:12 . 08-11-18 09:12 <DIR> d-------- C:\MSIdeefa.tmp
2008-11-16 12:50 . 08-11-16 12:50 0 --a------ C:\25B.tmp
2008-11-16 12:50 . 08-11-16 12:50 0 --a------ C:\258.tmp
2008-11-16 12:50 . 08-11-16 12:50 0 --a------ C:\255.tmp
2008-11-16 12:38 . 08-11-16 12:41 0 --a------ C:\21D.tmp
2008-11-16 12:08 . 08-11-16 12:08 0 --a------ C:\7F.tmp
2008-11-16 11:49 . 08-11-17 20:51 <DIR> d-------- c:\winnt\system32\ActiveScan
2008-11-16 11:49 . 08-11-16 11:49 30,590 --a------ c:\winnt\system32\pavas.ico
2008-11-15 22:39 . 08-11-15 22:39 <DIR> d-------- c:\program files\Avira
2008-11-15 22:39 . 08-11-15 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-15 06:23 . 08-11-15 06:23 <DIR> d-------- c:\program files\Avira GmbH
2008-11-15 04:35 . 08-11-15 04:35 <DIR> d-------- C:\MSI1d880.tmp
2008-11-15 01:46 . 08-11-15 01:46 0 --a------ C:\__tmp_rar_sfx_access_check_298849
2008-11-15 01:44 . 08-11-15 01:44 0 --a------ C:\__tmp_rar_sfx_access_check_178907
2008-11-15 01:19 . 08-11-15 01:19 0 --a------ C:\__tmp_rar_sfx_access_check_498226
2008-11-15 01:17 . 08-11-15 01:17 0 --a------ C:\__tmp_rar_sfx_access_check_360278
2008-11-15 01:03 . 08-11-15 01:03 0 --a------ C:\__tmp_rar_sfx_access_check_483905
2008-11-15 00:45 . 08-11-15 00:45 0 --a------ C:\__tmp_rar_sfx_access_check_699065
2008-11-15 00:43 . 08-11-15 00:43 0 --a------ C:\__tmp_rar_sfx_access_check_624357
2008-11-15 00:23 . 08-11-15 00:23 0 --a------ C:\__tmp_rar_sfx_access_check_677914
2008-11-14 22:09 . 08-11-14 22:09 250 --a------ c:\winnt\gmer.ini
2008-11-14 17:58 . 08-11-14 17:58 0 --a------ C:\__tmp_rar_sfx_access_check_296306
2008-11-14 17:52 . 08-11-14 17:52 0 --a------ C:\__tmp_rar_sfx_access_check_944508
2008-11-14 17:52 . 08-11-14 17:52 0 --a------ C:\__tmp_rar_sfx_access_check_910288
2008-11-14 17:49 . 08-11-14 17:49 0 --a------ C:\__tmp_rar_sfx_access_check_724421
2008-11-14 17:45 . 08-11-14 17:45 0 --a------ C:\__tmp_rar_sfx_access_check_517454
2008-11-14 17:40 . 08-11-14 17:40 0 --a------ C:\__tmp_rar_sfx_access_check_201359
2008-11-14 17:21 . 08-11-24 23:16 59,760 --a------ C:\ComboFix_error.dat
2008-11-14 17:18 . 08-11-24 23:37 0 --a------ C:\test0123
2008-11-14 17:16 . 08-11-14 17:16 0 --a------ C:\__tmp_rar_sfx_access_check_1931357
2008-11-14 16:49 . 08-11-14 16:49 0 --a------ C:\__tmp_rar_sfx_access_check_293792
2008-11-14 16:43 . 08-11-24 22:52 1,199,212 ---h----- c:\winnt\ShellIconCache
2008-11-14 16:34 . 08-11-14 16:34 0 --a------ C:\__tmp_rar_sfx_access_check_326819
2008-11-14 11:52 . 08-11-14 11:52 0 --a------ C:\__tmp_rar_sfx_access_check_582547
2008-11-14 11:37 . 08-11-14 11:37 0 --a------ C:\__tmp_rar_sfx_access_check_842651
2008-11-14 11:33 . 08-11-14 11:33 0 --a------ C:\__tmp_rar_sfx_access_check_650956
2008-11-14 10:56 . 08-11-14 10:56 0 --a------ C:\__tmp_rar_sfx_access_check_9993409
2008-11-14 10:55 . 08-11-14 10:55 0 --a------ C:\__tmp_rar_sfx_access_check_9936457
2008-11-14 10:41 . 08-11-24 23:36 194 --a------ C:\Start_.cmd
2008-11-14 07:04 . 08-11-14 07:04 0 --a------ C:\__tmp_rar_sfx_access_check_282746
2008-11-14 07:03 . 08-11-14 07:03 0 --a------ C:\__tmp_rar_sfx_access_check_222129
2008-11-14 06:00 . 08-11-14 06:00 0 --a------ C:\__tmp_rar_sfx_access_check_400305
2008-11-14 05:59 . 08-11-14 05:59 0 --a------ C:\__tmp_rar_sfx_access_check_371053
2008-11-11 08:01 . 08-11-11 08:00 410,976 --a------ c:\winnt\system32\deploytk.dll
2008-11-11 08:00 . 08-11-11 08:00 <DIR> d-------- C:\MSI9f2aa.tmp
2008-11-11 08:00 . 08-11-11 08:00 <DIR> d-------- C:\MSI355dc.tmp
2008-11-11 07:57 . 08-11-11 08:00 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-11 07:52 . 08-11-11 07:52 <DIR> d-------- C:\MSI2ad4e.tmp
2008-11-10 19:56 . 08-11-10 19:56 <DIR> d-------- c:\documents and settings\Mitch\Application Data\Malwarebytes
2008-11-10 19:56 . 08-10-22 16:10 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-10 19:56 . 08-10-22 16:10 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-11-10 19:55 . 08-11-16 13:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 19:55 . 08-11-10 19:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-10 10:10 . 08-11-10 10:10 <DIR> d-------- c:\program files\Black List Software
2008-11-10 09:53 . 01-05-08 06:00 4,080 --a--c--- c:\winnt\system32\dllcache\beep.sys.vir
2008-11-09 22:56 . 08-11-10 20:08 81,984 --a------ c:\winnt\system32\bdod.bin
2008-11-09 22:48 . 08-11-24 23:47 335 --a------ c:\winnt\system32\vsconfig.xml
2008-11-09 22:22 . 08-11-16 08:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 19:23 . 08-11-10 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-11-09 19:22 . 08-11-10 21:06 <DIR> d-------- c:\program files\Common Files\Softwin
2008-11-09 18:38 . 08-11-09 18:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-09 16:02 . 08-11-09 16:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 22:31 . 08-11-16 13:22 <DIR> d-------- c:\program files\Trojan Remover
2008-11-08 16:48 . 08-11-10 11:01 527 --a------ c:\winnt\system32\TDSSupoj.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 01:50 --------- d---a-w c:\documents and settings\Mitch\Application Data\WeatherBug
2008-11-24 23:53 --------- d-----w c:\documents and settings\Darlene\Application Data\WeatherBug
2008-11-24 16:11 --------- d-----w c:\program files\palmOne
2008-11-20 15:32 --------- d-----w c:\program files\EarthLink TotalAccess
2008-11-20 15:27 --------- d-----w c:\program files\Common Files\EarthLink
2008-11-17 05:26 --------- d-----w c:\program files\Viewpoint
2008-11-17 05:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 19:21 --------- d-----w c:\program files\TomTom HOME 2
2008-11-16 19:01 --------- d-----w c:\program files\Lexmark 1200 Series
2008-11-16 18:54 --------- d-----w c:\program files\Google
2008-11-16 18:50 --------- d-----w c:\program files\Common Files\Command Software
2008-11-16 18:41 --------- d-----w c:\program files\7-Zip
2008-11-16 18:18 --------- d---a-w c:\documents and settings\All Users\Application Data\MailFrontier
2008-11-16 18:08 --------- d-----w c:\program files\Common Files\DataViz
2008-11-16 18:07 --------- d-----w c:\program files\Active Ports
2008-11-15 12:54 470,528 ----a-w c:\winnt\Internet Logs\xDB4.tmp
2008-11-15 12:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-15 07:55 1,556,288 ----a-w c:\winnt\Internet Logs\tvDebug.zip
2008-11-14 22:41 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 21:40 --------- d-----w c:\documents and settings\Jimmy\Application Data\WeatherBug
2008-11-12 14:49 --------- d-----w c:\program files\Documents To Go
2008-11-12 03:52 1,367,552 ----a-w c:\winnt\Internet Logs\xDB3.tmp
2008-11-11 16:12 1,373,696 ----a-w c:\winnt\Internet Logs\xDB2.tmp
2008-11-11 14:00 --------- d-----w c:\program files\Java
2008-11-11 01:56 --------- d-----w c:\program files\Trend Micro
2008-11-11 01:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-09 22:10 45,056 ----a-w c:\winnt\Internet Logs\xDB1.tmp
2008-11-09 22:06 --------- d-----w c:\program files\Lavasoft
2008-11-09 04:31 --------- d-----w c:\documents and settings\Mitch\Application Data\Simply Super Software
2008-10-16 20:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\winnt\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\winnt\system32\muweb.dll
2008-10-10 15:23 --------- d-----w c:\documents and settings\Default User\Application Data\Intuit
2008-10-09 00:23 --------- d-----w c:\program files\hp deskjet 950c series
2008-10-07 23:04 --------- d-----w c:\program files\OpenOffice.org 3
2008-10-07 18:04 1,901 ----a-w c:\winnt\panose.bin
2008-10-07 11:57 --------- d-----w c:\documents and settings\Mitch\Application Data\OpenOffice.org
2008-10-07 03:18 34,816 ----a-w c:\winnt\system32\Dlportio.dll
2008-10-07 03:18 3,584 ----a-w c:\winnt\Dlportio.sys
2008-10-07 03:18 27,460 ----a-w c:\winnt\system32\loaddrv.exe
2008-10-01 00:22 --------- d-----w c:\program files\Windows Live Safety Center
2008-09-30 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-09-30 22:43 1,286,152 ----a-w c:\winnt\system32\msxml4.dll
2008-09-30 21:48 20,623 ----a-w c:\winnt\system32\drivers\USB.INF
2008-09-30 21:16 93,360 ----a-w c:\winnt\system32\drivers\ndiswan.sys
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\system32\WIN32K.SYS
2008-09-08 08:14 1,121,280 ----a-w c:\winnt\system32\msxml3.dll
2008-09-03 15:19 124 ----a-w c:\documents and settings\Mitch\Application Data\ftpfile.dat
2007-05-30 03:12 92,064 ----a-w c:\documents and settings\Mitch\mqdmmdm.sys
2007-05-30 03:12 9,232 ----a-w c:\documents and settings\Mitch\mqdmmdfl.sys
2007-05-30 03:12 79,328 ----a-w c:\documents and settings\Mitch\mqdmserd.sys
2007-05-30 03:12 66,656 ----a-w c:\documents and settings\Mitch\mqdmbus.sys
2007-05-30 03:12 6,208 ----a-w c:\documents and settings\Mitch\mqdmcmnt.sys
2007-05-30 03:12 5,936 ----a-w c:\documents and settings\Mitch\mqdmwhnt.sys
2007-05-30 03:12 4,048 ----a-w c:\documents and settings\Mitch\mqdmcr.sys
2007-05-30 03:12 25,600 ----a-w c:\documents and settings\Mitch\usbsermptxp.sys
2007-05-30 03:12 22,768 ----a-w c:\documents and settings\Mitch\usbsermpt.sys
2006-12-22 03:59 271 ---h--w c:\program files\desktop.ini
2006-12-22 03:59 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2006-12-21 21:33 1,894 --sha-w c:\winnt\rreg32.dll
2006-12-21 21:33 5,482 --sha-w c:\winnt\utapi32.dll
2008-02-16 04:59 88 --sh--r c:\winnt\system32\8F2E2DE3A7.sys
2008-02-16 04:59 2,672 --sha-w c:\winnt\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Mitch\Start Menu\Programs\Startup\
LifeDriveT Manager.lnk - c:\program files\palmOne\LifeDriveMgrTray.exe [2005-04-21 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-24 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\winnt\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe"

.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\winnt\Tasks\SyncBack Darlene Sync.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-13 c:\winnt\Tasks\SyncBack Mitch Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-12 c:\winnt\Tasks\SyncBack Palm Documents.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-08 c:\winnt\Tasks\SyncBack PeachTree Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Send to &Bluetooth Device... - c:\program files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
LSP: %SystemRoot%\system32\msafd.dll

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\winnt\Downloaded Program Files\oscan81.ocx_x - c:\winnt\bdoscandellang.ini
c:\winnt\bdoscandel.exe
c:\winnt\Downloaded Program Files\live.ini
c:\winnt\Downloaded Program Files\scanoptions.tsi
c:\winnt\Downloaded Program Files\lang.ini
c:\winnt\Downloaded Program Files\ipsupd.dll
c:\winnt\Downloaded Program Files\bdupd.dll
c:\winnt\Downloaded Program Files\libfn.dll
c:\winnt\Downloaded Program Files\bdcore.dll
c:\winnt\Downloaded Program Files\oscan8.ocx
c:\winnt\Downloaded Program Files\CONFLICT.1\oscan81.ocx_x
c:\winnt\Downloaded Program Files\CONFLICT.1\live.ini
c:\winnt\Downloaded Program Files\CONFLICT.1\scanoptions.tsi
c:\winnt\Downloaded Program Files\CONFLICT.1\lang.ini
c:\winnt\Downloaded Program Files\CONFLICT.1\ipsupd.dll
c:\winnt\Downloaded Program Files\CONFLICT.1\bdupd.dll
c:\winnt\Downloaded Program Files\CONFLICT.1\libfn.dll
c:\winnt\Downloaded Program Files\CONFLICT.1\bdcore.dll
c:\winnt\Downloaded Program Files\CONFLICT.1\oscan8.ocx
O16 -: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
c:\winnt\Downloaded Program Files\CONFLICT.1\oscan8.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 07:25:39
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(220)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(260)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-11-25 7:33:22 - machine was rebooted [Mitch]
ComboFix-quarantined-files.txt 2008-11-25 13:33:12

Pre-Run: 2,165,829,632 bytes free
Post-Run: 2,084,270,080 bytes free

258 --- E O F --- 2008-11-09 09:00:48

Blade81
2008-11-25, 17:55
Hi

Please do following in normal mode if possible.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\temp00.dat
C:\__tmp_rar_sfx_access_check_455044
C:\__tmp_rar_sfx_access_check_333409
C:\__tmp_rar_sfx_access_check_45026434
C:\__tmp_rar_sfx_access_check_44826627
C:\25B.tmp
C:\258.tmp
C:\255.tmp
C:\21D.tmp
C:\7F.tmp
C:\__tmp_rar_sfx_access_check_298849
C:\__tmp_rar_sfx_access_check_178907
C:\__tmp_rar_sfx_access_check_498226
C:\__tmp_rar_sfx_access_check_360278
C:\__tmp_rar_sfx_access_check_483905
C:\__tmp_rar_sfx_access_check_699065
C:\__tmp_rar_sfx_access_check_624357
C:\__tmp_rar_sfx_access_check_677914
C:\__tmp_rar_sfx_access_check_296306
C:\__tmp_rar_sfx_access_check_944508
C:\__tmp_rar_sfx_access_check_910288
C:\__tmp_rar_sfx_access_check_724421
C:\__tmp_rar_sfx_access_check_517454
C:\__tmp_rar_sfx_access_check_201359
C:\test0123
C:\__tmp_rar_sfx_access_check_1931357
C:\__tmp_rar_sfx_access_check_293792
C:\__tmp_rar_sfx_access_check_326819
C:\__tmp_rar_sfx_access_check_582547
C:\__tmp_rar_sfx_access_check_842651
C:\__tmp_rar_sfx_access_check_650956
C:\__tmp_rar_sfx_access_check_9993409
C:\__tmp_rar_sfx_access_check_9936457
C:\Start_.cmd
C:\__tmp_rar_sfx_access_check_282746
C:\__tmp_rar_sfx_access_check_222129
C:\__tmp_rar_sfx_access_check_400305
C:\__tmp_rar_sfx_access_check_371053
c:\winnt\system32\dllcache\beep.sys.vir
c:\winnt\system32\TDSSupoj.dat

Folder::
C:\MSI9da38.tmp
C:\MSIdeefa.tmp
C:\MSI1d880.tmp
C:\MSI9f2aa.tmp
C:\MSI355dc.tmp
C:\MSI2ad4e.tmp

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
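
An added example (not code from any post in this thread, nor from ComboFix or HijackThis): a small parser that applies, to the service lines of ComboFix and HijackThis logs like the ones posted here, the same checks a helper makes by eye, flagging services whose binary sits in a user's Temp folder, whose file is already missing, or whose name is a random run of capital letters. The sample log text is constructed from the kinds of lines that appear in this thread.

```python
"""Flag suspicious service entries in ComboFix / HijackThis log text (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the ComboFix service list and the HijackThis
# O23 lines posted in this thread (not a copy of any post's log).
SAMPLE_LOG = r"""
R2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" [2005-01-26 65604]
S3 SetupSys;Conexant Setup API;c:\winnt\system32\drivers\SetupSys.sys [2006-12-29 8811]
S3 ITFYXQFNUTBQRQ;ITFYXQFNUTBQRQ;c:\docume~1\Mitch\LOCALS~1\Temp\ITFYXQFNUTBQRQ.exe []
S4 JEHTM;JEHTM;c:\docume~1\Mitch\LOCALS~1\Temp\JEHTM.exe []
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: KGHLVNHB - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\KGHLVNHB.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
"""


@dataclass
class ServiceEntry:
    source: str            # "combofix" or "hjt"
    name: str
    path: str
    file_present: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A binary under a Temp folder is enough on its own; otherwise require a
        # random-looking name together with a missing file (the leftovers seen here).
        return "temp-path" in self.reasons or {"random-name", "file-missing"} <= set(self.reasons)


# ComboFix service line: "S3 Name;Display Name;path [date size]" ("[]" when the file could not be read)
_CF_LINE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<tail>.*)$")
_CF_TAIL = re.compile(r'^"?(?P<path>.*?)"?\s*\[(?P<info>[^\]]*)\]\s*$')
_HJT_PREFIX = "O23 - Service: "


def _random_name(name: str) -> bool:
    """Heuristic: five or more capital letters with few vowels, e.g. KGHLVNHB."""
    m = re.search(r"\(([^)]+)\)\s*$", name)   # HJT prints "Display Name (ShortName)"
    short = m.group(1) if m else name
    if len(short) < 5 or not short.isalpha() or not short.isupper():
        return False
    vowels = sum(ch in "AEIOU" for ch in short)
    return vowels / len(short) < 0.3


def parse_line(line: str):
    """Return a ServiceEntry for a ComboFix service line or an HJT O23 line, else None."""
    line = line.strip()
    m = _CF_LINE.match(line)
    if m:
        t = _CF_TAIL.match(m.group("tail"))
        if not t:
            return None
        return ServiceEntry("combofix", m.group("name"), t.group("path"), bool(t.group("info").strip()))
    if line.startswith(_HJT_PREFIX):
        # Display names may themselves contain " - ", so split from the right.
        parts = line[len(_HJT_PREFIX):].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, _owner, path = parts
        missing = path.endswith("(file missing)")
        if missing:
            path = path[: -len("(file missing)")].strip()
        return ServiceEntry("hjt", name, path, not missing)
    return None


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an analyst would note for this entry."""
    if re.search(r"\\temp\\", entry.path, re.IGNORECASE):
        entry.reasons.append("temp-path")
    if not entry.file_present:
        entry.reasons.append("file-missing")
    if _random_name(entry.name):
        entry.reasons.append("random-name")
    return entry


def suspicious_services(log_text: str) -> list:
    """Parse every service line in the log text and return the suspicious entries."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).suspicious:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_LOG):
        print(f"{e.source:8} {e.name:16} {e.path}  [{', '.join(e.reasons)}]")
```

The benign entries in the sample (a Lexmark service, a missing but normally named Java service) are left alone, which is the point of requiring more than one indicator.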

Rjhem
2008-11-26, 04:43
Ok, it still would not run in normal mode; I had to run it in safe mode using the same procedure I used last time. When in normal mode it pings an address, 208.43.120.24, and then wants to do an update at address 209.85.176.99 to download combofix.download.exe. Then if you run that it shuts down and does nothing. If I allow the ping but not the update it runs up to the 50 line and hangs at the same place. When in safe mode it will run. ?

Kaspersky scan ran clean,

Thanks

Following are the logs.

combofix.

ComboFix 08-11-24.03 - Administrator 2008-11-25 11:56:40.18 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.386 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\__tmp_rar_sfx_access_check_178907
C:\__tmp_rar_sfx_access_check_1931357
C:\__tmp_rar_sfx_access_check_201359
C:\__tmp_rar_sfx_access_check_222129
C:\__tmp_rar_sfx_access_check_282746
C:\__tmp_rar_sfx_access_check_293792
C:\__tmp_rar_sfx_access_check_296306
C:\__tmp_rar_sfx_access_check_298849
C:\__tmp_rar_sfx_access_check_326819
C:\__tmp_rar_sfx_access_check_333409
C:\__tmp_rar_sfx_access_check_360278
C:\__tmp_rar_sfx_access_check_371053
C:\__tmp_rar_sfx_access_check_400305
C:\__tmp_rar_sfx_access_check_44826627
C:\__tmp_rar_sfx_access_check_45026434
C:\__tmp_rar_sfx_access_check_455044
C:\__tmp_rar_sfx_access_check_483905
C:\__tmp_rar_sfx_access_check_498226
C:\__tmp_rar_sfx_access_check_517454
C:\__tmp_rar_sfx_access_check_582547
C:\__tmp_rar_sfx_access_check_624357
C:\__tmp_rar_sfx_access_check_650956
C:\__tmp_rar_sfx_access_check_677914
C:\__tmp_rar_sfx_access_check_699065
C:\__tmp_rar_sfx_access_check_724421
C:\__tmp_rar_sfx_access_check_842651
C:\__tmp_rar_sfx_access_check_910288
C:\__tmp_rar_sfx_access_check_944508
C:\__tmp_rar_sfx_access_check_9936457
C:\__tmp_rar_sfx_access_check_9993409
C:\21D.tmp
C:\255.tmp
C:\258.tmp
C:\25B.tmp
C:\7F.tmp
C:\Start_.cmd
C:\temp00.dat
C:\test0123
c:\winnt\system32\dllcache\beep.sys.vir
c:\winnt\system32\TDSSupoj.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Start_.cmd
C:\test0123
C:\MSI1d880.tmp . . . . failed to delete
C:\MSI9f2aa.tmp . . . . failed to delete
C:\MSIdeefa.tmp . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-25 11:58 . 08-11-25 11:58 267 --a------ C:\temp00.dat
2008-11-25 11:55 . 08-11-25 11:55 <DIR> d-a------ C:\ComboFix
2008-11-25 11:55 . 08-11-25 11:55 0 --a------ C:\__tmp_rar_sfx_access_check_1503692
2008-11-25 11:41 . 08-11-25 11:41 0 --a------ C:\__tmp_rar_sfx_access_check_668541
2008-11-25 11:16 . 08-11-25 11:16 0 --a------ C:\__tmp_rar_sfx_access_check_1288042
2008-11-25 10:37 . 08-11-25 10:37 0 --a------ C:\__tmp_rar_sfx_access_check_39215899
2008-11-25 10:36 . 08-11-25 10:36 0 --a------ C:\__tmp_rar_sfx_access_check_39128203
2008-11-25 10:32 . 08-11-25 10:32 0 --a------ C:\__tmp_rar_sfx_access_check_38891793
2008-11-25 10:23 . 08-11-25 10:23 0 --a------ C:\__tmp_rar_sfx_access_check_38395449
2008-11-25 10:23 . 08-11-25 10:23 0 --a------ C:\__tmp_rar_sfx_access_check_38349914
2008-11-25 10:19 . 08-11-25 10:19 0 --a------ C:\__tmp_rar_sfx_access_check_38135736
2008-11-18 09:12 . 08-11-18 09:12 <DIR> d-------- C:\MSIdeefa.tmp
2008-11-16 11:49 . 08-11-17 20:51 <DIR> d-------- c:\winnt\system32\ActiveScan
2008-11-16 11:49 . 08-11-16 11:49 30,590 --a------ c:\winnt\system32\pavas.ico
2008-11-15 22:39 . 08-11-15 22:39 <DIR> d-------- c:\program files\Avira
2008-11-15 22:39 . 08-11-15 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-15 06:23 . 08-11-15 06:23 <DIR> d-------- c:\program files\Avira GmbH
2008-11-15 04:35 . 08-11-15 04:35 <DIR> d-------- C:\MSI1d880.tmp
2008-11-14 22:09 . 08-11-14 22:09 250 --a------ c:\winnt\gmer.ini
2008-11-14 17:21 . 08-11-25 11:49 63,912 --a------ C:\ComboFix_error.dat
2008-11-14 16:43 . 08-11-25 11:06 1,195,100 ---h----- c:\winnt\ShellIconCache
2008-11-11 08:01 . 08-11-11 08:00 410,976 --a------ c:\winnt\system32\deploytk.dll
2008-11-11 08:00 . 08-11-11 08:00 <DIR> d-------- C:\MSI9f2aa.tmp
2008-11-11 07:57 . 08-11-11 08:00 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-10 19:56 . 08-11-10 19:56 <DIR> d-------- c:\documents and settings\Mitch\Application Data\Malwarebytes
2008-11-10 19:56 . 08-10-22 16:10 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-10 19:56 . 08-10-22 16:10 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-11-10 19:55 . 08-11-16 13:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 19:55 . 08-11-10 19:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-10 10:10 . 08-11-10 10:10 <DIR> d-------- c:\program files\Black List Software
2008-11-09 22:56 . 08-11-10 20:08 81,984 --a------ c:\winnt\system32\bdod.bin
2008-11-09 22:48 . 08-11-25 12:03 335 --a------ c:\winnt\system32\vsconfig.xml
2008-11-09 22:22 . 08-11-16 08:31 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 19:23 . 08-11-10 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-11-09 19:22 . 08-11-10 21:06 <DIR> d-------- c:\program files\Common Files\Softwin
2008-11-09 18:38 . 08-11-09 18:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-09 16:02 . 08-11-09 16:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 22:31 . 08-11-16 13:22 <DIR> d-------- c:\program files\Trojan Remover

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 16:56 2,966,771 ----a-w c:\winnt\Internet Logs\tvDebug.zip
2008-11-25 15:47 --------- d-----w c:\program files\Quicken Legal Business Pro 2007
2008-11-25 01:50 --------- d---a-w c:\documents and settings\Mitch\Application Data\WeatherBug
2008-11-24 23:53 --------- d-----w c:\documents and settings\Darlene\Application Data\WeatherBug
2008-11-24 16:11 --------- d-----w c:\program files\palmOne
2008-11-20 15:32 --------- d-----w c:\program files\EarthLink TotalAccess
2008-11-20 15:27 --------- d-----w c:\program files\Common Files\EarthLink
2008-11-17 05:26 --------- d-----w c:\program files\Viewpoint
2008-11-17 05:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 19:21 --------- d-----w c:\program files\TomTom HOME 2
2008-11-16 19:01 --------- d-----w c:\program files\Lexmark 1200 Series
2008-11-16 18:54 --------- d-----w c:\program files\Google
2008-11-16 18:50 --------- d-----w c:\program files\Common Files\Command Software
2008-11-16 18:41 --------- d-----w c:\program files\7-Zip
2008-11-16 18:18 --------- d---a-w c:\documents and settings\All Users\Application Data\MailFrontier
2008-11-16 18:08 --------- d-----w c:\program files\Common Files\DataViz
2008-11-16 18:07 --------- d-----w c:\program files\Active Ports
2008-11-15 12:54 470,528 ----a-w c:\winnt\Internet Logs\xDB4.tmp
2008-11-15 12:23 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-14 22:41 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 21:40 --------- d-----w c:\documents and settings\Jimmy\Application Data\WeatherBug
2008-11-12 14:49 --------- d-----w c:\program files\Documents To Go
2008-11-12 03:52 1,367,552 ----a-w c:\winnt\Internet Logs\xDB3.tmp
2008-11-11 16:12 1,373,696 ----a-w c:\winnt\Internet Logs\xDB2.tmp
2008-11-11 14:00 --------- d-----w c:\program files\Java
2008-11-11 01:56 --------- d-----w c:\program files\Trend Micro
2008-11-11 01:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-09 22:10 45,056 ----a-w c:\winnt\Internet Logs\xDB1.tmp
2008-11-09 22:06 --------- d-----w c:\program files\Lavasoft
2008-11-09 04:31 --------- d-----w c:\documents and settings\Mitch\Application Data\Simply Super Software
2008-10-16 20:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\winnt\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\winnt\system32\muweb.dll
2008-10-10 15:23 --------- d-----w c:\documents and settings\Default User\Application Data\Intuit
2008-10-09 00:23 --------- d-----w c:\program files\hp deskjet 950c series
2008-10-07 23:04 --------- d-----w c:\program files\OpenOffice.org 3
2008-10-07 18:04 1,901 ----a-w c:\winnt\panose.bin
2008-10-07 11:57 --------- d-----w c:\documents and settings\Mitch\Application Data\OpenOffice.org
2008-10-07 03:18 34,816 ----a-w c:\winnt\system32\Dlportio.dll
2008-10-07 03:18 3,584 ----a-w c:\winnt\Dlportio.sys
2008-10-07 03:18 27,460 ----a-w c:\winnt\system32\loaddrv.exe
2008-10-01 00:22 --------- d-----w c:\program files\Windows Live Safety Center
2008-09-30 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-09-30 22:43 1,286,152 ----a-w c:\winnt\system32\msxml4.dll
2008-09-30 21:48 20,623 ----a-w c:\winnt\system32\drivers\USB.INF
2008-09-30 21:16 93,360 ----a-w c:\winnt\system32\drivers\ndiswan.sys
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\system32\WIN32K.SYS
2008-09-08 08:14 1,121,280 ----a-w c:\winnt\system32\msxml3.dll
2008-09-03 15:19 124 ----a-w c:\documents and settings\Mitch\Application Data\ftpfile.dat
2007-05-30 03:12 92,064 ----a-w c:\documents and settings\Mitch\mqdmmdm.sys
2007-05-30 03:12 9,232 ----a-w c:\documents and settings\Mitch\mqdmmdfl.sys
2007-05-30 03:12 79,328 ----a-w c:\documents and settings\Mitch\mqdmserd.sys
2007-05-30 03:12 66,656 ----a-w c:\documents and settings\Mitch\mqdmbus.sys
2007-05-30 03:12 6,208 ----a-w c:\documents and settings\Mitch\mqdmcmnt.sys
2007-05-30 03:12 5,936 ----a-w c:\documents and settings\Mitch\mqdmwhnt.sys
2007-05-30 03:12 4,048 ----a-w c:\documents and settings\Mitch\mqdmcr.sys
2007-05-30 03:12 25,600 ----a-w c:\documents and settings\Mitch\usbsermptxp.sys
2007-05-30 03:12 22,768 ----a-w c:\documents and settings\Mitch\usbsermpt.sys
2006-12-22 03:59 271 ---h--w c:\program files\desktop.ini
2006-12-22 03:59 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2006-12-21 21:33 1,894 --sha-w c:\winnt\rreg32.dll
2006-12-21 21:33 5,482 --sha-w c:\winnt\utapi32.dll
2008-02-16 04:59 88 --sh--r c:\winnt\system32\8F2E2DE3A7.sys
2008-02-16 04:59 2,672 --sha-w c:\winnt\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [08-10-23 12:34 1336560]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [08-09-26 07:50 206184]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [06-04-07 15:02 1343488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-17 20:10 68856]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [05-09-01 16:24 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 18:51 39792]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01-11-07 10:45 196608]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [06-07-12 23:22 57344]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [08-11-08 22:32 968072]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [08-07-09 08:05 919016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-06-12 14:28 266497]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 c:\winnt\system32\mobsync.exe]

c:\documents and settings\Mitch\Start Menu\Programs\Startup\
LifeDriveT Manager.lnk - c:\program files\palmOne\LifeDriveMgrTray.exe [2005-04-21 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-24 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\winnt\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeachtreePrefetcher.exe]
-ra------ 07-05-16 11:12 32768 c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 03-06-19 13:05 111376 c:\winnt\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe"

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2006-12-27 28224]
R2 DLPORTIO;DLPORTIO;\??\c:\winnt\DLPORTIO.sys [2008-10-06 3584]
R2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe" [2005-01-26 65604]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\winnt\system32\srvany.exe [2007-07-27 13864]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2006-12-21 61712]
S2 CoachCap;Concord EyeQ Duo 2000 USB Video Capture V1.00;c:\winnt\system32\drivers\CoachCap.sys [2002-03-03 93068]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\winnt\system32\DRIVERS\ADSFilter.sys []
S3 BT2KNDFL;Bluetooth LAN Access Server Driver - Filter;c:\winnt\system32\DRIVERS\bt2kndfl.sys [2007-05-29 3879]
S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S3 ITFYXQFNUTBQRQ;ITFYXQFNUTBQRQ;c:\docume~1\Mitch\LOCALS~1\Temp\ITFYXQFNUTBQRQ.exe []
S3 KGHLVNHB;KGHLVNHB;c:\docume~1\Mitch\LOCALS~1\Temp\KGHLVNHB.exe []
S3 LKMQYXVEFVO;LKMQYXVEFVO;c:\docume~1\Mitch\LOCALS~1\Temp\LKMQYXVEFVO.exe []
S3 OTPSFGQGFAP;OTPSFGQGFAP;c:\docume~1\Mitch\LOCALS~1\Temp\OTPSFGQGFAP.exe []
S3 SetupSys;Conexant Setup API;c:\winnt\system32\drivers\SetupSys.sys [2006-12-29 8811]
S3 TRUQPOC;TRUQPOC;c:\docume~1\Mitch\LOCALS~1\Temp\TRUQPOC.exe []
S3 VHXZWYH;VHXZWYH;c:\docume~1\Mitch\LOCALS~1\Temp\VHXZWYH.exe []
S3 VXLKSF;VXLKSF;c:\docume~1\Mitch\LOCALS~1\Temp\VXLKSF.exe []
S3 YJVZM;YJVZM;c:\docume~1\Mitch\LOCALS~1\Temp\YJVZM.exe []
S4 BOFHWEDNJ;BOFHWEDNJ;c:\docume~1\Mitch\LOCALS~1\Temp\BOFHWEDNJ.exe []
S4 JEHTM;JEHTM;c:\docume~1\Mitch\LOCALS~1\Temp\JEHTM.exe []
.
Contents of the 'Scheduled Tasks' folder

2008-11-10 c:\winnt\Tasks\SyncBack Darlene Sync.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-13 c:\winnt\Tasks\SyncBack Mitch Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-12 c:\winnt\Tasks\SyncBack Palm Documents.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]

2008-11-08 c:\winnt\Tasks\SyncBack PeachTree Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [08-08-12 11:00 ]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 12:03:55
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(220)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(260)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2008-11-25 12:11:35 - machine was rebooted [Mitch]
ComboFix-quarantined-files.txt 2008-11-25 18:11:21

Pre-Run: 2,073,460,736 bytes free
Post-Run: 2,065,510,400 bytes free

267 --- E O F --- 2008-11-09 09:00:48
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:31 PM, on 11/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\faxsvc.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\palmOne\LifeDriveMgrTray.exe
C:\Program Files\palmOne\PalmOneLiveConnect.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: LifeDrive™ Manager.lnk = C:\Program Files\palmOne\LifeDriveMgrTray.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166762007824
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167023014377
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: ITFYXQFNUTBQRQ - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\ITFYXQFNUTBQRQ.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: KGHLVNHB - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\KGHLVNHB.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LKMQYXVEFVO - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\LKMQYXVEFVO.exe (file missing)
O23 - Service: OTPSFGQGFAP - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\OTPSFGQGFAP.exe (file missing)
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
O23 - Service: TRUQPOC - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\TRUQPOC.exe (file missing)
O23 - Service: VHXZWYH - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\VHXZWYH.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VXLKSF - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\VXLKSF.exe (file missing)
O23 - Service: YJVZM - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\YJVZM.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11012 bytes
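
As an added example (not part of this thread or of HijackThis itself), here is a small Python triage script for the O23 service lines in a log like the one above. It parses each O23 entry into display name, owner and image path and flags the pattern a helper looks for first: a service whose binary lives under a user's Temp folder, whose file is already gone, whose owner is unknown, or whose name is a random block of upper-case letters. The sample lines are copied from the posted log; the scoring rules are my own heuristic, not HijackThis behaviour.

```python
import re

# Sample input: O23 lines taken from the HijackThis log posted above
# (legitimate vendor services mixed with the Temp-folder entries).
SAMPLE_O23 = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: ITFYXQFNUTBQRQ - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\ITFYXQFNUTBQRQ.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: KGHLVNHB - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\KGHLVNHB.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: TRUQPOC - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\TRUQPOC.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: YJVZM - Unknown owner - C:\DOCUME~1\Mitch\LOCALS~1\Temp\YJVZM.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
"""

PREFIX = "O23 - Service: "


def parse_o23(line):
    """Split one O23 line into display name, owner and image path.

    The display name itself may contain ' - ' (see the Avira entries), so the
    line is split from the right: the last two ' - ' separators delimit owner
    and path.  Returns None for lines that are not O23 entries.
    """
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    # HijackThis appends the short service name in parentheses when it differs
    # from the display name; fall back to the display name otherwise.
    m = re.search(r"\(([^()]+)\)$", display)
    short = m.group(1) if m else display
    return {"display": display, "short": short, "owner": owner, "path": path}


def triage_service(svc):
    """Return (level, reasons) for one parsed service.

    Heuristic (an assumption of this example, not a HijackThis rule):
    a service binary under a Temp folder is always 'high'; any two of the
    other indicators together make the entry worth a 'review'.
    """
    low = svc["path"].lower()
    in_temp = re.search(r"\\(?:temp|tmp)\\", low) is not None
    missing = low.endswith("(file missing)")
    no_vendor = svc["owner"] == "Unknown owner"
    random_name = re.fullmatch(r"[A-Z]{5,}", svc["short"]) is not None
    reasons = [text for flag, text in (
        (in_temp, "binary under a user Temp folder"),
        (missing, "binary no longer on disk"),
        (no_vendor, "no vendor string"),
        (random_name, "random-looking upper-case name"),
    ) if flag]
    if in_temp:
        level = "high"
    elif len(reasons) >= 2:
        level = "review"
    else:
        level = "ok"
    return level, reasons


def triage_log(text):
    """Run the heuristic over every O23 line and keep the non-'ok' results."""
    findings = []
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        level, reasons = triage_service(svc)
        if level != "ok":
            findings.append({"service": svc["short"], "path": svc["path"],
                             "level": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_O23):
        print(f"[{f['level']:6}] {f['service']}: {f['path']}")
        for r in f["reasons"]:
            print(f"          - {r}")
```

On the sample, the eight-style Temp-folder entries come out as "high" and the orphaned Java Quick Starter entry (file missing, no vendor) as "review"; the vendor-signed services are not reported. A "(file missing)" flag on its own only says the registry entry outlived the file, which is why it is combined with the other indicators rather than reported alone.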

Blade81
2008-11-26, 10:47
Hi

Rename ComboFix.exe -> ComboFxx.exe and try running it again.

Have you run Rootkit Revealer or any other tool not mentioned in my previous reply?

Rjhem
2008-11-30, 03:35
Hi,

Combofix will still not run in regular mode.

I had used or ran the Avira rootkit tool, but I don't think I fixed anything with it. I believe it was before trying this route.

Thanks

Blade81
2008-11-30, 18:49
Hi

Locate if present the following file & delete it:

C:\windows\ntbtlog.txt

Restart the computer
Just before the OS loading screen starts, hit F8 as if going to safe mode.
From the advanced boot menu choose "enable boot logging" then hit enter.
Post the following file:

C:\windows\ntbtlog.txt

Rjhem
2008-11-30, 22:27
Service Pack 411 30 2008 14:11:05.500
Loaded driver \WINNT\System32\ntoskrnl.exe
Loaded driver \WINNT\System32\hal.dll
Loaded driver \WINNT\System32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINNT\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINNT\System32\DRIVERS\PCIIDEX.SYS
Loaded driver intelide.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver Diskperf.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINNT\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver srescan.sys
Loaded driver SONYPVM1.SYS
Loaded driver Mup.sys
Loaded driver iomdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\i81xnt5.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSF_DP.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\el90xbc5.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\Drivers\Cdr4_2K.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\System32\DRIVERS\uhcd.sys
Loaded driver \SystemRoot\system32\drivers\smwdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\btkrnl.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\parallel.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\btaudio.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\Drivers\EFS.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Did not load driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\DRIVERS\AvgAsCln.sys
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Did not load driver \SystemRoot\System32\Drivers\sglfb.SYS
Did not load driver \SystemRoot\System32\Drivers\tga.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Did not load driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Loaded driver \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\WINNT\system32\drivers\btserial.sys
Did not load driver \SystemRoot\system32\drivers\CoachCap.sys
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\system32\DRIVERS\css-dvp.sys
Loaded driver \??\C:\WINNT\DLPORTIO.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
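
As an added example (not part of the thread and not one of the helper's tools), here is a Python script that reads an ntbtlog.txt of the kind produced by the boot-logging procedure above and pulls out what a helper checks first: drivers loaded from outside the System32 tree, drivers the loader reports as not loaded, and drivers that appear more than once. The sample lines are constructed from the posted log; the system root is assumed to be C:\WINNT, as in this log, and is a parameter.

```python
import re
from collections import Counter

# Constructed sample in the ntbtlog.txt format posted above: ordinary
# System32 drivers, two "Did not load" entries, two drivers loaded from
# outside the system directory, and one driver listed twice.
SAMPLE_BOOTLOG = r"""Service Pack 4 11 30 2008 14:11:05.500
Loaded driver \WINNT\System32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\vsdatant.sys
Did not load driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys
Loaded driver \??\C:\WINNT\system32\drivers\btserial.sys
Loaded driver \??\C:\WINNT\DLPORTIO.sys
Did not load driver \SystemRoot\system32\drivers\CoachCap.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver) (.+)$")


def normalize(path, system_root="winnt"):
    """Map the three spellings of the system directory onto one form.

    The boot log writes early drivers as bare names, most as \SystemRoot\...,
    and drivers registered with an absolute image path as \??\C:\WINNT\...
    (the \??\ prefix is the NT object-manager form of a Win32 path).  Assumes
    the system root directory name given by `system_root` on drive C:.
    """
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    drive_root = "c:\\" + system_root + "\\"
    if p.startswith(drive_root):
        p = "\\systemroot\\" + p[len(drive_root):]
    elif p.startswith("\\" + system_root + "\\"):
        p = "\\systemroot\\" + p[len(system_root) + 2:]
    return p


def is_standard(norm):
    """True for drivers under System32 (bare names are loaded from there)."""
    return norm.startswith("\\systemroot\\system32\\") or "\\" not in norm


def summarize(text, system_root="winnt"):
    """Parse a boot log and return the items worth a second look."""
    loaded, not_loaded, outside = [], [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        status, path = m.groups()
        norm = normalize(path, system_root)
        if status == "Loaded driver":
            loaded.append(norm)
            if not is_standard(norm):
                outside.append(path)
        else:
            not_loaded.append(path)
    dupes = {p: n for p, n in Counter(loaded).items() if n > 1}
    return {
        "loaded": len(loaded),
        "not_loaded": not_loaded,
        "outside_system32": outside,
        "loaded_more_than_once": dupes,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_BOOTLOG)
    print(f"{summary['loaded']} drivers loaded")
    print("not loaded:", *summary["not_loaded"], sep="\n  ")
    print("outside System32:", *summary["outside_system32"], sep="\n  ")
    print("loaded more than once:", summary["loaded_more_than_once"])
```

Drivers outside System32 are usually security products or hardware tools registered with an absolute path (both cases in the sample), so the list is a review list, not a verdict; the value is that anything unexpected stands out against the hundred-odd standard entries. A "Did not load driver" line only records that the loader did not start that driver on this boot, which is the sort of entry the helper can compare with the services list from the other logs.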

Blade81
2008-11-30, 23:36
Hi again,

Download DDS (http://www.techsupportforum.com/sectools/sUBs/dds) and save it to your desktop.

Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS.txt will open.
* Click Yes at the next prompt for Optional Scan.
* Save both reports to your desktop.

Post back the contents of DDS.txt and Attach.txt

Rjhem
2008-12-01, 06:25
DDS (Version 1.0) - NTFSx86
Run by Mitch at 22:14:09.81 on Sun 2008-11-30
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510.247 [GMT -6:00]

============== Running Processes ===============

C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\faxsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\lexpps.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\palmOne\LifeDriveMgrTray.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\palmOne\PalmOneLiveConnect.exe
C:\Documents and Settings\Mitch\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - c:\program files\earthlink totalaccess\ElnIE.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\winnt\system32\msdxm.ocx
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ccleaner] "c:\program files\ccleaner\ccleaner.exe" /AUTO
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [E6TaskPanel] "c:\program files\earthlink totalaccess\TaskPanl.exe" -winstart
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
StartupFolder: c:\docume~1\mitch\startm~1\programs\startup\lifedr~1.lnk - c:\program files\palmone\LifeDriveMgrTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\iogear\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Send to &Bluetooth Device... - c:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\earthlink totalaccess\accelerator\prplsf.dll
LSP: %SystemRoot%\system32\msafd.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\winnt\system32\msdxm.ocx
SSODL: Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} - c:\winnt\system32\NETSHELL.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SONYPVM1.SYS [2006-12-27 28224]
R2 DLPORTIO;DLPORTIO;\??\c:\winnt\DLPORTIO.sys [2008-10-6 3584]
R2 EarthLinkMonitor;EarthLink Monitor Service;"c:\program files\earthlink totalaccess\wengine\wmonitor.exe" [2005-1-26 65604]
R2 Iprip;RIP Listener;c:\winnt\system32\svchost.exe -k netsvcs [2001-5-8 7952]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\winnt\system32\srvany.exe [2007-7-27 13864]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2006-12-21 61712]
S1 sglfb;sglfb; []
S1 tga;tga; []
S2 CoachCap;Concord EyeQ Duo 2000 USB Video Capture V1.00;c:\winnt\system32\drivers\CoachCap.sys [2002-3-3 93068]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\winnt\system32\drivers\ADSFilter.sys []
S3 BT2KNDFL;Bluetooth LAN Access Server Driver - Filter;c:\winnt\system32\drivers\bt2kndfl.sys [2007-5-29 3879]
S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\drivers\BW2NDIS5.sys [2004-11-1 17536]
S3 ITFYXQFNUTBQRQ;ITFYXQFNUTBQRQ;c:\docume~1\mitch\locals~1\temp\ITFYXQFNUTBQRQ.exe []
S3 KGHLVNHB;KGHLVNHB;c:\docume~1\mitch\locals~1\temp\KGHLVNHB.exe []
S3 LKMQYXVEFVO;LKMQYXVEFVO;c:\docume~1\mitch\locals~1\temp\LKMQYXVEFVO.exe []
S3 OTPSFGQGFAP;OTPSFGQGFAP;c:\docume~1\mitch\locals~1\temp\OTPSFGQGFAP.exe []
S3 SetupSys;Conexant Setup API;c:\winnt\system32\drivers\SetupSys.sys [2006-12-29 8811]
S3 TRUQPOC;TRUQPOC;c:\docume~1\mitch\locals~1\temp\TRUQPOC.exe []
S3 VHXZWYH;VHXZWYH;c:\docume~1\mitch\locals~1\temp\VHXZWYH.exe []
S3 VXLKSF;VXLKSF;c:\docume~1\mitch\locals~1\temp\VXLKSF.exe []
S3 YJVZM;YJVZM;c:\docume~1\mitch\locals~1\temp\YJVZM.exe []
S4 aic116x;aic116x; []
S4 ami0nt;ami0nt; []
S4 BOFHWEDNJ;BOFHWEDNJ;c:\docume~1\mitch\locals~1\temp\BOFHWEDNJ.exe []
S4 cpqarry2;cpqarry2; []
S4 cpqfcalm;cpqfcalm; []
S4 cpqfws2e;cpqfws2e; []
S4 deckzpsx;deckzpsx; []
S4 Fd16_700;Fd16_700; []
S4 fireport;fireport; []
S4 flashpnt;flashpnt; []
S4 ipsraidn;ipsraidn; []
S4 JEHTM;JEHTM;c:\docume~1\mitch\locals~1\temp\JEHTM.exe []
S4 lp6nds35;lp6nds35; []
S4 Ncrc710;Ncrc710; []
S4 ql2100;ql2100; []
S4 ultra66;ultra66; []

=============== Created Last 30 ================

2008-11-30 22:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4d8.dat
2008-11-30 22:10 <DIR> --d-h--- c:\winnt\PIF
2008-11-28 20:49 16,384 a------t c:\winnt\system32\Perflib_Perfdata_450.dat
2008-11-28 10:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_43c.dat
2008-11-28 10:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_974.dat
2008-11-27 10:01 75,248 a------- c:\winnt\zllsputility.exe
2008-11-27 09:59 1,086,952 a------- c:\winnt\system32\zpeng24.dll
2008-11-27 09:59 <DIR> --d----- c:\winnt\system32\ZoneLabs
2008-11-27 09:59 <DIR> --d----- c:\program files\Zone Labs
2008-11-27 09:59 352,918 a------- c:\winnt\system32\vsconfig.xml
2008-11-26 21:31 <DIR> --d----- c:\program files\Avira
2008-11-26 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-11-26 19:58 452 a------- C:\temp00.dat
2008-11-26 19:54 236,816 a------- c:\winnt\system32\CF21814.exe
2008-11-26 19:54 <DIR> --d----- C:\ComboFxx
2008-11-26 19:53 0 a------- C:\__tmp_rar_sfx_access_check_3969177
2008-11-26 19:50 0 a------- C:\test0123
2008-11-26 19:49 194 a------- C:\Start_.cmd
2008-11-26 19:49 0 a------- C:\__tmp_rar_sfx_access_check_3702784
2008-11-26 19:47 0 a------- C:\__tmp_rar_sfx_access_check_3595960
2008-11-26 19:46 0 a------- C:\__tmp_rar_sfx_access_check_3532629
2008-11-26 10:22 0 a------- C:\__tmp_rar_sfx_access_check_248136
2008-11-26 09:46 0 a------- C:\__tmp_rar_sfx_access_check_1275143
2008-11-26 09:38 0 a------- C:\__tmp_rar_sfx_access_check_790025
2008-11-26 09:37 0 a------- C:\__tmp_rar_sfx_access_check_739152
2008-11-26 09:33 0 a------- C:\__tmp_rar_sfx_access_check_477486
2008-11-26 09:32 0 a------- C:\__tmp_rar_sfx_access_check_436087
2008-11-26 09:31 0 a------- C:\__tmp_rar_sfx_access_check_372345
2008-11-26 09:22 0 a------- C:\~GLHTTP1.TMP
2008-11-26 09:19 197,976 a----r-- c:\winnt\cpnprt2.cid
2008-11-25 11:55 0 a------- C:\__tmp_rar_sfx_access_check_1503692
2008-11-25 11:41 0 a------- C:\__tmp_rar_sfx_access_check_668541
2008-11-25 11:16 0 a------- C:\__tmp_rar_sfx_access_check_1288042
2008-11-25 10:38 161,792 a------- c:\winnt\SWREG.exe
2008-11-25 10:38 98,816 a------- c:\winnt\sed.exe
2008-11-25 10:37 0 a------- C:\__tmp_rar_sfx_access_check_39215899
2008-11-25 10:36 0 a------- C:\__tmp_rar_sfx_access_check_39128203
2008-11-25 10:32 0 a------- C:\__tmp_rar_sfx_access_check_38891793
2008-11-25 10:23 0 a------- C:\__tmp_rar_sfx_access_check_38395449
2008-11-25 10:23 0 a------- C:\__tmp_rar_sfx_access_check_38349914
2008-11-25 10:19 0 a------- C:\__tmp_rar_sfx_access_check_38135736
2008-11-18 09:12 <DIR> --d----- C:\MSIdeefa.tmp
2008-11-16 11:49 30,590 a------- c:\winnt\system32\pavas.ico
2008-11-16 11:49 <DIR> --d----- c:\winnt\system32\ActiveScan
2008-11-15 06:23 <DIR> --d----- c:\program files\Avira GmbH
2008-11-15 04:35 <DIR> --d----- C:\MSI1d880.tmp
2008-11-14 22:09 250 a------- c:\winnt\gmer.ini
2008-11-14 17:21 105,738 a------- C:\ComboFix_error.dat
2008-11-14 16:43 1,196,468 ----h--- c:\winnt\ShellIconCache
2008-11-11 08:01 410,976 a------- c:\winnt\system32\deploytk.dll
2008-11-11 08:00 <DIR> --d----- C:\MSI9f2aa.tmp
2008-11-11 07:57 73,728 a------- c:\winnt\system32\javacpl.cpl
2008-11-10 19:56 <DIR> --d----- c:\docume~1\mitch\applic~1\Malwarebytes
2008-11-10 19:56 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2008-11-10 19:56 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2008-11-10 19:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-10 19:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 10:10 <DIR> --d----- c:\program files\Black List Software
2008-11-09 22:56 81,984 a------- c:\winnt\system32\bdod.bin
2008-11-09 19:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2008-11-09 19:22 <DIR> --d----- c:\program files\common files\Softwin
2008-11-09 18:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-11-09 16:02 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-08 22:31 <DIR> --d----- c:\program files\Trojan Remover

==================== Find3M ====================

2008-11-30 22:07 <DIR> a-d----- c:\docume~1\mitch\applic~1\WeatherBug
2008-11-27 10:32 4,212 ----h--- c:\winnt\system32\zllictbl.dat
2008-11-26 09:22 <DIR> --d----- c:\program files\Yahoo!
2008-11-26 09:19 <DIR> --d----- c:\program files\Coupons
2008-11-25 09:47 <DIR> --d----- c:\program files\Quicken Legal Business Pro 2007
2008-11-24 10:11 <DIR> --d----- c:\program files\palmOne
2008-11-20 09:32 <DIR> --d----- c:\program files\EarthLink TotalAccess
2008-11-20 09:27 <DIR> --d----- c:\program files\common files\EarthLink
2008-11-16 23:26 <DIR> --d----- c:\program files\Viewpoint
2008-11-16 23:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-16 13:21 <DIR> --d----- c:\program files\TomTom HOME 2
2008-11-16 13:01 <DIR> --d----- c:\program files\Lexmark 1200 Series
2008-11-16 12:50 <DIR> --d----- c:\program files\common files\Command Software
2008-11-16 12:08 <DIR> --d----- c:\program files\common files\DataViz
2008-11-16 12:07 <DIR> --d----- c:\program files\Active Ports
2008-11-14 16:41 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-12 08:49 <DIR> --d----- c:\program files\Documents To Go
2008-11-10 19:56 <DIR> --d----- c:\program files\Trend Micro
2008-11-10 19:35 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-10 08:46 <DIR> a-d-h--- c:\program files\WindowsUpdate
2008-11-09 16:06 <DIR> --d----- c:\program files\Lavasoft
2008-11-08 22:31 <DIR> --d----- c:\docume~1\mitch\applic~1\Simply Super Software
2008-10-16 14:06 268,648 a------- c:\winnt\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\winnt\system32\muweb.dll
2008-10-08 18:23 <DIR> --d----- c:\program files\hp deskjet 950c series
2008-10-07 17:04 <DIR> --d----- c:\program files\OpenOffice.org 3
2008-10-07 12:04 1,901 a------- c:\winnt\panose.bin
2008-10-07 06:01 1,636 a------- c:\winnt\system32\d3d9caps.dat
2008-10-07 05:57 <DIR> --d----- c:\docume~1\mitch\applic~1\OpenOffice.org
2008-10-06 21:18 34,816 a------- c:\winnt\system32\Dlportio.dll
2008-10-06 21:18 27,460 a------- c:\winnt\system32\loaddrv.exe
2008-10-06 21:18 3,584 a------- c:\winnt\Dlportio.sys
2008-09-30 17:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2008-09-30 16:43 1,286,152 a------- c:\winnt\system32\msxml4.dll
2008-09-14 23:13 1,644,432 a------- c:\winnt\system32\WIN32K.SYS
2008-09-08 02:14 1,121,280 a------- c:\winnt\system32\msxml3.dll
2008-09-02 10:34 <DIR> --d----- c:\docume~1\mitch\applic~1\CoffeeCup Software
2008-07-10 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-06-25 16:29 <DIR> --d----- c:\docume~1\mitch\applic~1\LimeWire
2008-04-21 07:22 <DIR> --d----- c:\docume~1\mitch\applic~1\MySpace
2008-02-19 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TomTom
2008-02-19 19:22 <DIR> --d----- c:\docume~1\mitch\applic~1\TomTom
2007-12-15 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2007-10-05 14:45 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2007-10-02 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2007-09-27 22:53 <DIR> --d----- c:\docume~1\mitch\applic~1\Viewpoint
2007-08-26 15:17 <DIR> --d----- c:\docume~1\mitch\applic~1\Nvu
2007-08-16 20:36 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\BVRP Software
2007-07-31 20:17 <DIR> --d----- c:\docume~1\mitch\applic~1\Peachtree
2007-06-14 21:59 <DIR> a-d----- c:\docume~1\mitch\applic~1\Earthlink
2007-05-29 20:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avanquest Software
2007-02-02 13:52 <DIR> a-d----- c:\docume~1\mitch\applic~1\RecordPad
2007-02-02 13:52 <DIR> a-d----- c:\docume~1\mitch\applic~1\NCH Swift Sound
2007-02-02 13:52 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\NCH Swift Sound
2007-01-10 13:06 <DIR> a-d----- c:\docume~1\mitch\applic~1\Nova Development
2007-01-10 13:05 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Nova Development
2007-01-05 09:28 <DIR> a-d----- c:\docume~1\mitch\applic~1\TrojanHunter
2006-12-27 13:01 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-12-27 13:00 <DIR> a-d----- c:\docume~1\mitch\applic~1\Intuit
2006-12-25 01:54 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\Visual Networks
2006-12-24 18:47 <DIR> a-d----- c:\docume~1\alluse~1\applic~1\DataViz
2006-12-24 16:10 <DIR> a-d----- c:\docume~1\mitch\applic~1\ScamBlocker
2006-12-24 14:11 <DIR> a-d----- c:\docume~1\mitch\applic~1\HotSync
2006-12-21 15:33 1,894 a--sh--- c:\winnt\rreg32.dll
2006-12-21 15:33 5,482 a--sh--- c:\winnt\utapi32.dll
2002-07-31 18:55 104 ---sh--- c:\winnt\WSYS049.SYS
2008-02-15 22:59 88 ---shr-- c:\winnt\system32\8F2E2DE3A7.sys
2008-02-15 22:59 2,672 a--sh--- c:\winnt\system32\KGyGaAvL.sys

============= FINISH: 22:15:51.86 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 2008-11-30 8:11:05 AM (14 hours ago)

Motherboard: Dell Computer Corporation | | OptiPlex GX150
Processor: Intel Celeron processor | Microprocessor | 1096/100mhz
BIOS: Default System BIOS | Phoenix ROM BIOS PLUS Version 1.10 A09 | A09 |

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 19 GiB total, 1.904 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 186 GiB total, 172.932 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.57
ABBYY FineReader 5.0 Sprint
Access Drivers
Active Disk
Active Ports
Ad-Aware
Adobe Acrobat 6.0.1 Professional - English, Français, Deutsch
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe PageMaker 7.0
Adobe Reader 7.0.5
Adobe Reader 8.1.1
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader for Palm OS, 3.05
Adobe Shockwave Player
AnswerWorks 5.0 English Runtime
ArcSoft Camera Suite
Assassin SE
Authentium
Avanquest update
AVG Anti-Spyware 7.5
Avira AntiVir Personal - Free Antivirus
Avira RootKit Detection
CCleaner (remove only)
CoffeeCup HTML Editor 2008
CoffeeCup Visual Site Designer Software
CoffeeCup Web Form Builder - Registered
Concord EyeQ Duo 2000 Digital Camera
Concord EyeQ Duo 2000 Memory Browser TWAIN Driver V1.00
Coupon Printer for Windows
Deal Info
Dell ResourceCD
Documents To Go
DSound GT Player Express
DTCLookup
EarthLink Accelerator
EarthLink Common Authentication
EarthLink FastLane
EarthLink MailBox
EarthLink Software
EarthLink Wireless High Speed
Easy MP3 Sound Recorder 2.01
Express Burn
Express Rip
HijackThis 2.0.2
Hotfix for MDAC 2.80 (KB911562)
Hotfix for MDAC 2.80 (KB927779)
Hotfix for Microsoft .NET Framework 2.0 Service Pack 1 (KB947748)
hp deskjet 950c series
hp deskjet 950c series (Remove only)
IOGEAR Bluetooth Software
IomegaWare 4.0.2
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
Java(TM) 6 Update 10
Java(TM) 6 Update 7
Kaspersky Online Scanner
Lernout & Hauspie TruVoice for Microsoft Agent
Lexmark 1200 Series
Malwarebytes' Anti-Malware
MGI PhotoSuite 8.1 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Hotfix (KB947742)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft MapPoint North America 2004
Microsoft Office 2000 SR-1 Professional
Microsoft XML Parser
Motorola Driver Installation 3.4.0
Motorola Phone Tools
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nvu 1.0
palmOne
Panda ActiveScan
Peachtree Accounting 2008
Peachtree Pro Accounting 2008
PeachTree Signature Ready Forms
Pervasive Software PSQL v9.1 Client
Pervasive System Analyzer v9.1
Photo Explosion Special Edition
Quicken 2008
Quicken Legal Business Pro 2007
Quicken WillMaker Plus 2005
RecordPad Sound Recorder
Remington Shoot!
Security Update for DirectX 9 (KB941568)
Security Update for DirectX 9 (KB951698)
Security Update for Windows 2000 (KB904706)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 7.1 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
SoftV92 Data Fax Modem
Sony USB Driver
SoundMAXWDM
Spybot - Search & Destroy
SyncBack
TomTom HOME
TotalAccess Core Applications
Trojan Remover 6.7.3
Update Rollup 1 for Windows 2000 SP4
VC_MergeModuleToMSI
WavePad Uninstall
WeatherBug
WebFldrs
Windows 2000 Hotfix - KB818801
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925454
Windows 2000 Hotfix - KB925486
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926247
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931768
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB932168
Windows 2000 Hotfix - KB933566
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937143
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938464
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix - KB939653
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB941693
Windows 2000 Hotfix - KB942615
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944338
Windows 2000 Hotfix - KB944533
Windows 2000 Hotfix - KB945553
Windows 2000 Hotfix - KB947864
Windows 2000 Hotfix - KB948590
Windows 2000 Hotfix - KB948881
Windows 2000 Hotfix - KB950749
Windows 2000 Hotfix - KB950759
Windows 2000 Hotfix - KB950760
Windows 2000 Hotfix - KB950974
Windows 2000 Hotfix - KB951066
Windows 2000 Hotfix - KB951748
Windows 2000 Hotfix - KB952954
Windows 2000 Hotfix - KB953838
Windows 2000 Hotfix - KB953839
Windows 2000 Hotfix - KB954211
Windows 2000 Hotfix - KB955069
Windows 2000 Hotfix - KB956390
Windows 2000 Hotfix - KB956391
Windows 2000 Hotfix - KB957095
Windows 2000 Hotfix - KB957097
Windows 2000 Hotfix - KB958644
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Live OneCare safety scanner
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages ===================


==== End Of File ===========================

Blade81
2008-12-01, 17:41
Hi

Since ComboFix works OK in safe mode but not in normal mode, I want to make sure you have disabled all protection software before you've tried to run ComboFix. If that's the case and you're logged in with administrator privileges, defrag the hard drive and run scandisk (instructions (http://www.duxcw.com/faq/win/2kscandisk.htm)) to make sure the hard drive is OK.

Blade81
2008-12-08, 18:58
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.