Page 1 of 9 12345 ... LastLast
Results 1 to 10 of 86

Thread: Please help- Worm in the system

  1. #1
    Member
    Join Date
    Nov 2007
    Posts
    75

    Unhappy Please help- Worm in the system

    The Log from anti-virus scan is extremely long.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:58:08 PM, on 11/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\IDriveE\IDriveE Service.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\IPFax\FaxMonitor.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Program Files\IDriveE\IDriveETray.exe
    C:\Program Files\IDriveE\IDriveEBackground.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.explore-int.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FaxMonitor] C:\Program Files\IPFax\FaxMonitor.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe -a
    O4 - HKCU\..\Run: [IDriveE Startup] "C:\Program Files\IDriveE\IDrvieEStartup.exe" Hide
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
    O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra 'Tools' menuitem: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://cid-c0bc9c0449e30208.skydriv...RichUpload.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDriveE\IDriveE Service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10866 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi exploreint

    Rename HijackThis.exe to exploreint.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    Nov 2007
    Posts
    75

    Default

    OK Shaba, here is the new log, thanks

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:57:46 PM, on 11/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\aagrtasv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\IDriveE\IDriveE Service.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\IPFax\FaxMonitor.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IDriveE\IDriveETray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\IDriveE\IDriveEBackground.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\exploreint.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.explore-int.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {079A4744-1229-4808-A3C0-CABA31B3391A} - (no file)
    O2 - BHO: (no name) - {11249857-77F9-47E4-B4F7-8C9F5123F5E0} - (no file)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {69FDB1C2-D5C5-4A35-9658-EC7E65B3AD88} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {947FC556-6784-4E60-B23A-E36F1CFBAA15} - (no file)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
    O2 - BHO: (no name) - {A9A51530-C28A-4ED8-AA26-A0AE6D4C0CE8} - (no file)
    O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - (no file)
    O2 - BHO: (no name) - {C715318A-4E2A-4D3B-9E03-1B182332ACF6} - (no file)
    O2 - BHO: (no name) - {D87A6D0B-505C-4329-B589-4598AEB24D04} - C:\WINDOWS\system32\geeda.dll
    O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FaxMonitor] C:\Program Files\IPFax\FaxMonitor.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe -a
    O4 - HKCU\..\Run: [IDriveE Startup] "C:\Program Files\IDriveE\IDrvieEStartup.exe" Hide
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
    O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra 'Tools' menuitem: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://cid-c0bc9c0449e30208.skydriv...RichUpload.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: ljjiged - C:\WINDOWS\
    O20 - Winlogon Notify: sxxhibml - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\aagrtasv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDriveE\IDriveE Service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12316 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    You have a keylogger so you should change all online passwords from known clean computer:

    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

    We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    1. Download combofix from one of these links and save it to Desktop:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Post:

    - a fresh HijackThis log
    - combofix report
    - vundofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Member
    Join Date
    Nov 2007
    Posts
    75

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:24:10 PM, on 11/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\aagrtasv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\IDriveE\IDriveE Service.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\IPFax\FaxMonitor.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IDriveE\IDriveETray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\IDriveE\IDriveEBackground.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\exploreint.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.explore-int.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {079A4744-1229-4808-A3C0-CABA31B3391A} - (no file)
    O2 - BHO: (no name) - {11249857-77F9-47E4-B4F7-8C9F5123F5E0} - (no file)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {69FDB1C2-D5C5-4A35-9658-EC7E65B3AD88} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {85B62385-6804-4F20-AB74-D96C3359058A} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: {eda58e97-d406-053b-0e34-4fc873d6cee8} - {8eec6d37-8cf4-43e0-b350-604d79e85ade} - C:\WINDOWS\system32\vnenmrna.dll
    O2 - BHO: (no name) - {947FC556-6784-4E60-B23A-E36F1CFBAA15} - (no file)
    O2 - BHO: (no name) - {A9A51530-C28A-4ED8-AA26-A0AE6D4C0CE8} - (no file)
    O2 - BHO: (no name) - {C715318A-4E2A-4D3B-9E03-1B182332ACF6} - (no file)
    O2 - BHO: (no name) - {D87A6D0B-505C-4329-B589-4598AEB24D04} - (no file)
    O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FaxMonitor] C:\Program Files\IPFax\FaxMonitor.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe -a
    O4 - HKCU\..\Run: [IDriveE Startup] "C:\Program Files\IDriveE\IDrvieEStartup.exe" Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
    O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra 'Tools' menuitem: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://cid-c0bc9c0449e30208.skydriv...RichUpload.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: ljjiged - C:\WINDOWS\
    O20 - Winlogon Notify: sxxhibml - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\aagrtasv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDriveE\IDriveE Service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12057 bytes


    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 12:33:32 PM 11/19/2007

    Listing files found while scanning....

    C:\windows\system32\adeeg.bak1
    C:\windows\system32\adeeg.bak2
    C:\windows\system32\adeeg.ini
    C:\windows\system32\byfeqxah.dll
    C:\windows\system32\geeda.dll
    C:\windows\system32\qomjgff.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\adeeg.bak1
    C:\windows\system32\adeeg.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\adeeg.bak2
    C:\windows\system32\adeeg.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\adeeg.ini
    C:\windows\system32\adeeg.ini Has been deleted!

    Attempting to delete C:\windows\system32\byfeqxah.dll
    C:\windows\system32\byfeqxah.dll Has been deleted!

    Attempting to delete C:\windows\system32\geeda.dll
    C:\windows\system32\geeda.dll Has been deleted!

    Attempting to delete C:\windows\system32\qomjgff.dll
    C:\windows\system32\qomjgff.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Unable to run Combofix get message that program expired as today is 11/19/2007

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Member
    Join Date
    Nov 2007
    Posts
    75

    Default

    Deckard's System Scanner v20071014.68
    Run by Q12 Alex on 2007-11-20 08:08:48
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 3 Restore Point(s) --
    3: 2007-11-20 14:08:54 UTC - RP3 - Deckard's System Scanner Restore Point
    2: 2007-11-20 13:39:12 UTC - RP2 - Microsoft OneCare Protection Checkpoint
    1: 2007-11-19 22:26:17 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Q12 Alex.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:12:29 AM, on 11/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\IDriveE\IDriveE Service.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\IPFax\FaxMonitor.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\Fonts\svchost.exe
    C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IDriveE\IDriveETray.exe
    C:\Program Files\IDriveE\IDriveEBackground.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\aagrtasv.exe
    C:\Documents and Settings\Q12 Alex\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Q12 Alex.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...plore-int.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {079A4744-1229-4808-A3C0-CABA31B3391A} - (no file)
    O2 - BHO: (no name) - {11249857-77F9-47E4-B4F7-8C9F5123F5E0} - (no file)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {69FDB1C2-D5C5-4A35-9658-EC7E65B3AD88} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {85B62385-6804-4F20-AB74-D96C3359058A} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: {eda58e97-d406-053b-0e34-4fc873d6cee8} - {8eec6d37-8cf4-43e0-b350-604d79e85ade} - C:\WINDOWS\system32\vnenmrna.dll
    O2 - BHO: (no name) - {947FC556-6784-4E60-B23A-E36F1CFBAA15} - (no file)
    O2 - BHO: (no name) - {A9A51530-C28A-4ED8-AA26-A0AE6D4C0CE8} - (no file)
    O2 - BHO: (no name) - {C715318A-4E2A-4D3B-9E03-1B182332ACF6} - (no file)
    O2 - BHO: (no name) - {D87A6D0B-505C-4329-B589-4598AEB24D04} - (no file)
    O3 - Toolbar: CommuniKate Toolbar - {2AD46959-7EE4-47C3-B976-C0912755DE1F} - C:\Program Files\ucietb\ucietb.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FaxMonitor] C:\Program Files\IPFax\FaxMonitor.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe -a
    O4 - HKCU\..\Run: [IDriveE Startup] "C:\Program Files\IDriveE\IDrvieEStartup.exe" Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Spell Check Options... - res://C:\Program Files\ucietb\Speller.dll/RUNOPTIONS.HTM
    O8 - Extra context menu item: Spell Check this page... - res://C:\Program Files\ucietb\Speller.dll/RUNSPELLER.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra 'Tools' menuitem: CommuniKate Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\ucietb\ucietb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://cid-c0bc9c0449e30208.skydriv...RichUpload.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: ljjiged - C:\WINDOWS\
    O20 - Winlogon Notify: sxxhibml - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\aagrtasv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IDriveE Service - Pro Softnet Corporation - C:\Program Files\IDriveE\IDriveE Service.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 11926 bytes

    -- File Associations -----------------------------------------------------------

    .bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
    .inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
    .ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
    .reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
    .txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70
    .vbs - VBSFile - DefaultIcon - C:\WINDOWS\system32\WScript.exe,2


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    S3 z520bus (Sony Ericsson 520 driver (WDM)) - c:\windows\system32\drivers\z520bus.sys <Not Verified; MCCI; Sony Ericsson 520>
    S3 z520mdfl (Sony Ericsson 520 USB WMC Modem Filter) - c:\windows\system32\drivers\z520mdfl.sys <Not Verified; MCCI; Sony Ericsson 520 USB WMC Modem Filter Driver>
    S3 z520mdm (Sony Ericsson 520 USB WMC Modem Drivers) - c:\windows\system32\drivers\z520mdm.sys <Not Verified; MCCI; Sony Ericsson 520 USB WMC Modem>
    S3 z520mgmt (Sony Ericsson 520 USB WMC Device Management Drivers) - c:\windows\system32\drivers\z520mgmt.sys <Not Verified; MCCI; Sony Ericsson 520 USB WMC Device Management>
    S3 z520obex (Sony Ericsson 520 USB WMC OBEX Interface Drivers) - c:\windows\system32\drivers\z520obex.sys <Not Verified; MCCI; Sony Ericsson 520 USB WMC OBEX Interface>
    S3 z525bus (Sony Ericsson Z525 Driver driver (WDM)) - c:\windows\system32\drivers\z525bus.sys <Not Verified; MCCI; Sony Ericsson Z525 Driver>
    S3 z525mdfl (Sony Ericsson Z525 USB WMC Modem Filter) - c:\windows\system32\drivers\z525mdfl.sys <Not Verified; MCCI; Sony Ericsson Z525 USB WMC Modem Filter Driver>
    S3 z525mdm (Sony Ericsson Z525 USB WMC Modem Driver) - c:\windows\system32\drivers\z525mdm.sys <Not Verified; MCCI; Sony Ericsson Z525 USB WMC Data Modem>
    S3 z525mgmt (Sony Ericsson Z525 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\z525mgmt.sys <Not Verified; MCCI; Sony Ericsson Z525 USB WMC Device Management>
    S3 z525obex (Sony Ericsson Z525 USB WMC OBEX Interface) - c:\windows\system32\drivers\z525obex.sys <Not Verified; MCCI; Sony Ericsson Z525 USB WMC OBEX Interface>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 DomainService - c:\windows\system32\aagrtasv.exe /service <Not Verified; ; DDC>
    R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-11-19 11:45:20 428 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{811BD7B1-9924-40B5-9D71-1FA9F46DA408}.job
    2007-09-12 16:15:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2007-05-09 10:47:51 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job

  8. #8
    Member
    Join Date
    Nov 2007
    Posts
    75

    Default

    -- Files created between 2007-10-20 and 2007-11-20 -----------------------------

    2007-11-19 11:57:12 81984 --a------ C:\WINDOWS\system32\vnenmrna.dll
    2007-11-19 11:54:30 85056 --a------ C:\WINDOWS\system32\xpxxiotl.dll
    2007-11-19 11:45:28 71232 --a------ C:\WINDOWS\system32\xnlcxsws.exe <Not Verified; ; DDC>
    2007-11-18 19:58:41 81984 --a------ C:\WINDOWS\system32\xqqyhsgd.dll
    2007-11-18 19:56:08 71232 --a------ C:\WINDOWS\system32\cwfvbmow.exe <Not Verified; ; DDC>
    2007-11-16 09:24:25 85056 --a------ C:\WINDOWS\system32\gmptwebs.dll
    2007-11-16 09:19:24 81984 --a------ C:\WINDOWS\system32\mqnbdqki.dll
    2007-11-16 09:13:24 71232 --a------ C:\WINDOWS\system32\aagrtasv.exe <Not Verified; ; DDC>
    2007-11-15 09:56:10 0 d-------- C:\Program Files\Trend Micro
    2007-11-15 09:39:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-15 09:39:26 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-14 16:35:05 79424 --a------ C:\WINDOWS\system32\jdguoefo.dll
    2007-11-14 16:32:05 85056 --a------ C:\WINDOWS\system32\urylakwj.dll
    2007-11-14 16:29:05 71232 --a------ C:\WINDOWS\system32\hyqephhe.exe <Not Verified; ; DDC>
    2007-11-14 11:24:35 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
    2007-11-14 11:24:35 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
    2007-11-14 11:24:35 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2007-11-14 11:24:34 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2007-11-14 11:24:34 75264 --a------ C:\WINDOWS\system32\unacev2.dll
    2007-11-14 11:24:31 0 d-------- C:\Program Files\Trojan Remover
    2007-11-14 11:24:31 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Simply Super Software
    2007-11-14 11:24:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
    2007-11-13 15:21:39 80448 --a------ C:\WINDOWS\system32\bfyrmtia.dll
    2007-11-13 15:15:13 71232 --a------ C:\WINDOWS\system32\txyfdrfh.exe <Not Verified; ; DDC>
    2007-11-13 15:03:34 80448 --a------ C:\WINDOWS\system32\ispitfqf.dll
    2007-11-13 15:00:34 144480 --a------ C:\WINDOWS\system32\cxvvupkt.dll
    2007-11-13 14:57:34 85056 --a------ C:\WINDOWS\system32\achhginx.dll
    2007-11-13 09:49:00 0 d-------- C:\85cbd9eeac5a5e9f990e3392b9c9
    2007-11-13 09:48:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-13 09:27:58 0 d-------- C:\WinPE
    2007-11-13 09:22:57 0 d-------- C:\Program Files\Windows Imaging
    2007-11-13 09:16:10 0 d-------- C:\Program Files\Windows AIK
    2007-11-13 09:12:11 0 d-------- C:\Program Files\MSXML 6.0
    2007-11-12 15:03:53 144480 --a------ C:\WINDOWS\system32\hlqqcshi.dll
    2007-11-12 14:57:52 81472 --a------ C:\WINDOWS\system32\wyejgweb.dll
    2007-11-12 10:52:01 0 d-------- C:\Program Files\Lavasoft
    2007-11-12 10:51:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-12 10:51:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-11 14:15:59 128 --a------ C:\winlogon.exe
    2007-11-11 13:55:14 79936 --a------ C:\WINDOWS\system32\kivjyxcr.dll
    2007-11-11 13:46:51 71232 --a------ C:\WINDOWS\system32\mkhcnafs.exe <Not Verified; ; DDC>
    2007-11-10 13:18:28 81472 --a------ C:\WINDOWS\system32\qskokyxb.dll
    2007-11-10 13:07:07 71232 --a------ C:\WINDOWS\system32\xirmbjeu.exe <Not Verified; ; DDC>
    2007-11-09 13:05:57 77888 --a------ C:\WINDOWS\system32\fqameehf.dll
    2007-11-09 12:54:25 71232 --a------ C:\WINDOWS\system32\wkpelmdl.exe <Not Verified; ; DDC>
    2007-11-08 12:13:36 71232 --a------ C:\WINDOWS\system32\tjxptdle.exe <Not Verified; ; DDC>
    2007-11-07 12:19:00 86080 --a------ C:\WINDOWS\system32\rkfkpdno.dll
    2007-11-07 12:16:00 79936 --a------ C:\WINDOWS\system32\erwundcg.dll
    2007-11-07 11:57:22 82 --a------ C:\n.bat
    2007-11-07 11:57:12 0 --a------ C:\z.dat
    2007-11-07 11:57:04 133120 --a------ C:\z.exe
    2007-11-02 23:15:00 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
    2007-11-02 23:09:55 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-02 22:28:51 0 d-------- C:\Program Files\Microsoft Windows OneCare Live
    2007-11-01 13:01:22 0 d-------- C:\WINDOWS\pss
    2007-10-27 14:26:26 66 --a------ C:\WINDOWS\system32\RegisterIDriveEDll.bat
    2007-10-27 14:26:26 733184 --a------ C:\WINDOWS\system32\IDriveEService.dll <Not Verified; Pro Soft Net Corporation; IDrive-E>
    2007-10-27 14:26:25 55808 --a------ C:\WINDOWS\system32\zlib1.dll <Not Verified; ; zlib>
    2007-10-27 14:26:25 135168 --a------ C:\WINDOWS\system32\LogMail.dll <Not Verified; Pro-Softnet Corporation; IBackup For Windows>


    -- Find3M Report ---------------------------------------------------------------

    2007-11-19 16:28:36 0 d-------- C:\Program Files\IDriveE
    2007-11-19 16:28:00 0 d-------- C:\Program Files\Plaxo
    2007-11-19 11:50:07 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\American Airlines DealFinder
    2007-11-12 10:51:09 0 d-------- C:\Program Files\Common Files
    2007-11-10 13:16:51 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-27 22:07:15 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Vso
    2007-10-27 22:07:15 33 --a------ C:\Documents and Settings\Q12 Alex\Application Data\pcouffin.log
    2007-10-27 22:07:12 7887 --a------ C:\Documents and Settings\Q12 Alex\Application Data\pcouffin.cat
    2007-10-27 22:07:11 47360 --a------ C:\Documents and Settings\Q12 Alex\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2007-10-27 22:07:11 1144 --a------ C:\Documents and Settings\Q12 Alex\Application Data\pcouffin.inf
    2007-10-27 22:05:27 0 d-------- C:\Program Files\Picasa2
    2007-10-27 13:29:32 0 d-------- C:\Program Files\Java
    2007-10-22 11:37:17 256 --a------ C:\WINDOWS\system32\pool.bin
    2007-10-19 13:51:51 0 d-------- C:\Program Files\Common Files\Research In Motion
    2007-10-14 11:08:56 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Roxio
    2007-10-13 20:34:39 0 d-------- C:\Program Files\Common Files\Sonic Shared
    2007-10-13 20:33:21 0 d-------- C:\Program Files\Common Files\Roxio Shared
    2007-10-13 20:33:01 0 d-------- C:\Program Files\Roxio
    2007-10-13 20:32:27 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-10-13 20:28:30 0 d-------- C:\Program Files\Research In Motion
    2007-10-13 16:06:34 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Teleca
    2007-10-13 16:06:29 0 d-------- C:\Program Files\Sony Ericsson
    2007-10-13 16:06:11 0 d-------- C:\Program Files\Common Files\Teleca Shared
    2007-10-08 21:33:53 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Blackberry Desktop
    2007-10-08 21:28:57 0 d-------- C:\Documents and Settings\Q12 Alex\Application Data\Research In Motion
    2007-09-30 13:58:34 0 d-------- C:\Program Files\iTunes
    2007-09-30 13:57:58 0 d-------- C:\Program Files\iPod
    2007-09-26 19:29:00 31 --ah----- C:\WINDOWS\uccspecc.sys
    2007-09-26 19:28:55 0 d-------- C:\Program Files\Coupons


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{079A4744-1229-4808-A3C0-CABA31B3391A}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11249857-77F9-47E4-B4F7-8C9F5123F5E0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69FDB1C2-D5C5-4A35-9658-EC7E65B3AD88}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85B62385-6804-4F20-AB74-D96C3359058A}]
    C:\WINDOWS\system32\geeda.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8eec6d37-8cf4-43e0-b350-604d79e85ade}]
    11/19/2007 11:57 AM 81984 --a------ C:\WINDOWS\system32\vnenmrna.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{947FC556-6784-4E60-B23A-E36F1CFBAA15}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9A51530-C28A-4ED8-AA26-A0AE6D4C0CE8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C715318A-4E2A-4D3B-9E03-1B182332ACF6}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D87A6D0B-505C-4329-B589-4598AEB24D04}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 01:56 PM]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [08/23/2006 04:14 PM]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [11/01/2006 12:48 PM]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 05:44 PM]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 05:41 PM]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 05:45 PM]
    "SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 05:30 PM C:\WINDOWS\stsystra.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/08/2006 12:48 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
    "FaxMonitor"="C:\Program Files\IPFax\FaxMonitor.exe" [01/21/2002 02:45 PM]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/06/2006 10:51 AM]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
    "American Airlines DealFinder"="C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" [09/03/2007 01:55 PM]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [07/25/2007 03:02 PM]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [07/25/2007 03:06 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 01:42 PM]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [04/23/2007 10:43 AM]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
    "OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [10/31/2007 01:18 PM]
    "Host Process"="C:\WINDOWS\Fonts\svchost.exe" [01/10/2007 11:15 AM]
    "TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [11/11/2007 01:42 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate"="C:\Program Files\Plaxo\3.3.0.39\PlaxoHelper_en_us.exe" [08/28/2007 09:04 AM]
    "IDriveE Startup"="C:\Program Files\IDriveE\IDrvieEStartup.exe" [09/25/2007 10:57 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjiged]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sxxhibml]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeda.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RoxLiveShare9"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 babe.the-killer.bz
    127.0.0.1 www.babe.the-killer.bz
    127.0.0.1 babe.k-lined.com
    127.0.0.1 www.babe.k-lined.com
    127.0.0.1 did.i-used.cc
    127.0.0.1 www.did.i-used.cc
    127.0.0.1 coolwwwsearch.com
    127.0.0.1 www.coolwwwsearch.com
    127.0.0.1 coolwebsearch.com
    127.0.0.1 www.coolwebsearch.com

    7457 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2007-11-20 08:13:05 ------------

  9. #9
    Member
    Join Date
    Nov 2007
    Posts
    75

    Default

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Genuine Intel(R) CPU T2250 @ 1.73GHz
    CPU 1: Genuine Intel(R) CPU T2250 @ 1.73GHz
    Percentage of Memory in Use: 40%
    Physical Memory (total/avail): 1526.37 MiB / 910.72 MiB
    Pagefile Memory (total/avail): 3422.56 MiB / 2948.53 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1925.51 MiB

    C: is Fixed (NTFS) - 49.79 GiB total, 18.38 GiB free.
    D: is CDROM (CDFS)
    M: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - SAMSUNG HM060HI - 54.49 GiB - 3 partitions
    \PARTITION0 - Unknown - 47.03 MiB
    \PARTITION1 (bootable) - Installable File System - 49.79 GiB - C:
    \PARTITION2 - Unknown - 4.64 GiB



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FirstRunDisabled is set.

    FW: Windows Live OneCare Firewall v1.0.0 (Microsoft Corporation)
    AV: Windows Live OneCare v1.0.0 (Microsoft Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"="C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
    "C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"="C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\WINDOWS\\system32\\rclrxyws.exe"="C:\\WINDOWS\\system32\\rcl"
    "C:\\WINDOWS\\system32\\hslynsus.exe"="C:\\WINDOWS\\system32\\hsl"
    "C:\\WINDOWS\\system32\\cmrscpjh.exe"="C:\\WINDOWS\\system32\\cmr"
    "C:\\WINDOWS\\system32\\hyqephhe.exe"="C:\\WINDOWS\\system32\\hyq"
    "C:\\WINDOWS\\system32\\aagrtasv.exe"="C:\\WINDOWS\\system32\\aag"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Q12 Alex\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=LAPTOP
    ComSpec=C:\WINDOWS\system32\cmd.exe
    DEFAULT_CA_NR=CA18
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Q12 Alex
    LOGONSERVER=\\LAPTOP
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Windows Imaging
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0e08
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
    RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Q12ALE~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Q12ALE~1\LOCALS~1\Temp
    USERDOMAIN=LAPTOP
    USERNAME=Q12 Alex
    USERPROFILE=C:\Documents and Settings\Q12 Alex
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Q12 Alex (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    --> C:\WINDOWS\UNNMP.exe /UNINSTALL
    --> MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
    --> MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
    --> MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
    --> MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
    --> MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
    --> MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
    --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
    --> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7875FD9-6ADB-4D4B-A756-3A2306A3D5E1}\setup.exe" -l0x9 anything
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    American Airlines DealFinder (remove only) --> "C:\Program Files\American Airlines DealFinder\Uninstall.exe" -R
    Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
    Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /i{0725C68F-FD3A-4476-BDA0-C002C7FE307C}
    BlackBerry Desktop Software 4.2.2 --> MsiExec.exe /I{0725C68F-FD3A-4476-BDA0-C002C7FE307C}
    BlackBerry v4.2.1 for the 8100 Series Wireless Handheld --> MsiExec.exe /X{C9416263-0E35-41C9-91C0-32100F0D3448}
    Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
    CommuniKate 2.0 Video Conferencing --> MsiExec.exe /X{BE35F900-AA44-4655-88FC-C872AF2AF384}
    Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
    Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
    DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
    Dell Resource CD --> MsiExec.exe /X{2764CA82-DFB9-4498-AF85-719340BF5305}
    Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
    DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
    GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
    GTOneCare --> MsiExec.exe /X{EE7C954E-2356-491D-9188-D1852ADF41FE}
    High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    IDrive-E version 2.0.7 October 19 2007 --> "C:\Program Files\IDriveE\unins000.exe"
    Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
    IPFax --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAC19E84-F3D2-4437-A104-8DB80E36973C}\setup.exe"
    iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
    J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
    J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
    Logitech QuickCam --> MsiExec.exe /X{364EC092-93CF-4DDC-9D7A-7278452028E0}
    Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
    Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft English TTS Engine --> MsiExec.exe /I{94824ADD-8F26-43D2-84DB-22E11F377E5E}
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Protection Service --> MsiExec.exe /I{62514E51-0E57-41B8-968C-43BB55694CC6}
    Microsoft Streets & Trips 2007 --> MsiExec.exe /I{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Windows Live OneCare Resources v2.0.2500.10 --> MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
    Microsoft Windows OneCare Live AntiSpyware and AntiVirus --> MsiExec.exe /I{CB8410EA-A3D5-47F2-8653-D4EEA4BF8D4C}
    Microsoft Windows OneCare Live v2.0.2392.4 Idcrl Install --> MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
    Microsoft Windows OneCare Live v2.0.2500.10 --> MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
    Mozilla Firefox (2.0.0.9) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
    Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
    Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
    Plaxo Toolbar for Outlook and Outlook Express --> C:\Program Files\Plaxo\3.3.0.39\uninstall_en_us.exe
    PowerDVD 5.9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    PX Engine --> MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
    Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
    QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    Roxio Media Manager --> MsiExec.exe /X{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
    Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
    Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
    SyncToy --> MsiExec.exe /I{B5688129-7595-4E5B-9990-CEF981A31264}
    Trojan Remover 6.6.4 --> "C:\Program Files\Trojan Remover\unins000.exe"
    TTS Wrapper --> MsiExec.exe /I{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}
    ucietb --> MsiExec.exe /I{14B8E594-40F1-45AF-975F-33301144C6D1}
    Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
    Windows Automated Installation Kit --> MsiExec.exe /I{31E8F586-4EF7-4500-844D-BA8756474FF1}
    Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimsptsk_469677EEC4F8D39ABD61046D242B2A1651DE8AEF\rimsptsk.inf
    Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimmptsk_EA24AF82DAB6BA6CF6FB1A3004EE91F51D3FDCF9\rimmptsk.inf
    Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rixdptsk_30B42BE4DA4D11DB80E5D3DD10180621BA0A53DD\rixdptsk.inf
    Windows Live OneCare --> "C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type9221 / Warning
    Event Submitted/Written: 11/19/2007 04:28:44 PM
    Event ID/Source: 1001 / MsiInstaller
    Event Description:
    Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

    Event Record #/Type9220 / Warning
    Event Submitted/Written: 11/19/2007 04:28:44 PM
    Event ID/Source: 1004 / MsiInstaller
    Event Description:
    Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\QuickCam10\DesktopShortcutKey' does not exist.

    Event Record #/Type9219 / Warning
    Event Submitted/Written: 11/19/2007 04:28:44 PM
    Event ID/Source: 1001 / MsiInstaller
    Event Description:
    Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

    Event Record #/Type9218 / Warning
    Event Submitted/Written: 11/19/2007 04:28:44 PM
    Event ID/Source: 1004 / MsiInstaller
    Event Description:
    Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\QuickCam10\DesktopShortcutKey' does not exist.

    Event Record #/Type9217 / Warning
    Event Submitted/Written: 11/19/2007 04:28:44 PM
    Event ID/Source: 1001 / MsiInstaller
    Event Description:
    Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam' failed during request for component '{3BBB8098-03C8-48DC-AA83-9B2159E12E0D}'



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type16938 / Error
    Event Submitted/Written: 11/20/2007 07:39:12 AM
    Event ID/Source: 7031 / Service Control Manager
    Event Description:
    The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

    Event Record #/Type16935 / Warning
    Event Submitted/Written: 11/20/2007 07:39:06 AM
    Event ID/Source: 1006 / OneCareMP
    Event Description:
    %NT AUTHORITY29 scan has detected spyware or other potentially unwanted software.

    For more information please see the following:
    %NT AUTHORITY295

    Scan ID: {41FF1A1F-FBBA-4D32-AF34-7A2B1DABB7DB}

    Scan Type: %NT AUTHORITY02

    Scan Parameters: %NT AUTHORITY09

    User: NT AUTHORITY\SYSTEM

    Name: %NT AUTHORITY291

    ID: %NT AUTHORITY292

    Severity: 1.5.1941.05

    Category: 1.5.1941.06

    Path Found: %NT AUTHORITY296

    Detection Type: 1.5.1941.02

    Event Record #/Type16927 / Error
    Event Submitted/Written: 11/19/2007 04:28:22 PM
    Event ID/Source: 4321 / NetBT
    Event Description:
    The name "WORKGROUP :1d" could not be registered on the Interface with IP address 10.0.0.2.
    The machine with the IP address 10.0.0.3 did not allow the name to be claimed by
    this machine.

    Event Record #/Type16920 / Warning
    Event Submitted/Written: 11/19/2007 04:27:22 PM
    Event ID/Source: 3004 / OneCareMP
    Event Description:
    %29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %29 can't undo changes that you allow.

    For more information please see the following:
    %295

    Scan ID: {D5FB00A4-D5B7-43BF-8437-84A262385D22}

    Agent: %43

    User: \

    Name: %291

    ID: %292

    Severity: 1.5.1941.05

    Category: 1.5.1941.06

    Path Found: %296

    Alert Type: %298

    Process Name:

    Detection Type: 1.5.1941.02

    Status: 1.5.1941.00

    Event Record #/Type16919 / Warning
    Event Submitted/Written: 11/19/2007 04:27:22 PM
    Event ID/Source: 3004 / OneCareMP
    Event Description:
    %NT AUTHORITY29 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %NT AUTHORITY29 can't undo changes that you allow.

    For more information please see the following:
    %NT AUTHORITY295

    Scan ID: {2463DEFA-B9A2-40BE-A2A4-5C21B0E94C2F}

    Agent: %NT AUTHORITY43

    User: NT AUTHORITY\SYSTEM

    Name: %NT AUTHORITY291

    ID: %NT AUTHORITY292

    Severity: 1.5.1941.05

    Category: 1.5.1941.06

    Path Found: %NT AUTHORITY296

    Alert Type: %NT AUTHORITY298

    Process Name:

    Detection Type: 1.5.1941.02

    Status: 1.5.1941.00



    -- End of Deckard's System Scanner: finished at 2007-11-20 08:13:05 ------------

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Open HijackThis, click do a system scan only and checkmark these:

    O2 - BHO: (no name) - {079A4744-1229-4808-A3C0-CABA31B3391A} - (no file)
    O2 - BHO: (no name) - {11249857-77F9-47E4-B4F7-8C9F5123F5E0} - (no file)
    O2 - BHO: (no name) - {69FDB1C2-D5C5-4A35-9658-EC7E65B3AD88} - (no file)
    O2 - BHO: (no name) - {85B62385-6804-4F20-AB74-D96C3359058A} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: {eda58e97-d406-053b-0e34-4fc873d6cee8} - {8eec6d37-8cf4-43e0-b350-604d79e85ade} - C:\WINDOWS\system32\vnenmrna.dll
    O2 - BHO: (no name) - {947FC556-6784-4E60-B23A-E36F1CFBAA15} - (no file)
    O2 - BHO: (no name) - {A9A51530-C28A-4ED8-AA26-A0AE6D4C0CE8} - (no file)
    O2 - BHO: (no name) - {C715318A-4E2A-4D3B-9E03-1B182332ACF6} - (no file)
    O2 - BHO: (no name) - {D87A6D0B-505C-4329-B589-4598AEB24D04} - (no file)
    O20 - Winlogon Notify: ljjiged - C:\WINDOWS\
    O20 - Winlogon Notify: sxxhibml - C:\WINDOWS\


    Close all windows including browser and press fix checked.

    First we'll need to backup registry:

    Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

    Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\rclrxyws.exe"=-
    "C:\\WINDOWS\\system32\\hslynsus.exe"=-
    "C:\\WINDOWS\\system32\\cmrscpjh.exe"=-
    "C:\\WINDOWS\\system32\\hyqephhe.exe"=-
    "C:\\WINDOWS\\system32\\aagrtasv.exe"=-

    It should look like this ->

    Doubleclick fix.reg, press Yes and ok.

    (In case you are unsure how to create a reg file, take a look here with screenshots.)

    Please download the Killbox.
    Save it to the desktop.

    Please run Killbox.

    Select "Delete on Reboot" and "All files"

    Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\system32\vnenmrna.dll
    C:\WINDOWS\system32\xpxxiotl.dll
    C:\WINDOWS\system32\xnlcxsws.exe
    C:\WINDOWS\system32\xqqyhsgd.dll
    C:\WINDOWS\system32\cwfvbmow.exe
    C:\WINDOWS\system32\gmptwebs.dll
    C:\WINDOWS\system32\mqnbdqki.dll
    C:\WINDOWS\system32\aagrtasv.exe
    C:\WINDOWS\system32\jdguoefo.dll
    C:\WINDOWS\system32\urylakwj.dll
    C:\WINDOWS\system32\hyqephhe.exe
    C:\WINDOWS\system32\bfyrmtia.dll
    C:\WINDOWS\system32\txyfdrfh.exe
    C:\WINDOWS\system32\ispitfqf.dll
    C:\WINDOWS\system32\cxvvupkt.dll
    C:\WINDOWS\system32\achhginx.dll
    C:\winlogon.exe
    C:\WINDOWS\system32\kivjyxcr.dll
    C:\WINDOWS\system32\mkhcnafs.exe
    C:\WINDOWS\system32\qskokyxb.dll
    C:\WINDOWS\system32\xirmbjeu.exe
    C:\WINDOWS\system32\fqameehf.dll
    C:\WINDOWS\system32\wkpelmdl.exe
    C:\WINDOWS\system32\tjxptdle.exe
    C:\WINDOWS\system32\rkfkpdno.dll
    C:\WINDOWS\system32\erwundcg.dll
    C:\n.bat
    C:\z.dat
    C:\z.exe

    Go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

    If your computer does not restart automatically, please restart it manually.

    Re-run dss

    Post dss log (main.txt only)
    Last edited by Shaba; 2007-11-20 at 17:21.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •