[Resolved] Svchost.exe, can only get online in safe mode
newromecity
post Mar 13 2009, 12:11 PM
Post #1

I've got that dreaded SVCHOST.EXE problem. The one where you get application errors that read "the instructions at referenced memory cannot be read" as soon as I start up my laptop. However, my SVCHOST problem has done something that I have not seen it do to others while researching this. It has prevented me from connecting to the internet. The only way I can connect is while in Safe Mode. While not in Safe Mode, when I try to connect my Local Area Connection, it will say LAN cannot be found. And it won't allow me to set up a new internet connection either. I have scanned my PC with Symantec and have come up with nothing. Using the program "Absolute Startup", I have been able to determine the source of my problem while experimenting with the services on startup. When I disable "svchost.exe -k netsvcs", also known as Remote Access (Auto) Connection Manager, I stop receiving the application errors; however, I still cannot connect online because obviously these services are needed by Windows 2000 to operate and go online. I've also disabled Automatic Windows Updates because that's often been cited as the source of this headache, but that hasn't solved anything either. I got this problem originally from opening an .exe file that I shouldn't have opened. Here is my HijackThis log; any help or suggestions are greatly appreciated. This was taken during a normal boot; if my Safe Mode log is needed too, just ask.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:51 PM, on 3/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1179892421\ee\aolsoftware.exe
C:\program files\common files\aol\1179892421\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1179892421\ee\aolsoftware.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\Run: [Internat.exe] internat.exe (User 'ASPNET')
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AirFortress® Client.lnk = ?
O4 - Global Startup: FMTP.lnk = C:\WINNT\Support_Files\ifmem.bat
O4 - Global Startup: FMTPprinter.lnk = C:\WINNT\Support_Files\printer.bat
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NFServer - Unknown owner - C:\Program Files\Fortress\AirFortress® Client\NFServer.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 10679 bytes


Ironbender
post Mar 13 2009, 02:33 PM
Post #2


Reality is just an illusion due to a lack of alcohol.


Group: SAF Moderator
Posts: 15,378
Joined: 16-March 05
From: Jacarei, SP - Brazil
Member No.: 10,092



Hi newromecity, welcome to SAF

SVCHOST is a legit Windows file, unless it resides in a wrong folder.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Go to your Control Panel, Add/Remove Programs, and uninstall ViewPoint.

Download FixWareout from http://www.4shared.com/file/40178743/91522...areout.html?s=1

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they are still there:

O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\Run: [Internat.exe] internat.exe (User 'ASPNET')

O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236


At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

Should you have problems connecting to the internet after the fix, follow these instructions.
Start -> Control Panel -> Network Connections. Right-click on your default connection (usually Local Area Connection, or Dial-up Connection if you are using dial-up) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

If HJT does not start, click and run it.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake (some entries may no longer be there, though).:

O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\Run: [Internat.exe] internat.exe (User 'ASPNET')

O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.88,85.255.112.236


Click on Fix Checked when finished and exit HijackThis

Post the FixWareout report along with a fresh HJT log.

Chris


--------------------
Please help Ana

My Roots ~ My Nephew's band ~ My Online Newspaper
It sounds like English, but I can't understand a word you are saying
Men have become the tools of their tools. - H. D. Thoreau

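The O17 lines Chris lists above are the actual infection: every NameServer value under Tcpip has been pointed at 85.255.112.88 and 85.255.112.236, so all name resolution goes through attacker-controlled resolvers. Two things a practitioner would want to check that the HJT entries only hint at: the hijack is present in CS1 and CS2 as well as CCS (CurrentControlSet is a link to one of the numbered sets, and "Last Known Good" boots the other, so with both poisoned a LKG boot does not help), and it is set both globally (Tcpip\Parameters) and per interface (the {GUID} key). The script below is an added example, not part of the original thread or of the FixWareout/HijackThis tools. It parses O17 lines from a constructed log (copied from the thread with one private-address entry added), flags any resolver that is neither RFC 1918/loopback nor on an explicit allowlist, and emits a .reg file that blanks NameServer on each hijacked key, which is what "Obtain DNS servers automatically" does by letting TCP/IP fall back to DhcpNameServer. The expansion of HJT's `..\{GUID}` shorthand to `Parameters\Interfaces\{GUID}` is my reading of the abbreviation.

```python
"""Audit HijackThis O17 (NameServer) lines for DNS hijacking and emit a .reg fix.
Added example; the sample log is constructed from the thread's O17 lines."""
import ipaddress
import re

SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.88,85.255.112.236
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# HJT writes "CCS"/"CS1"/"CS2" for the control set and "..\{GUID}" for Parameters\Interfaces\{GUID}.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<sub>Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,\s]+)$"
)
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def registry_key(cs, sub):
    """Expand HJT's abbreviated key into the full HKLM path (assumed expansion of the shorthand)."""
    name = "CurrentControlSet" if cs == "CCS" else "ControlSet%03d" % int(cs[2:])
    base = "HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\Services\\Tcpip\\Parameters" % name
    return base if sub == "Parameters" else base + "\\Interfaces\\" + sub[3:]


def parse_o17(text):
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append({"control_set": m.group("cs"),
                            "key": registry_key(m.group("cs"), m.group("sub")),
                            "servers": servers})
    return entries


def is_trusted(server, allowed):
    """A resolver is trusted if it is on the explicit allowlist or a private/loopback address."""
    addr = ipaddress.ip_address(server)
    return addr in allowed or any(addr in net for net in PRIVATE)


def audit(text, allowlist=()):
    """Return [(registry key, [untrusted resolvers])] for every poisoned NameServer value."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for e in parse_o17(text):
        bad = [s for s in e["servers"] if not is_trusted(s, allowed)]
        if bad:
            findings.append((e["key"], bad))
    return findings


def affected_control_sets(text):
    """Which control sets carry the hijack; if every numbered set is listed, Last Known Good won't help."""
    return sorted({e["control_set"] for e in parse_o17(text)})


def reg_fix(findings):
    """Emit a .reg file that blanks NameServer on each hijacked key, so TCP/IP falls back to DHCP-assigned DNS."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _ in findings:
        lines += ["[%s]" % key, '"NameServer"=""', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, bad in audit(SAMPLE_LOG):
        print("HIJACKED", key, "->", ", ".join(bad))
    print("control sets affected:", affected_control_sets(SAMPLE_LOG))
    print(reg_fix(audit(SAMPLE_LOG)))
```

Run it against a real log with `audit(open("hijackthis.log").read(), allowlist=["<your ISP's resolvers>"])`; anything reported on a numbered control set other than the one CCS links to will survive a fix applied only through the Network Connections dialog, which edits CurrentControlSet.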
newromecity
post Mar 13 2009, 07:17 PM
Post #3

Thanks for the help Chris. Below are both the new hijack file and fixwareout report.

A couple of notes, while in regular boot, I could not access the Control panel to reset the network connection, I had to go into Safe Mode to do so. In regular boot, I got the following messages...

"Cannot find the file (null) or one of its components. Make sure the path and filename are correct and that all required libraries are available."

and also

"Access to specified device, path or file is denied."

Also, the desktop is not visible.

I was able to access Hijack this though because I have it under programs in the Start Menu. Everything else though, I have to do under Safe Mode.

The SVCHOST.EXE application error continues to pop up, and I also noticed that the processes take up 100% CPU Usage, eating up all my memory.

Username "Administrator" - 03/13/2009 21:15:07 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Dell Wireless Manager UI"="C:\\WINNT\\system32\\WLTRAY"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:03 PM, on 3/13/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Fortress\AirFortress® Client\NFRemote.exe
C:\Program Files\Common Files\AOL\1179892421\ee\aolsoftware.exe
C:\program files\common files\aol\1179892421\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1179892421\ee\aolsoftware.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Hcheck.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINNT\system32\WLTRAY
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AirFortress® Client.lnk = ?
O4 - Global Startup: FMTP.lnk = C:\WINNT\Support_Files\ifmem.bat
O4 - Global Startup: FMTPprinter.lnk = C:\WINNT\Support_Files\printer.bat
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NFServer - Unknown owner - C:\Program Files\Fortress\AirFortress® Client\NFServer.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 9659 bytes

This post has been edited by newromecity: Mar 13 2009, 09:28 PM
Ironbender
post Mar 14 2009, 03:26 AM
Post #4

According to your HJT log, the SVCHOST file is running from its proper folder. The wareout infection seems to be gone.

You may have other infections associated with it, and there is a possibility that they are interfering with the normal system behavior.

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner, go to Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".

- Download Malwarebytes Anti-Malware from http://www.majorgeeks.com/Malwarebyte'...ware_d5756.html to the desktop.

- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both these checked:
- Update Malwarebytes Anti-Malware
- Launch Malwarebytes Anti-Malware
- Then click Finish.

- MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- On the Scanner tab:
- Make sure the "Perform Full Scan" option is selected.
- Then click on the Scan button.
- The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the contents of that report in your next reply along with a fresh HijackThis log and exit MBAM.

NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

Post the mbam report along with a fresh HJT log.

Chris


newromecity
post Mar 14 2009, 10:08 AM
Post #5

Very frustrating. MBAM will not run automatically. It's installed and it's there but it won't open when I click on it, nor will it open automatically after setup.
Ironbender
post Mar 14 2009, 02:18 PM
Post #6

Try renaming mbam.exe to see if that makes any difference.

Also, download RSIT from http://images.malwareremoval.com/random/RSIT.exe to your desktop and run it there.

Post the log it generates.

Chris


newromecity
post Mar 15 2009, 12:32 AM
Post #7

MBAM.exe still doesn't run. As for RSIT, I get the following message...

"AutoIt Error

Line - 1:

Error: Incorrect number of parameters in function call."

Question: in the first HijackThis log, you had me fix the internat.exe entry. I believe there are two more instances of it in the 2nd HijackThis log under O4, though; do those matter, or are they supposed to remain?
Ironbender
post Mar 15 2009, 03:43 AM
Post #8

internat.exe may be either a legitimate Windows program (the keyboard language indicator) or one added by Backdoor.AntiLam.20.K.

Name: SVCHOST
Filename: internat.exe


This one can give a hacker access to your system.

Since it's coming back, I need you to run the other tools to be sure.

This will be a shot in the dark...

Download Combofix to your desktop by clicking here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Close all windows and any program in your system tray. Do not click the mouse or type anything while ComboFix is running; that may cause it to stall.

You can safely ignore warnings about not having the Recovery Console installed. Run it only once!

Post the Combofix report along with a fresh HJT log.

Chris


newromecity
post Mar 15 2009, 09:26 AM
Post #9





Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997



ComboFix detected something known as rootkit activity on my PC. Here's the report. I will post a fresh HJT following this post.

ComboFix 09-03-14.01 - Administrator 2009-03-15 12:05:20.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\Administrator\Application Data\WeatherDPA
c:\documents and settings\Administrator\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf_update.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
C:\resycled
c:\winnt\packet.dll
c:\winnt\pthreadVC.dll
c:\winnt\system32\drivers\gaopdxttrpbqbapsxwnomujnklftjuyfuxbhxe.sys
c:\winnt\system32\gaopdxcounter
c:\winnt\system32\gaopdxphvtomuwykrvmswiyobobqmcxcrvooda.dll
c:\winnt\Web\default.htt
c:\winnt\wpcap.dll
D:\Autorun.inf
d:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
D:\resycled
E:\Autorun.inf
e:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
E:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_IPRIP
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 04:16 . 09-03-15 04:16 588,502 ---h----- c:\winnt\ShellIconCache
2009-03-14 23:52 . 09-03-14 23:52 <DIR> d-------- C:\rsit
2009-03-14 13:05 . 09-03-14 13:05 <DIR> d-------- c:\program files\MBAM
2009-03-14 13:05 . 09-03-14 13:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-14 13:05 . 09-02-11 10:19 38,496 --a------ c:\winnt\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-14 13:05 . 09-02-11 10:19 15,504 --a------ c:\winnt\SYSTEM32\DRIVERS\mbam.sys
2009-03-14 12:37 . 09-03-14 12:37 <DIR> d-------- c:\program files\CCleaner
2009-03-13 20:19 . 09-03-13 21:21 <DIR> d-------- C:\fixwareout
2009-03-13 14:16 . 09-03-13 14:36 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 21:30 . 09-03-12 21:30 <DIR> d-------- c:\program files\F-Group
2009-03-12 20:59 . 07-08-22 13:10 400,890 --a------ C:\txtsetup.sif
2009-03-12 20:59 . 05-07-13 23:06 259,776 --a------ C:\$LDR$
2009-03-12 20:55 . 09-03-12 20:55 <DIR> d-------- C:\$WIN_NT$.~LS
2009-03-12 20:55 . 09-03-12 20:55 <DIR> d-------- C:\$WIN_NT$.~BT
2009-03-12 14:02 . 09-03-12 15:41 <DIR> d-------- c:\program files\Ascentive
2009-03-12 14:02 . 08-11-07 17:58 223,232 --a------ c:\winnt\SYSTEM32\sqlite3.dll
2009-03-12 14:02 . 09-02-10 18:05 208,896 --a------ c:\winnt\SYSTEM32\ConTest.dll
2009-03-12 14:02 . 08-11-07 17:58 86,016 --a------ c:\winnt\SYSTEM32\SQLiteWrapper.dll
2009-03-12 14:02 . 08-11-06 16:04 36,864 --a------ c:\winnt\SYSTEM32\ascbalon.dll
2009-03-12 14:02 . 08-11-06 16:04 20,480 --a------ c:\winnt\SYSTEM32\SysRestore.dll
2009-03-12 00:33 . 09-03-12 01:20 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-03-12 00:20 . 05-08-27 03:38 1,435,272 --a------ c:\winnt\SYSTEM32\Flash.ocx
2009-03-12 00:20 . 03-11-19 14:59 512,688 --a------ c:\winnt\SYSTEM32\XceedCry.dll
2009-03-12 00:20 . 04-05-11 10:56 423,784 --a------ c:\winnt\SYSTEM32\XceedBkp.dll
2009-03-12 00:20 . 04-02-05 21:53 389,120 --a------ c:\winnt\SYSTEM32\ACTSKN43.OCX
2009-03-12 00:20 . 01-07-28 13:50 265,753 --a------ c:\winnt\SYSTEM32\AS-Exp2.ocx
2009-03-12 00:20 . 04-01-09 11:54 188,416 --a------ c:\winnt\SYSTEM32\actsplash.ocx
2009-03-12 00:20 . 04-03-09 00:00 131,856 --a------ c:\winnt\SYSTEM32\MSADODC.ocx
2009-03-12 00:20 . 01-03-28 23:02 89,088 --a------ c:\winnt\SYSTEM32\ProgressBar4.ocx
2009-03-12 00:20 . 01-04-20 02:28 28,672 --a------ c:\winnt\SYSTEM32\systray.ocx
2009-03-12 00:20 . 99-01-26 20:36 11,012 --a------ c:\winnt\SYSTEM32\threadapi.tlb
2009-03-11 21:31 . 09-03-12 15:36 <DIR> d-------- c:\program files\Panda Security
2009-03-11 14:37 . 08-11-02 20:00 <DIR> d-------- c:\documents and settings\ASPNET\Application Data\SACore
2009-03-11 14:37 . 09-03-11 14:37 <DIR> d-------- c:\documents and settings\ASPNET
2009-03-10 15:13 . 09-03-10 15:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 07:02 --------- d-----w c:\program files\yRead2
2009-03-14 01:12 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-13 05:00 --------- d-----w c:\program files\Advanced Uninstaller PRO - Version 9
2009-03-12 20:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-12 19:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-11 17:32 --------- d-----w c:\program files\DivX
2009-02-27 22:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-08 17:36 --------- d---a-w c:\program files\Dell
2009-02-08 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2009-02-08 17:34 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-08 17:21 --------- d-----w c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-02-07 02:42 --------- d-----w c:\documents and settings\Administrator\Application Data\WNR
2009-02-07 00:25 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-07 00:18 --------- d---a-w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-07 00:09 --------- d-----w c:\program files\HP
2009-02-07 00:05 --------- d-----w c:\program files\Common Files\HP
2009-02-07 00:01 --------- d---a-w c:\program files\Common Files\Adaptec Shared
2009-02-06 23:50 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-04 17:18 --------- d-----w c:\documents and settings\Administrator\Application Data\Move Networks
2009-02-04 02:38 --------- d-----w c:\documents and settings\Administrator\Application Data\Aim
2009-02-04 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-02-04 02:24 --------- d-----w c:\program files\Common Files\Real
2009-02-02 17:38 --------- d-----w c:\documents and settings\Administrator\Application Data\.BitTornado
2009-02-02 05:18 --------- d-----w c:\documents and settings\Administrator\Application Data\Graboid Inc
2009-02-01 23:37 --------- d-----w c:\documents and settings\Administrator\Application Data\MozillaControl
2009-02-01 22:34 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-02-01 01:34 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-08-22 23:50 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-08-15 23:29 18,848 ----a-w c:\documents and settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-07-10 18:54 271 ---ha-w c:\program files\DESKTOP.INI
2003-07-10 18:54 21,952 ---ha-w c:\program files\FOLDER.HTT
2003-06-20 12:00 32,528 ----a-w c:\winnt\INF\WBFIRDMA.SYS
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\SYSTEM32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 c:\winnt\SYSTEM32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [04-10-30 14:59 385024]
"Synchronization Manager"="mobsync.exe" [03-06-20 07:00 111376 c:\winnt\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [03-06-20 07:00 20752 c:\winnt\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-20 07:00 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
04-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
06-09-01 00:49 140048 c:\winnt\SYSTEM32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

R3 ATE_PROCMON;ATE_PROCMON; [x]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [99-10-23 12:22 61712]
R3 SavRoam;SavRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [04-03-12 14:18 169192]
R3 Scr110;SCR110 Serial Smart Card Reader;c:\winnt\system32\DRIVERS\Scr110.sys [03-02-04 03:00 19272]
R3 SCRx31 USB Reader;SCRx31 USB Reader;c:\winnt\system32\DRIVERS\stc2.sys [02-07-03 19:32 56320]
R3 w70n5;Intel® PRO/Wireless 7100 Adapter Driver;c:\winnt\system32\DRIVERS\w70n5.sys [04-01-13 02:46 2481408]
R4 NFServer;NFServer;c:\program files\Fortress\AirFortress® Client\NFServer.exe [02-06-21 17:21 110592]
S0 fasttrak;fasttrak;c:\winnt\system32\DRIVERS\fasttrak.sys [01-04-26 16:00 64418]
S0 mraid2k;mraid2k;c:\winnt\system32\DRIVERS\mraid2k.sys [01-06-08 09:25 17258]
S1 Dlc;DLC Protocol;c:\winnt\system32\DRIVERS\dlc.sys [03-06-20 07:00 56112]
S1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\ghpciscan.sys [02-08-14 14:11 5632]
S2 AppleTalk;AppleTalk Protocol;c:\winnt\system32\DRIVERS\sfmatalk.sys [03-06-20 07:00 148400]
S2 PRPC;PRPC; [x]
S3 GTIPCI21;GTIPCI21;c:\winnt\system32\DRIVERS\gtipci21.sys [04-05-03 16:26 80384]
S3 IWCA2K;Intel Wireless Connection Agent Miniport for Win 2K;c:\winnt\system32\DRIVERS\iwca2k.sys [04-08-12 08:43 21504]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [04-01-16 19:06 50032]


--- Other Services/Drivers In Memory ---

*Deregistered* - adpu160m
*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - Aha154x
*Deregistered* - aic78u2
*Deregistered* - aic78xx
*Deregistered* - Alerter
*Deregistered* - AppleTalk
*Deregistered* - AppMgmt
*Deregistered* - Aspi32
*Deregistered* - aspnet_state
*Deregistered* - audstub
*Deregistered* - BASFND
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - ccProxy
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - DefWatch
*Deregistered* - Dhcp
*Deregistered* - Diskperf
*Deregistered* - Dlc
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Dnscache
*Deregistered* - EFS
*Deregistered* - Fastfat
*Deregistered* - fasttrak
*Deregistered* - Fd16_700
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - GhPciScan
*Deregistered* - Gpc
*Deregistered* - IntelIde
*Deregistered* - IpFilterDriver
*Deregistered* - IWCA2K
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MPFP
*Deregistered* - MpfService
*Deregistered* - mraid2k
*Deregistered* - mraid35x
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - Mup
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - NetDDE
*Deregistered* - NetDDEdsdm
*Deregistered* - Netlogon
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - NtLmSsp
*Deregistered* - Null
*Deregistered* - NwlnkIpx
*Deregistered* - NwlnkNb
*Deregistered* - NwlnkSpx
*Deregistered* - omci
*Deregistered* - Parallel
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RemoteRegistry
*Deregistered* - ROOTMODEM
*Deregistered* - RSVP
*Deregistered* - s24trans
*Deregistered* - SamSs
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SbcpHid
*Deregistered* - seclogon
*Deregistered* - SimpTcp
*Deregistered* - SNDSrvc
*Deregistered* - Sparrow
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Symantec AntiVirus
*Deregistered* - SYMDNS
*Deregistered* - SymEvent
*Deregistered* - SYMFW
*Deregistered* - SYMIDS
*Deregistered* - SYMIDSCO
*Deregistered* - SYMNDIS
*Deregistered* - SYMREDRV
*Deregistered* - SYMTDI
*Deregistered* - SysmonLog
*Deregistered* - Tcpip
*Deregistered* - Ultra
*Deregistered* - Update
*Deregistered* - UPS
*Deregistered* - UtilMan
*Deregistered* - VgaSave
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WmdmPmSN
*Deregistered* - Wmi
*Deregistered* - wuauserv
.
Contents of the 'Scheduled Tasks' folder

2004-08-04 c:\winnt\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [04-01-02 13:20 ]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://live.xbox.com/en-US/profile/Friends.aspx
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}\SOFTWARE
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}\SOFTWARE\Classes
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}\SOFTWARE\Classes\CLSID
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ProgID
LSP: %SystemRoot%\system32\msafd.dll
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gzlf1ra1.default\
FF - prefs.js: browser.startup.homepage - hxxp://games.espn.go.com/frontpage/flbdraftkit|http://sports.espn.go.com/fantasy/baseball/flb/story?page=mlbdk2k9ranksTop500|http://webmail.aol.com/41421/aim/en-us/Suite.aspx|http://games.espn.go.com/flb/leagueoffice?leagueId=43108
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 12:13:31
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-577020384-2308808795-1272252130-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63496D0E-1653-5764-30C8-8B7AE0E43F7E}*]
"bbehecjdilgdpohalhpomfdfdaamgcffalkn"=hex:61,61,00,00
"abehecjdilgdpohalhiphkgpaeocpaolen"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\BaseWinOptions]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\EncInst]
@DACL=(02 0000)
"DebugFile"="c:\\encinst.log"
"DebugLevel"=hex:ef
"Enabled"=hex:fe
"path"="c:\\WINNT\\system32\\export\\encinst.exe"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents]
@DACL=(02 0000)
"ComponentList"=multi:"{FB8B5424-4B01-433E-AB3B-4B296655D43A}\00{89820200-ECBD-11CF-8B85-00AA005B4383}\00{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\00{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\00{5DC6714D-359A-4BBE-A62E-38E86902C81A}\00{E9A84D17-E5C1-4890-A557-4460207F6AAF}\00{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\00{C53A407B-397A-4EEC-812F-E951673CDE7F}\00{0E7420B5-D964-400C-8AC0-60537B2D0832}\00{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\00{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\00{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\00{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\00{AA936DF4-2B08-4B1F-B071-72192E287704}\00{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\00{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{0E7420B5-D964-400C-8AC0-60537B2D0832}]
@DACL=(02 0000)
"FriendlyName"="SQLXMLX Exception Package"
"ComponentGUID"="{0E7420B5-D964-400C-8AC0-60537B2D0832}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{0E7420B5-D964-400C-8AC0-60537B2D0832}\\SQLXMLXP.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{0E7420B5-D964-400C-8AC0-60537B2D0832}\\sqlxmlxp.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}]
@DACL=(02 0000)
"FriendlyName"="Microsoft MDAC Response Files"
"ComponentGUID"="{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\\rspfiles.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\\rspfiles.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
@DACL=(02 0000)
"FriendlyName"="DirectX"
"ComponentGUID"="{44BBA855-CC51-11CF-AAFA-00AA00B6015C}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\\dxxp.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\\dxxp.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{5DC6714D-359A-4BBE-A62E-38E86902C81A}]
@DACL=(02 0000)
"FriendlyName"="Microsoft MDAC Setup Files"
"ComponentGUID"="{5DC6714D-359A-4BBE-A62E-38E86902C81A}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{5DC6714D-359A-4BBE-A62E-38E86902C81A}\\dasetup.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{5DC6714D-359A-4BBE-A62E-38E86902C81A}\\dasetup.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{89820200-ECBD-11CF-8B85-00AA005B4383}]
@DACL=(02 0000)
"FriendlyName"="Internet Explorer 6"
"ComponentGUID"="{89820200-ECBD-11CF-8B85-00AA005B4383}"
"Version"=dword:00060000
"Sub-Version"=dword:00000000
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\ieex.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{89820200-ECBD-11cf-8B85-00AA005B4383}\\ieex.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}]
@DACL=(02 0000)
"FriendlyName"="BidInterface Exception Package"
"ComponentGUID"="{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\\bidintrx.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\\bidintrx.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}]
@DACL=(02 0000)
"FriendlyName"="Microsoft SQL Server ODBC Drivers"
"ComponentGUID"="{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\\SQLODBC.INF"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\\sqlodbc.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AA936DF4-2B08-4B1F-B071-72192E287704}]
@DACL=(02 0000)
"FriendlyName"="DirectX BDA"
"ComponentGUID"="{AA936DF4-2B08-4B1F-B071-72192E287704}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{AA936DF4-2B08-4B1F-B071-72192E287704}\\dxbda.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{AA936DF4-2B08-4B1F-B071-72192E287704}\\dx9bda.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}]
@DACL=(02 0000)
"FriendlyName"="Microsoft SQL Server Net Libs"
"ComponentGUID"="{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\\SQLNET.INF"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\\sqlnet.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}]
@DACL=(02 0000)
"FriendlyName"="Microsoft SQL Server OLEDB Provider"
"ComponentGUID"="{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\\SQLOLDB.INF"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\\sqloldb.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}]
@DACL=(02 0000)
"FriendlyName"="Microsoft Active Accessibility"
"ComponentGUID"="{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}"
"Version"=dword:00040002
"Sub-Version"=dword:151e0000
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\\msaaNT.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\\msaa2K.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C53A407B-397A-4EEC-812F-E951673CDE7F}]
@DACL=(02 0000)
"FriendlyName"="MSXML 3.0 Exception Package"
"ComponentGUID"="{C53A407B-397A-4EEC-812F-E951673CDE7F}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{C53A407B-397A-4EEC-812F-E951673CDE7F}\\MSXMLX.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{C53A407B-397A-4EEC-812F-E951673CDE7F}\\msxmlx.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Player Exception Pack"
"ComponentGUID"="{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}"
"Version"=dword:00090000
"Sub-Version"=dword:00000ba4
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\\wmexpack.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\\wmexpack.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{E9A84D17-E5C1-4890-A557-4460207F6AAF}]
@DACL=(02 0000)
"FriendlyName"="WebData Setup Exception Package"
"ComponentGUID"="{E9A84D17-E5C1-4890-A557-4460207F6AAF}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{E9A84D17-E5C1-4890-A557-4460207F6AAF}\\WDSETUP.INF"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{E9A84D17-E5C1-4890-A557-4460207F6AAF}\\wdsetup.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}]
@DACL=(02 0000)
"FriendlyName"="Mdac 2.8 Exception Package"
"ComponentGUID"="{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\\MDACXPAK.INF"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\\mdacxpak.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{FB8B5424-4B01-433E-AB3B-4B296655D43A}]
@DACL=(02 0000)
"FriendlyName"="DirectX quartz Exception Pack"
"ComponentGUID"="{FB8B5424-4B01-433E-AB3B-4B296655D43A}"
"Version"=dword:00060003
"Sub-Version"=dword:00010376
"ExceptionInfName"=expand:"c:\\WINNT\\RegisteredPackages\\{FB8B5424-4B01-433E-AB3B-4B296655D43A}\\dx819696_w2k.inf"
"ExceptionCatalogName"=expand:"c:\\WINNT\\RegisteredPackages\\{FB8B5424-4B01-433E-AB3B-4B296655D43A}\\dx819696_w2k.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\KnownGood]
@DACL=(02 0000)
"SpeechCpl"="c:\\Program Files\\Common Files\\Microsoft Shared\\Speech\\sapi.cpl"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\Migration DLLs]
@DACL=(02 0000)
"Microsoft Office Family"="c:\\PROGRA~1\\MICROS~2\\Office10\\MIGRAT~1\\MIGRATE.DLL"
"Roxio Easy CD Creator 5"="c:\\Program Files\\Common Files\\Adaptec Shared\\Migration"
"Microsoft Windows Media Player 9 Series"="c:\\Program Files\\Windows Media Player\\Installer"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OC Manager]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\AddressBook]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(208)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(272)
c:\winnt\System32\BCMLogon.dll
.
Completion time: 2009-03-15 12:17:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 17:16:59

Pre-Run: 3,982,138,880 bytes free
Post-Run: 4,159,325,184 bytes free

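The deletion list above carries three things a malware-removal helper reads off a ComboFix report before anything else: a root Autorun.inf on every drive, an executable hidden under a RECYCLER folder whose "SID" does not start with S-1- (no genuine Windows SID has revision 3), and a driver, a DLL, a data file and a service that all share one generated-looking stem (gaopdx...). The script below is an added example for triaging a report of this shape; it is not part of the thread and is not ComboFix's own logic. The sample lines are copied from the posted log; the regular expressions, the 16-character/3.5-bit randomness thresholds and the 6-character prefix used for clustering are assumptions chosen for this illustration.

```python
import math
import re
from collections import Counter

# Constructed sample input: lines copied from the "Other Deletions" and
# "Drivers/Services" sections of the ComboFix log posted above.
SAMPLE_LOG = r"""
C:\Autorun.inf
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
C:\resycled
c:\winnt\packet.dll
c:\winnt\pthreadVC.dll
c:\winnt\system32\drivers\gaopdxttrpbqbapsxwnomujnklftjuyfuxbhxe.sys
c:\winnt\system32\gaopdxcounter
c:\winnt\system32\gaopdxphvtomuwykrvmswiyobobqmcxcrvooda.dll
c:\winnt\wpcap.dll
D:\Autorun.inf
d:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
E:\Autorun.inf
e:\recycler\S-3-0-30-100026831-100028940-100024868-8434.com
-------\Service_gaopdxserv.sys
-------\Legacy_NPF
"""

# autorun.inf sitting at a drive root
AUTORUN_RE = re.compile(r"^([a-z]):\\autorun\.inf$", re.I)
# an executable dropped directly under <drive>:\RECYCLER\<SID>
RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\(S-\d+(?:-\d+)+)\.(com|exe|scr|pif)$", re.I)
# a file in system32 or system32\drivers (extension optional, as with gaopdxcounter)
SYSTEM32_RE = re.compile(r"^c:\\winnt\\system32\\(?:drivers\\)?([a-z0-9]+)(?:\.(?:sys|dll))?$", re.I)
# a removed service entry from the Drivers/Services section
SERVICE_RE = re.compile(r"^-+\\Service_([a-z0-9]+)\.sys$", re.I)


def shannon_entropy(text):
    """Bits per character of the string; a random lowercase name scores around 4."""
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name, min_len=16, min_entropy=3.5):
    """Assumed heuristic: long, letters-only, high-entropy base name."""
    return len(name) >= min_len and name.isalpha() and shannon_entropy(name) >= min_entropy


def triage(log_text, prefix_len=6):
    findings = {
        "autorun_drives": [],     # drive letters carrying a root autorun.inf
        "fake_sid_recycler": [],  # RECYCLER payloads under a SID that is not S-1-...
        "random_names": [],       # system32 components with generated-looking names
        "prefix_clusters": [],    # groups of components sharing one stem
    }
    system_names = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings["autorun_drives"].append(m.group(1).upper())
            continue
        m = RECYCLER_RE.match(line)
        if m:
            # Every Windows SID begins with revision 1, i.e. "S-1-"; anything else
            # is a folder name invented to pass for a per-user recycle bin.
            if not m.group(1).upper().startswith("S-1-"):
                findings["fake_sid_recycler"].append(line)
            continue
        m = SYSTEM32_RE.match(line) or SERVICE_RE.match(line)
        if m:
            name = m.group(1)
            system_names.append(name)
            if looks_random(name):
                findings["random_names"].append(name)

    # A dropper that generates one random stem tends to reuse it for the driver,
    # the DLL, the service name and a data file: cluster by shared prefix.
    by_prefix = {}
    for name in system_names:
        by_prefix.setdefault(name[:prefix_len].lower(), []).append(name)
    findings["prefix_clusters"] = [names for names in by_prefix.values() if len(names) >= 3]
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on the sample, the script reports Autorun.inf on C, D and E, three RECYCLER payloads under the bogus S-3-0-30 SID, two high-entropy system32 names, and one four-member cluster on the stem gaopdx (driver, DLL, counter file and service). Short generated names such as gaopdxserv fall below the length threshold on their own, which is why the prefix clustering is worth keeping alongside the entropy check.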
newromecity
post Mar 15 2009, 10:08 AM
Post #10





Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997



A couple of notes: the SVCHOST application error seems to have finally gone away. I no longer get the message "Local Area Connection cannot be found" either. However, I still can't connect to the internet, even though the LAN properties show it is enabled and has "obtain IP automatically" and "obtain DNS server automatically" checked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:14 PM, on 3/15/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7920 bytes
newromecity
post Mar 15 2009, 02:29 PM
Post #11
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

The MBAM program finally opened and I was able to run it. Here's the log from that, along with a new HJT log.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.0.2195 Service Pack 4

3/15/2009 5:06:30 PM
mbam-log-2009-03-15 (17-06-18).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 113772
Time elapsed: 37 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b0cb585f-3271-4e42-88d9-ae5c9330d554} (Adware.Zango) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XP Police Antivirus (Rogue.XP-Police-Antivirus) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\Zango@Zango.com (Adware.Zango) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Desktop\Rome\Videos\WindXpSp3By_AleXDa1NOnLy\WW2.5+Z+TZ\$OEM$\$$\system32\cmdow.exe (Malware.Tool) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:43 PM, on 3/15/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackCheck\Hcheck.exe
C:\WINNT\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 167.206.254.1,167.206.254.2
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7995 bytes
Ironbender
post Mar 15 2009, 03:04 PM
Post #12
Group: SAF Moderator
Posts: 15,378
Joined: 16-March 05
From: Jacarei, SP - Brazil
Member No.: 10,092

Combofix shows no active rootkit.

You must uninstall XP Police Antivirus from your add-remove programs if listed there. It is a rogue antivirus and may download more crap to your system. Uninstall Zango toolbar as well if possible.

Mbam was not updated: (database version: 1749). Also, the report shows "no action taken" instead of "Quarantined and deleted" as it should.

Please update and run it again, making it quarantine or delete anything found.

Does RSIT still not run?

Chris

PS - Download and run LSPfix from http://www.cexx.org/LSPFix.exe and see if you can connect.

newromecity
post Mar 15 2009, 04:07 PM
Post #13
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

RSIT had to be run in Safe Mode since I can't connect on a regular boot.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-03-15 19:07:56
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 4 GB (12%) free of 38 GB
Total RAM: 503 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:02 PM, on 3/15/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\dmadmin.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackCheck\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 167.206.254.1,167.206.254.2
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6844 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-05-13 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-07 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - @msdxmLC.dll,-1@1033,&Radio - C:\WINNT\s [2007-08-25 40]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-05-13 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-10-30 385024]
"Synchronization Manager"=mobsync.exe /logon []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2001-02-20 8192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-09-07 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINNT\s [2007-08-25 40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
C:\WINNT\system32\nwprovau.dll [2006-09-01 140048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
C:\WINNT\system32\wlnotify.dll [2005-04-08 57104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-03-15 16:24:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-03-15 15:47:26 ----SHD---- C:\RECYCLER
2009-03-15 12:48:16 ----A---- C:\WINNT\SchedLgU.Txt
2009-03-15 12:17:07 ----D---- C:\WINNT\temp
2009-03-15 12:17:04 ----A---- C:\ComboFix.txt
2009-03-15 11:54:54 ----A---- C:\WINNT\zip.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\VFIND.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWXCACLS.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWSC.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWREG.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\sed.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\NIRCMD.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\grep.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\fdsv.exe
2009-03-15 11:54:31 ----D---- C:\WINNT\ERDNT
2009-03-15 11:54:29 ----D---- C:\Qoobox
2009-03-14 23:52:31 ----D---- C:\rsit
2009-03-14 13:05:17 ----D---- C:\Program Files\MBAM
2009-03-14 13:05:17 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-14 12:59:52 ----A---- C:\WINNT\ntbtlog.txt
2009-03-14 12:37:31 ----D---- C:\Program Files\CCleaner
2009-03-13 20:19:31 ----D---- C:\fixwareout
2009-03-13 14:16:25 ----D---- C:\Program Files\Trend Micro
2009-03-12 21:30:43 ----D---- C:\Program Files\F-Group
2009-03-12 21:00:13 ----ASH---- C:\BOOT.BAK
2009-03-12 20:55:54 ----D---- C:\$WIN_NT$.~LS
2009-03-12 20:55:54 ----D---- C:\$WIN_NT$.~BT
2009-03-12 17:40:12 ----A---- C:\WINNT\UPGRADE.TXT
2009-03-12 17:40:10 ----D---- C:\WINNT\setup.pss
2009-03-12 14:02:45 ----A---- C:\WINNT\system32\sqlite3.dll
2009-03-12 14:02:45 ----A---- C:\WINNT\system32\ascbalon.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\SysRestore.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\SQLiteWrapper.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\ConTest.dll
2009-03-12 14:02:43 ----D---- C:\Program Files\Ascentive
2009-03-12 00:33:29 ----D---- C:\Program Files\Anti Trojan Elite
2009-03-12 00:20:44 ----A---- C:\WINNT\system32\XceedCry.dll
2009-03-12 00:20:44 ----A---- C:\WINNT\system32\XceedBkp.dll
2009-03-11 21:31:54 ----D---- C:\Program Files\Panda Security
2009-03-11 20:16:26 ----D---- C:\WINNT\SoftwareDistribution
2009-03-10 15:13:08 ----D---- C:\Documents and Settings\Administrator\Application Data\Thinstall

======List of files/folders modified in the last 1 months======

2009-03-15 19:07:56 ----AD---- C:\WINNT\SYSTEM32
2009-03-15 19:07:14 ----D---- C:\Program Files\Mozilla Firefox
2009-03-15 19:04:05 ----A---- C:\WINNT\ModemLog_Conexant D110 MDC V.92 Modem.txt
2009-03-15 19:01:35 ----AD---- C:\WINNT\system32\IAS
2009-03-15 19:01:03 ----AD---- C:\WINNT\Debug
2009-03-15 18:58:35 ----AD---- C:\Program Files
2009-03-15 18:57:28 ----AD---- C:\WINNT\system32\DRIVERS
2009-03-15 18:14:12 ----AD---- C:\WINNT
2009-03-15 17:35:36 ----AHD---- C:\WINNT\INF
2009-03-15 15:38:19 ----D---- C:\WINNT\system32\NtmsData
2009-03-15 15:05:28 ----D---- C:\Program Files\yRead2
2009-03-15 12:13:34 ----A---- C:\WINNT\system.ini
2009-03-15 12:07:39 ----AD---- C:\WINNT\AppPatch
2009-03-15 12:07:38 ----AD---- C:\Program Files\Common Files
2009-03-15 12:05:43 ----SD---- C:\WINNT\Web
2009-03-14 12:51:26 ----D---- C:\WINNT\Minidump
2009-03-14 01:13:38 ----SHD---- C:\WINNT\CSC
2009-03-13 22:26:23 ----SD---- C:\WINNT\Downloaded Program Files
2009-03-13 20:12:14 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-03-13 12:44:18 ----D---- C:\WINNT\system32\Macromed
2009-03-13 00:00:08 ----D---- C:\Program Files\Advanced Uninstaller PRO - Version 9
2009-03-12 22:24:47 ----RASH---- C:\BOOT.INI
2009-03-12 21:30:20 ----D---- C:\Downloads
2009-03-12 16:38:33 ----D---- C:\Rome
2009-03-12 15:44:08 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-12 15:38:00 ----SD---- C:\WINNT\Tasks
2009-03-12 14:05:10 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-03-12 14:02:54 ----SHD---- C:\WINNT\Installer
2009-03-12 14:02:54 ----AHD---- C:\Config.Msi
2009-03-12 14:02:47 ----D---- C:\WINNT\Support_Files
2009-03-11 16:04:55 ----A---- C:\WINNT\WIN.INI
2009-03-11 16:04:51 ----RASD---- C:\WINNT\Fonts
2009-03-11 15:52:16 ----ASD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-03-11 14:37:38 ----AD---- C:\Documents and Settings
2009-03-11 14:19:40 ----AD---- C:\WINNT\system32\CONFIG
2009-03-11 12:32:11 ----D---- C:\Program Files\DivX
2009-02-27 17:03:48 ----D---- C:\Documents and Settings\Administrator\Application Data\LimeWire
2009-02-25 12:55:00 ----A---- C:\WINNT\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2007-08-25 40]
R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2007-08-25 40]
R1 GhPciScan;GhostPciScanner; \??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys []
R1 MPFP;MPFP; C:\WINNT\S [2007-08-25 40]
R1 omci;OMCI WDM Device Driver; C:\WINNT\s [2007-08-25 40]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINNT\s [2007-08-25 40]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINNT\s [2007-08-25 40]
R3 IWCA2K;Intel Wireless Connection Agent Miniport for Win 2K; C:\WINNT\s [2007-08-25 40]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\s [2007-08-25 40]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\s [2007-08-25 40]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\s [2007-08-25 40]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\s [2007-08-25 40]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\s [2007-08-25 40]
S1 Dlc;DLC Protocol; C:\WINNT\s [2007-08-25 40]
S1 SAVRT;SAVRT; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys []
S1 SbcpHid;SbcpHid; \??\C:\WINNT\system32\Drivers\SbcpHid.sys []
S1 SYMTDI;SYMTDI; C:\WINNT\S [2007-08-25 40]
S2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINNT\s [2007-08-25 40]
S2 AppleTalk;AppleTalk Protocol; C:\WINNT\s [2007-08-25 40]
S2 Aspi32;Aspi32; C:\WINNT\s [2007-08-25 40]
S2 BASFND;BASFND; \??\C:\WINNT\system32\Drivers\BASFND.sys []
S2 HidUsb;Microsoft HID Class Driver; C:\WINNT\s [2007-08-25 40]
S2 mdmxsdk;mdmxsdk; C:\WINNT\s [2007-08-25 40]
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\s [2007-08-25 40]
S2 NwlnkNb;NWLink NetBIOS; C:\WINNT\s [2007-08-25 40]
S2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\s [2007-08-25 40]
S2 PRPC;PRPC; C:\WINNT\s [2007-08-25 40]
S2 s24trans;WLAN Transport; C:\WINNT\s [2007-08-25 40]
S2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys []
S3 ATE_PROCMON;ATE_PROCMON; C:\WINNT\s [2007-08-25 40]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\Common Files\AOL\ACS\ATWPKT2.SYS []
S3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINNT\s [2007-08-25 40]
S3 bvrp_pci;bvrp_pci; C:\WINNT\s [2007-08-25 40]
S3 ccdecode;Closed Caption Decoder; C:\WINNT\s [2007-08-25 40]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\s [2007-08-25 40]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver; C:\WINNT\s [2007-08-25 40]
S3 GTIPCI21;GTIPCI21; C:\WINNT\s [2007-08-25 40]
S3 HSF_DP;HSF_DP; C:\WINNT\s [2007-08-25 40]
S3 HSF_DPV;HSF_DPV; C:\WINNT\s [2007-08-25 40]
S3 HSFHWICH;HSFHWICH; C:\WINNT\s [2007-08-25 40]
S3 ialm;ialm; C:\WINNT\s [2007-08-25 40]
S3 mouhid;Mouse HID Driver; C:\WINNT\s [2007-08-25 40]
S3 MPE;BDA MPE Filter; C:\WINNT\s [2007-08-25 40]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\s [2007-08-25 40]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\s [2007-08-25 40]
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090311.003\naveng.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090311.003\navex15.sys []
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver; C:\WINNT\s [2007-08-25 40]
S3 nm;Network Monitor Driver; C:\WINNT\s [2007-08-25 40]
S3 nv4;nv4; C:\WINNT\s [2007-08-25 40]
S3 NWRDR;NetWare Rdr; C:\WINNT\s [2007-08-25 40]
S3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINNT\s [2007-08-25 40]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2007-08-25 40]
S3 Scr110;SCR110 Serial Smart Card Reader; C:\WINNT\s [2007-08-25 40]
S3 SCRx31 USB Reader;SCRx31 USB Reader; C:\WINNT\s [2007-08-25 40]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\s [2007-08-25 40]
S3 STAC97;SigmaTel C-Major Audio; C:\WINNT\s [2007-08-25 40]
S3 streamip;BDA IPSink; C:\WINNT\s [2007-08-25 40]
S3 SYMDNS;SYMDNS; C:\WINNT\S [2007-08-25 40]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMFW;SYMFW; C:\WINNT\S [2007-08-25 40]
S3 SYMIDS;SYMIDS; C:\WINNT\S [2007-08-25 40]
S3 SYMIDSCO;SYMIDSCO; C:\WINNT\S [2007-08-25 40]
S3 SYMNDIS;SYMNDIS; C:\WINNT\S [2007-08-25 40]
S3 SYMREDRV;SYMREDRV; C:\WINNT\S [2007-08-25 40]
S3 tapvpn;TAP VPN Adapter; C:\WINNT\s [2007-08-25 40]
S3 UIUSys;Conexant Setup API; C:\WINNT\s [2007-08-25 40]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\s [2007-08-25 40]
S3 w70n5;Intel® PRO/Wireless 7100 Adapter Driver; C:\WINNT\s [2007-08-25 40]
S3 winachsf;winachsf; C:\WINNT\s [2007-08-25 40]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\s [2007-08-25 40]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\S [2007-08-25 40]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-09 884360]
S2 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S2 BAsfIpM;Broadcom ASF IP monitoring service v6.0.3; C:\WINNT\s [2007-08-25 40]
S2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-02-29 255096]
S2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2004-02-29 291960]
S2 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-02-29 87160]
S2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-02-29 242808]
S2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe [2004-05-06 29912]
S2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-09-07 86016]
S2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe []
S2 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe []
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
S2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-09-07 139264]
S2 SimpTcp;Simple TCP/IP Services; C:\WINNT\s [2007-08-25 40]
S2 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-03-11 193760]
S2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe [2004-03-12 1221864]
S2 SymSecurePort;Symantec SecurePort; C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe [2004-05-05 222352]
S2 WLANKEEPER;WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2004-09-07 225353]
S2 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2007-08-25 40]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S4 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2004-10-20 10328]
S4 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
S4 GhostStartService;GhostStartService; C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE [2002-08-14 200704]
S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 138168]
S4 NFServer;NFServer; C:\Program Files\Fortress\AirFortress® Client\NFServer.exe [2002-06-21 110592]
S4 NWCWorkstation;Client Service for NetWare; C:\WINNT\s [2007-08-25 40]
S4 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-09-07 360521]
S4 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINNT\S [2007-08-25 40]

-----------------EOF-----------------
newromecity
post Mar 15 2009, 04:08 PM
Post #14
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.0.2195 Service Pack 4

3/15/2009 6:56:30 PM
mbam-log-2009-03-15 (18-56-30).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 117223
Time elapsed: 21 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0cb585f-3271-4e42-88d9-ae5c9330d554} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP Police Antivirus (Rogue.XP-Police-Antivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Desktop\Rome\Videos\WindXpSp3By_AleXDa1NOnLy\WW2.5+Z+TZ\$OEM$\$$\system32\cmdow.exe (Malware.Tool) -> Quarantined and deleted successfully.
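The MBAM log above is the kind of artifact a responder ends up reading by hand. As an added example (not part of the original post or of Malwarebytes' own tooling), here is a small parser for the MBAM 1.x text-log format that pulls every detection into a record, cross-checks the per-category counts in the log header against the items actually listed, and surfaces the two Security Center "DisableNotify" values that the log flags as Hijack.SecurityCenter. The SAMPLE_LOG is a constructed excerpt modelled on the posted log, not the full log itself.

```python
"""Parse an MBAM 1.x text log and sanity-check it.

Added example for this thread, not code from the original post or from
Malwarebytes. SAMPLE_LOG is a constructed excerpt of the posted log.
"""
import re
from collections import Counter

# Constructed sample, shortened from the log posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.0.2195 Service Pack 4

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b0cb585f-3271-4e42-88d9-ae5c9330d554} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP Police Antivirus (Rogue.XP-Police-Antivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Desktop\cmdow.exe (Malware.Tool) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 7"  -> header count line
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of a detail section
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <rest>"; <item> may itself contain parentheses
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the observed/expected value before the action
BADGOOD_RE = re.compile(
    r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {'summary': {section: claimed_count}, 'detections': [record, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            rest = m.group("rest")
            bad = good = None
            action = rest
            bg = BADGOOD_RE.match(rest)
            if bg:  # registry data item: split value and action
                bad, good, action = bg.group("bad", "good", "action")
            detections.append({"section": section, "item": m.group("item"),
                               "family": m.group("family"), "action": action,
                               "bad": bad, "good": good})
    return {"summary": summary, "detections": detections}


def count_mismatches(parsed):
    """Sections whose header count differs from the items listed (truncated/edited logs)."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return {s: (claimed, seen.get(s, 0))
            for s, claimed in parsed["summary"].items() if claimed != seen.get(s, 0)}


def family_counts(parsed):
    """How many hits per detection family, e.g. Adware.Minibug vs Rogue.*."""
    return Counter(d["family"] for d in parsed["detections"])


def security_center_tampering(parsed):
    """(value name, bad, good) for every Security Center notification switch flagged."""
    return [(d["item"].rsplit("\\", 1)[-1], d["bad"], d["good"])
            for d in parsed["detections"]
            if d["family"] == "Hijack.SecurityCenter" or "\\Security Center\\" in d["item"]]


def unremediated(parsed):
    """Detections whose action line does not report success (needs manual follow-up)."""
    return [d for d in parsed["detections"] if "successfully" not in d["action"]]


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print(dict(family_counts(p)))
    print(security_center_tampering(p))
    print("count mismatches:", count_mismatches(p))
    print("not remediated:", len(unremediated(p)))
```

The Security Center check is the one worth keeping in a triage kit: a value of 1 in `AntiVirusDisableNotify` or `UpdatesDisableNotify` silences the "no antivirus / updates off" balloon, which is exactly what rogue antivirus families such as the XP Police entry in this log set to stay quiet.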
newromecity
post Mar 15 2009, 04:26 PM
Post #15
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

LSPfix says there are no problems found, and lists the following .dll files under KEEP.

RNR20
WINRNR
NWPROVAU
MSAFD
RSVPSP

newromecity
post Mar 15 2009, 06:59 PM
Post #16
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

I've been able to get Internet Explorer to work now. I don't know if this specifically had anything to do with it but I went to Windows Automatic Updates and turned them on, they had been turned off. Still can't connect to Mozilla Firefox for some odd reason, working on it.
Ironbender
post Mar 15 2009, 08:04 PM
Post #17
Group: SAF Moderator
Posts: 15,378
Joined: 16-March 05
From: Jacarei, SP - Brazil
Member No.: 10,092

We are making some progress.

Download SDFix from: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix\

Reboot into Safe Mode (without networking support!)

- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum). I need that log afterwards.

Post back the sdfix report along with a new RSIT report.

Chris
newromecity
post Mar 15 2009, 08:59 PM
Post #18
Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

I got a couple of prompts on screen telling me about new hardware added, "Network Controller", but Windows couldn't locate any drivers for it. Important?


SDFix: Version 1.240
Run by Administrator on Sun 03/15/2009 at 11:32p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 23:55:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\EncInst]
"DebugFile"="c:\encinst.log"
"path"="C:\WINNT\system32\export\encinst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents]
"ComponentList"=str(7):"{FB8B5424-4B01-433E-AB3B-4B296655D43A}\0{89820200-ECBD-11CF-8B85-00AA005B4383}\0{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\0{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\0{5DC6714D-359A-4BBE-A62E-38E86902C81A}\0{E9A84D17-E5C1-4890-A557-4460207F6AAF}\0{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\0{C53A407B-397A-4EEC-812F-E951673CDE7F}\0{0E7420B5-D964-400C-8AC0-60537B2D0832}\0{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\0{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\0{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\0{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\0{AA936DF4-2B08-4B1F-B071-72192E287704}\0{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\0{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{0E7420B5-D964-400C-8AC0-60537B2D0832}]
"FriendlyName"="SQLXMLX Exception Package"
"ComponentGUID"="{0E7420B5-D964-400C-8AC0-60537B2D0832}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{0E7420B5-D964-400C-8AC0-60537B2D0832}\SQLXMLXP.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{0E7420B5-D964-400C-8AC0-60537B2D0832}\sqlxmlxp.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}]
"FriendlyName"="Microsoft MDAC Response Files"
"ComponentGUID"="{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\rspfiles.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{12F1D3F6-5371-4962-8B9E-41AC0668F2C1}\rspfiles.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
"FriendlyName"="DirectX"
"ComponentGUID"="{44BBA855-CC51-11CF-AAFA-00AA00B6015C}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxxp.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxxp.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{5DC6714D-359A-4BBE-A62E-38E86902C81A}]
"FriendlyName"="Microsoft MDAC Setup Files"
"ComponentGUID"="{5DC6714D-359A-4BBE-A62E-38E86902C81A}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{5DC6714D-359A-4BBE-A62E-38E86902C81A}\dasetup.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{5DC6714D-359A-4BBE-A62E-38E86902C81A}\dasetup.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{89820200-ECBD-11CF-8B85-00AA005B4383}]
"FriendlyName"="Internet Explorer 6"
"ComponentGUID"="{89820200-ECBD-11CF-8B85-00AA005B4383}"
"Version"=dword:00060000
"Sub-Version"=dword:00000000
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{89820200-ECBD-11cf-8B85-00AA005B4383}\ieex.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{89820200-ECBD-11cf-8B85-00AA005B4383}\ieex.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}]
"FriendlyName"="BidInterface Exception Package"
"ComponentGUID"="{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\bidintrx.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{97F5A9DB-8CA2-496B-9847-9C1DF6D93701}\bidintrx.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}]
"FriendlyName"="Microsoft SQL Server ODBC Drivers"
"ComponentGUID"="{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\SQLODBC.INF"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{A2F3B5A7-2D39-4A4E-96E6-BFADEBCBB27B}\sqlodbc.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AA936DF4-2B08-4B1F-B071-72192E287704}]
"FriendlyName"="DirectX BDA"
"ComponentGUID"="{AA936DF4-2B08-4B1F-B071-72192E287704}"
"Version"=dword:00040009
"Sub-Version"=dword:00000386
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\dxbda.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{AA936DF4-2B08-4B1F-B071-72192E287704}\dx9bda.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}]
"FriendlyName"="Microsoft SQL Server Net Libs"
"ComponentGUID"="{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\SQLNET.INF"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{B15C73EE-0AD0-41C2-BC15-D0A623F0078C}\sqlnet.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}]
"FriendlyName"="Microsoft SQL Server OLEDB Provider"
"ComponentGUID"="{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\SQLOLDB.INF"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{BA63DE4B-CAD8-49C5-A3F2-E976BEB019C8}\sqloldb.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}]
"FriendlyName"="Microsoft Active Accessibility"
"ComponentGUID"="{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}"
"Version"=dword:00040002
"Sub-Version"=dword:151e0000
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\msaaNT.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{BA840A40-FE9C-49A6-B5DA-18EEEF49B9A7}\msaa2K.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C53A407B-397A-4EEC-812F-E951673CDE7F}]
"FriendlyName"="MSXML 3.0 Exception Package"
"ComponentGUID"="{C53A407B-397A-4EEC-812F-E951673CDE7F}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{C53A407B-397A-4EEC-812F-E951673CDE7F}\MSXMLX.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{C53A407B-397A-4EEC-812F-E951673CDE7F}\msxmlx.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}]
"FriendlyName"="Windows Media Player Exception Pack"
"ComponentGUID"="{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}"
"Version"=dword:00090000
"Sub-Version"=dword:00000ba4
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{E9A84D17-E5C1-4890-A557-4460207F6AAF}]
"FriendlyName"="WebData Setup Exception Package"
"ComponentGUID"="{E9A84D17-E5C1-4890-A557-4460207F6AAF}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{E9A84D17-E5C1-4890-A557-4460207F6AAF}\WDSETUP.INF"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{E9A84D17-E5C1-4890-A557-4460207F6AAF}\wdsetup.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}]
"FriendlyName"="Mdac 2.8 Exception Package"
"ComponentGUID"="{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}"
"Version"=dword:00020050
"Sub-Version"=dword:03fe0003
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\MDACXPAK.INF"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{F1CAE27D-85D3-4642-B9E9-48D7F9F56C82}\mdacxpak.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{FB8B5424-4B01-433E-AB3B-4B296655D43A}]
"FriendlyName"="DirectX quartz Exception Pack"
"ComponentGUID"="{FB8B5424-4B01-433E-AB3B-4B296655D43A}"
"Version"=dword:00060003
"Sub-Version"=dword:00010376
"ExceptionInfName"=str(2):"C:\WINNT\RegisteredPackages\{FB8B5424-4B01-433E-AB3B-4B296655D43A}\dx819696_w2k.inf"
"ExceptionCatalogName"=str(2):"C:\WINNT\RegisteredPackages\{FB8B5424-4B01-433E-AB3B-4B296655D43A}\dx819696_w2k.cat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\KnownGood]
"SpeechCpl"="C:\Program Files\Common Files\Microsoft Shared\Speech\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Migration DLLs]
"Microsoft Office Family"="C:\PROGRA~1\MICROS~2\Office10\MIGRAT~1\MIGRATE.DLL"
"Roxio Easy CD Creator 5"="C:\Program Files\Common Files\Adaptec Shared\Migration"
"Microsoft Windows Media Player 9 Series"="C:\Program Files\Windows Media Player\Installer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\MasterInfs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"wmpocm"=dword:00000001
"autoupdate"=dword:00000001
"dtc"=dword:00000001
"msmq"=dword:00000000
"ieaccess"=dword:00000001
"iis_common"=dword:00000000
"iis_inetmgr"=dword:00000000
"com"=dword:00000001
"iis_www"=dword:00000000
"iis_pwmgr"=dword:00000000
"iis_doc"=dword:00000000
"iis_ftp"=dword:00000000
"iis_smtp"=dword:00000000
"fp_extensions"=dword:00000000
"oeaccess"=dword:00000001
"mswordpad"=dword:00000001
"calc"=dword:00000001
"charmap"=dword:00000001
"clipbook"=dword:00000001
"deskpaper"=dword:00000001
"mousepoint"=dword:00000001
"objectpkg"=dword:00000001
"paint"=dword:00000001
"templates"=dword:00000001
"chat"=dword:00000001
"dialer"=dword:00000001
"hypertrm"=dword:00000001
"cdplayer"=dword:00000001
"mplay"=dword:00000001
"rec"=dword:00000001
"vol"=dword:00000001
"media_clips"=dword:00000001
"media_utopia"=dword:00000001
"accessopt"=dword:00000001
"pinball"=dword:00000001
"freecell"=dword:00000001
"minesweeper"=dword:00000001
"solitaire"=dword:00000001
"imagevue"=dword:00000001
"fax"=dword:00000001
"indexsrv_system"=dword:00000001
"snmp"=dword:00000000
"simptcp"=dword:00000001
"iprip"=dword:00000001
"lpdsvc"=dword:00000000
"iisdbg"=dword:00000000
"display"=dword:00000001
"ntcomponents"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\AddressBook]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
"Installed"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63496D0E-1653-5764-30C8-8B7AE0E43F7E}]
"bbehecjdilgdpohalhpomfdfdaamgcffalkn?"=hex:61,61,00,00
"abehecjdilgdpohalhiphkgpaeocpaolen?"=hex:61,61,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :



Files with Hidden Attributes :

Wed 12 May 2004 192 A.SH. --- "C:\BOOT.BAK"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Wed 14 Aug 2002 65,088 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002 12,732 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002 26,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002 28,062 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002 10,710 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002 10,083 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002 10,257 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002 29,499 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002 12,660 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002 11,031 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002 17,952 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002 9,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002 13,673 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002 7,243 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002 24,767 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002 7,463 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002 10,286 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002 25,460 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002 28,866 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002 8,544 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002 33,149 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 28 May 2003 51,150 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002 35,340 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002 14,378 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002 37,984 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002 44,828 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002 29,628 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 28 May 2003 52,106 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 14 Aug 2002 49,242 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002 50,606 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002 161,792 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002 174,080 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002 21,971 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002 30,955 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002 202,517 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002 374,038 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002 22,158 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002 1,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002 15,345 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002 7,840 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002 56,821 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002 64,425 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002 32,396 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002 14,160 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002 10,898 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002 53,556 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002 15,777 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002 37,681 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002 354,304 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 14 Aug 2002 21,180 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002 354,263 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002 8,513 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002 41,302 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002 129,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002 28,439 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002 13,770 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002 130,980 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002 11,854 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002 52,715 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002 62,391 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002 11,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002 17,791 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002 17,043 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002 11,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002 18,300 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002 48,224 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002 13,360 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002 9,190 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002 12,567 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002 56,896 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002 9,692 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002 9,537 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002 32,484 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002 52,225 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002 48,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002 50,405 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002 33,860 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002 50,175 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002 50,795 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002 48,223 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002 48,641 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002 49,015 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002 53,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 14 Aug 2002 44,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 14 Aug 2002 42,550 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

Finished!

newromecity
post Mar 15 2009, 09:00 PM
Post #19

Group: Members
Posts: 18
Joined: 13-March 09
Member No.: 25,997

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-03-16 00:03:09
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 4 GB (10%) free of 38 GB
Total RAM: 503 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:28 AM, on 3/16/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\clipsrv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackCheck\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://live.xbox.com/en-US/profile/Friends.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\S-1-5-21-577020384-2308808795-1272252130-1009\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143753340215
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 167.206.254.1,167.206.254.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NFServer - Unknown owner - C:\Program Files\Fortress\AirFortress® Client\NFServer.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9800 bytes

======Scheduled tasks folder======

C:\WINNT\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-05-13 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-09-07 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - @msdxmLC.dll,-1@1033,&Radio - C:\WINNT\s [2007-08-25 40]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-05-13 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2004-02-29 66680]
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe [2002-08-14 94208]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-10-30 385024]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-06-16 81920]
"Synchronization Manager"=mobsync.exe /logon []
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe [2004-05-06 124112]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2001-02-20 8192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-09-07 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINNT\s [2007-08-25 40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
C:\WINNT\system32\nwprovau.dll [2006-09-01 140048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
C:\WINNT\system32\wlnotify.dll [2005-04-08 57104]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-03-15 23:26:12 ----D---- C:\WINNT\ERUNT
2009-03-15 23:12:12 ----D---- C:\SDFix
2009-03-15 21:58:36 ----A---- C:\WINNT\system32\wuauclt.exe
2009-03-15 21:44:43 ----D---- C:\Program Files\Adaptec
2009-03-15 16:24:55 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-03-15 15:47:26 ----SHD---- C:\RECYCLER
2009-03-15 12:48:16 ----A---- C:\WINNT\SchedLgU.Txt
2009-03-15 12:17:07 ----D---- C:\WINNT\temp
2009-03-15 12:17:04 ----A---- C:\ComboFix.txt
2009-03-15 11:54:54 ----A---- C:\WINNT\zip.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\VFIND.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWXCACLS.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWSC.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\SWREG.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\sed.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\NIRCMD.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\grep.exe
2009-03-15 11:54:54 ----A---- C:\WINNT\fdsv.exe
2009-03-15 11:54:31 ----D---- C:\WINNT\ERDNT
2009-03-15 11:54:29 ----D---- C:\Qoobox
2009-03-14 23:52:31 ----D---- C:\rsit
2009-03-14 13:05:17 ----D---- C:\Program Files\MBAM
2009-03-14 13:05:17 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-14 12:59:52 ----A---- C:\WINNT\ntbtlog.txt
2009-03-14 12:37:31 ----D---- C:\Program Files\CCleaner
2009-03-13 20:19:31 ----D---- C:\fixwareout
2009-03-13 14:16:25 ----D---- C:\Program Files\Trend Micro
2009-03-12 21:30:43 ----D---- C:\Program Files\F-Group
2009-03-12 21:00:13 ----ASH---- C:\BOOT.BAK
2009-03-12 20:55:54 ----D---- C:\$WIN_NT$.~LS
2009-03-12 20:55:54 ----D---- C:\$WIN_NT$.~BT
2009-03-12 17:40:12 ----A---- C:\WINNT\UPGRADE.TXT
2009-03-12 17:40:10 ----D---- C:\WINNT\setup.pss
2009-03-12 14:02:45 ----A---- C:\WINNT\system32\sqlite3.dll
2009-03-12 14:02:45 ----A---- C:\WINNT\system32\ascbalon.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\SysRestore.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\SQLiteWrapper.dll
2009-03-12 14:02:44 ----A---- C:\WINNT\system32\ConTest.dll
2009-03-12 14:02:43 ----D---- C:\Program Files\Ascentive
2009-03-12 00:33:29 ----D---- C:\Program Files\Anti Trojan Elite
2009-03-12 00:20:44 ----A---- C:\WINNT\system32\XceedCry.dll
2009-03-12 00:20:44 ----A---- C:\WINNT\system32\XceedBkp.dll
2009-03-11 21:31:54 ----D---- C:\Program Files\Panda Security
2009-03-11 20:16:26 ----D---- C:\WINNT\SoftwareDistribution
2009-03-10 15:13:08 ----D---- C:\Documents and Settings\Administrator\Application Data\Thinstall

======List of files/folders modified in the last 1 months======

2009-03-16 00:03:10 ----AD---- C:\WINNT\SYSTEM32
2009-03-16 00:00:47 ----D---- C:\Program Files\Mozilla Firefox
2009-03-15 23:42:00 ----D---- C:\WINNT\system32\NtmsData
2009-03-15 23:41:57 ----AD---- C:\WINNT\system32\IAS
2009-03-15 23:41:36 ----A---- C:\WINNT\ModemLog_Conexant D110 MDC V.92 Modem.txt
2009-03-15 23:41:33 ----AD---- C:\WINNT\Debug
2009-03-15 23:26:12 ----AD---- C:\WINNT
2009-03-15 21:58:41 ----RASHD---- C:\WINNT\system32\DLLCACHE
2009-03-15 21:58:27 ----AHD---- C:\WINNT\INF
2009-03-15 21:44:43 ----AD---- C:\Program Files\Windows Media Player
2009-03-15 21:44:43 ----AD---- C:\Program Files\Common Files
2009-03-15 21:44:43 ----AD---- C:\Program Files
2009-03-15 21:41:07 ----AD---- C:\WINNT\Help
2009-03-15 21:38:44 ----RASH---- C:\BOOT.INI
2009-03-15 18:58:35 ----AD---- C:\WINNT\system32\DRIVERS
2009-03-15 15:05:28 ----D---- C:\Program Files\yRead2
2009-03-15 12:13:34 ----A---- C:\WINNT\system.ini
2009-03-15 12:07:39 ----AD---- C:\WINNT\AppPatch
2009-03-15 12:05:43 ----SD---- C:\WINNT\Web
2009-03-14 12:51:26 ----D---- C:\WINNT\Minidump
2009-03-14 01:13:38 ----SHD---- C:\WINNT\CSC
2009-03-13 22:26:23 ----SD---- C:\WINNT\Downloaded Program Files
2009-03-13 20:12:14 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-03-13 12:44:18 ----D---- C:\WINNT\system32\Macromed
2009-03-13 00:00:08 ----D---- C:\Program Files\Advanced Uninstaller PRO - Version 9
2009-03-12 21:30:20 ----D---- C:\Downloads
2009-03-12 16:38:33 ----D---- C:\Rome
2009-03-12 15:44:08 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-12 15:38:00 ----SD---- C:\WINNT\Tasks
2009-03-12 14:05:10 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-03-12 14:02:54 ----SHD---- C:\WINNT\Installer
2009-03-12 14:02:54 ----AHD---- C:\Config.Msi
2009-03-12 14:02:47 ----D---- C:\WINNT\Support_Files
2009-03-11 16:04:55 ----A---- C:\WINNT\WIN.INI
2009-03-11 16:04:51 ----RASD---- C:\WINNT\Fonts
2009-03-11 15:52:16 ----ASD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-03-11 14:37:38 ----AD---- C:\Documents and Settings
2009-03-11 14:19:40 ----AD---- C:\WINNT\system32\CONFIG
2009-03-11 12:32:11 ----D---- C:\Program Files\DivX
2009-02-27 17:03:48 ----D---- C:\Documents and Settings\Administrator\Application Data\LimeWire
2009-02-25 12:55:00 ----A---- C:\WINNT\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2007-08-25 40]
R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2007-08-25 40]
R1 Dlc;DLC Protocol; C:\WINNT\s [2007-08-25 40]
R1 GhPciScan;GhostPciScanner; \??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys []
R1 MPFP;MPFP; C:\WINNT\S [2007-08-25 40]
R1 omci;OMCI WDM Device Driver; C:\WINNT\s [2007-08-25 40]
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys []
R1 SbcpHid;SbcpHid; \??\C:\WINNT\system32\Drivers\SbcpHid.sys []
R1 SYMTDI;SYMTDI; C:\WINNT\S [2007-08-25 40]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINNT\s [2007-08-25 40]
R2 AppleTalk;AppleTalk Protocol; C:\WINNT\s [2007-08-25 40]
R2 Aspi32;Aspi32; C:\WINNT\s [2007-08-25 40]
R2 BASFND;BASFND; \??\C:\WINNT\system32\Drivers\BASFND.sys []
R2 mdmxsdk;mdmxsdk; C:\WINNT\s [2007-08-25 40]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\s [2007-08-25 40]
R2 NwlnkNb;NWLink NetBIOS; C:\WINNT\s [2007-08-25 40]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\s [2007-08-25 40]
R2 PRPC;PRPC; C:\WINNT\s [2007-08-25 40]
R2 s24trans;WLAN Transport; C:\WINNT\s [2007-08-25 40]
R2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys []
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINNT\s [2007-08-25 40]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINNT\s [2007-08-25 40]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\s [2007-08-25 40]
R3 GTIPCI21;GTIPCI21; C:\WINNT\s [2007-08-25 40]
R3 HSF_DPV;HSF_DPV; C:\WINNT\s [2007-08-25 40]
R3 HSFHWICH;HSFHWICH; C:\WINNT\s [2007-08-25 40]
R3 ialm;ialm; C:\WINNT\s [2007-08-25 40]
R3 IWCA2K;Intel Wireless Connection Agent Miniport for Win 2K; C:\WINNT\s [2007-08-25 40]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090311.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090311.003\navex15.sys []
R3 NWRDR;NetWare Rdr; C:\WINNT\s [2007-08-25 40]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2007-08-25 40]
R3 STAC97;SigmaTel C-Major Audio; C:\WINNT\s [2007-08-25 40]
R3 SYMDNS;SYMDNS; C:\WINNT\S [2007-08-25 40]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINNT\S [2007-08-25 40]
R3 SYMIDS;SYMIDS; C:\WINNT\S [2007-08-25 40]
R3 SYMIDSCO;SYMIDSCO; C:\WINNT\S [2007-08-25 40]
R3 SYMNDIS;SYMNDIS; C:\WINNT\S [2007-08-25 40]
R3 SYMREDRV;SYMREDRV; C:\WINNT\S [2007-08-25 40]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\s [2007-08-25 40]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\s [2007-08-25 40]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\s [2007-08-25 40]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\s [2007-08-25 40]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\s [2007-08-25 40]
R3 winachsf;winachsf; C:\WINNT\s [2007-08-25 40]
S2 HidUsb;Microsoft HID Class Driver; C:\WINNT\s [2007-08-25 40]
S3 ATE_PROCMON;ATE_PROCMON; C:\WINNT\s [2007-08-25 40]
S3 ATWPKT2;ATWPKT2; \??\C:\Program Files\Common Files\AOL\ACS\ATWPKT2.SYS []
S3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINNT\s [2007-08-25 40]
S3 bvrp_pci;bvrp_pci; C:\WINNT\s [2007-08-25 40]
S3 ccdecode;Closed Caption Decoder; C:\WINNT\s [2007-08-25 40]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver; C:\WINNT\s [2007-08-25 40]
S3 HSF_DP;HSF_DP; C:\WINNT\s [2007-08-25 40]
S3 mouhid;Mouse HID Driver; C:\WINNT\s [2007-08-25 40]
S3 MPE;BDA MPE Filter; C:\WINNT\s [2007-08-25 40]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\s [2007-08-25 40]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\s [2007-08-25 40]
S3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver; C:\WINNT\s [2007-08-25 40]
S3 nm;Network Monitor Driver; C:\WINNT\s [2007-08-25 40]
S3 nv4;nv4; C:\WINNT\s [2007-08-25 40]
S3 O2SCBUS;O2Micro SmartCardBus Reader; C:\WINNT\s [2007-08-25 40]
S3 Scr110;SCR110 Serial Smart Card Reader; C:\WINNT\s [2007-08-25 40]
S3 SCRx31 USB Reader;SCRx31 USB Reader; C:\WINNT\s [2007-08-25 40]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\s [2007-08-25 40]
S3 streamip;BDA IPSink; C:\WINNT\s [2007-08-25 40]
S3 tapvpn;TAP VPN Adapter; C:\WINNT\s [2007-08-25 40]
S3 UIUSys;Conexant Setup API; C:\WINNT\s [2007-08-25 40]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\s [2007-08-25 40]
S3 w70n5;Intel® PRO/Wireless 7100 Adapter Driver; C:\WINNT\s [2007-08-25 40]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\s [2007-08-25 40]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\S [2007-08-25 40]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2004-10-20 10328]
R2 AOL TopSpeedMonitor;AOL TopSpeed Monitor; C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [2004-10-15 100016]
R2 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
R2 BAsfIpM;Broadcom ASF IP monitoring service v6.0.3; C:\WINNT\s [2007-08-25 40]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-02-29 255096]
R2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2004-02-29 291960]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-02-29 242808]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe [2004-05-06 29912]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-09-07 86016]
R2 GhostStartService;GhostStartService; C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE [2002-08-14 200704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-09 884360]
R2 NWCWorkstation;Client Service for NetWare; C:\WINNT\s [2007-08-25 40]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-09-07 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-09-07 360521]
R2 SimpTcp;Simple TCP/IP Services; C:\WINNT\s [2007-08-25 40]
R2 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-03-11 193760]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe [2004-03-12 1221864]
R2 SymSecurePort;Symantec SecurePort; C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe [2004-05-05 222352]
R2 WLANKEEPER;WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2004-09-07 225353]
S2 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-02-29 87160]
S2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 138168]
S2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe []
S2 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe []
S2 NFServer;NFServer; C:\Program Files\Fortress\AirFortress® Client\NFServer.exe [2002-06-21 110592]
S2 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2007-08-25 40]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]

-----------------EOF-----------------
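The HijackThis portion of the log above is what helpers on this board read line by line: O4 autoruns, O9/O23 entries pointing at files that no longer exist, the O10 Winsock LSP line, O16 ActiveX downloads and the O17 name servers. As an added example, not code from this thread nor from the HijackThis or RSIT tools, the Python script below parses entries in that format and applies those first-pass checks. The allowlists of identified LSP DLLs and of trusted ActiveX download hosts are assumptions made for illustration, and the sample input is a trimmed excerpt of the log posted above.

```python
"""Triage a HijackThis-style log: parse each numbered entry and apply the
checks a malware-removal helper makes by hand on O4/O9/O10/O16/O17/O23 lines."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Excerpt of the log posted above, trimmed to a handful of lines so the
# script runs offline (sample input for this example, not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134589117044
O17 - HKLM\System\CCS\Services\Tcpip\..\{9758C124-7DE9-4E40-8FA8-9A680ACA1457}: NameServer = 167.206.254.1,167.206.254.2
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NFServer - Unknown owner - C:\Program Files\Fortress\AirFortress® Client\NFServer.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>HK\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"Winsock LSP: (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<ns>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Allowlists are this script's assumptions, not anything HijackThis ships:
# the reviewer maintains them and extends them as entries are identified.
KNOWN_LSP_DLLS = {"nwprovau.dll"}  # the Client Service for NetWare provider
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "zone.msn.com", "cdn2.zone.msn.com"}


@dataclass
class Finding:
    severity: str  # "info", "low" or "medium"
    kind: str      # HijackThis entry type, e.g. "O23"
    detail: str    # the entry body as logged
    reason: str    # why a reviewer should look at it


def parse_entries(text):
    """Yield (kind, body) for each 'Oxx - ...' / 'Rx - ...' line; skip everything else."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def _executable(cmd):
    """First token of an O4 command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_entry(kind, body):
    """Apply the rule for one entry type; return a Finding or None."""
    if kind == "O4":
        m = O4_RE.match(body)
        # A bare filename is resolved through the search path at logon, so the
        # log alone does not tell you which file actually runs.
        if m and "\\" not in _executable(m.group("cmd")):
            return Finding("low", kind, body,
                           "bare filename resolved through the search path; "
                           "confirm it runs the system copy")
    elif kind == "O9" and "(no file)" in body:
        return Finding("low", kind, body, "orphaned IE button/menu entry; safe to remove")
    elif kind == "O10":
        m = O10_RE.search(body)
        dll = m.group("path").rsplit("\\", 1)[-1].lower() if m else ""
        if dll in KNOWN_LSP_DLLS:
            return Finding("info", kind, body, f"{dll} is an identified LSP provider")
        return Finding("medium", kind, body,
                       "unidentified Winsock LSP; identify the DLL before touching it "
                       "(removing an LSP entry incorrectly breaks networking)")
    elif kind == "O16":
        m = O16_RE.match(body)
        host = urlsplit(m.group("url")).hostname if m else None
        if host not in TRUSTED_DPF_HOSTS:
            return Finding("medium", kind, body, f"ActiveX control downloaded from {host}; review")
    elif kind == "O17":
        m = O17_RE.search(body)
        if m:
            return Finding("info", kind, body,
                           f"DNS servers {m.group('ns')}; confirm they belong to the ISP")
    elif kind == "O23":
        m = O23_RE.match(body)
        if m and "(file missing)" in m.group("path"):
            return Finding("low", kind, body, "service binary missing; stale registration")
        if m and m.group("owner") == "Unknown owner":
            return Finding("medium", kind, body, "service with no publisher string; verify the binary")
    return None


def triage(text):
    """Run every entry of the log through check_entry and collect the findings."""
    return [f for f in (check_entry(k, b) for k, b in parse_entries(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.detail}")
```

The script only narrows what to look at; it does not decide clean or infected. That matters most for the O10 line: HijackThis reports any LSP it does not recognise as "Unknown file", and nwprovau.dll is simply the NetWare provider on this box, so the entry is reported for identification rather than removal.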
Ironbender
post Mar 16 2009, 04:14 AM
Post #20
Group: SAF Moderator
Posts: 15,378
Joined: 16-March 05
From: Jacarei, SP - Brazil
Member No.: 10,092
Well, looks clean to me now.

How is your system running? Still having problems?

Chris
