
I ran a Panda Security scan, and when it was about 1/3 done scanning my computer, the program shut down. I was able to see that it found 2 hijack/rootkits before the program went down. I ran a HijackThis scan and received the following logfile. Any help with finding what was considered the 2 hijack/rootkits, or anything else that shouldn't be there?

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\system32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\system32\HPHipm11.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton SystemWorks\Norton Antivirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 User Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE (User 'Sam')

O4 - S-1-5-18 Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Search - ?p=ZCxdm594YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.aaa.com

O15 - Trusted Zone: www.aaaohio.com

O15 - Trusted Zone: www.gap.com

O15 - Trusted Zone: http://maps.live.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115248224117

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 12861 bytes

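A small triage script for logs in the HijackThis format shown above, added here as an example; it is not code from any poster in this thread or from the HijackThis/Trend Micro project. The sample log embedded in it is constructed (a few lines in the same format, not the full log), and the heuristics are this editor's assumptions about what a first pass would look at: core Windows processes that appear more than once in the process list, O2 BHO entries with no backing file, O4 Run entries that are a bare filename and so get resolved through the search path at logon, startup shortcuts whose target could not be resolved, O8 context-menu items whose target is neither a path nor a URL, and O15 Trusted Zone entries. Every hit means "verify", not "malicious": two winlogon.exe instances are normal with Fast User Switching or Remote Desktop sessions, and Trusted Zone entries are usually the user's own doing.

```python
"""Triage heuristics for a HijackThis (HJT) v2 log, e.g. the one posted above."""
import re
from collections import Counter

# Constructed sample in HJT format (a few entries in the style of the posted log,
# NOT the full log); used so the script runs stand-alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm594YYUS
O15 - Trusted Zone: www.gap.com
"""

# HJT entry lines look like "O4 - <body>"; R/F/N/O are the section families.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Core Windows processes of which a single-session XP machine runs one copy.
# Extra winlogon.exe instances are legitimate with Fast User Switching or
# Remote Desktop sessions, so a hit here means "verify", not "malicious".
SINGLETON_SYSTEM_PROCS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_hjt(text):
    """Return (running process paths, [(section, body), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/F/N/O entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            procs.append(line)
    return procs, entries


def o4_target(body):
    """Executable part of an O4 Run entry: '[name] "path" args' or '[name] path args'."""
    parts = body.split("] ", 1)
    after = parts[1] if len(parts) > 1 else ""
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    return after.split(" ", 1)[0]


def triage(text):
    """Apply the heuristics; returns a list of (section, reason, detail)."""
    procs, entries = parse_hjt(text)
    findings = []
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    for name, n in counts.items():
        if name in SINGLETON_SYSTEM_PROCS and n > 1:
            findings.append(("procs", f"{n} instances of a normally single process", name))
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO CLSID with no backing file (orphan entry)", body))
        elif section == "O4" and "Run: [" in body and "\\" not in o4_target(body):
            findings.append((section, "bare filename, resolved via the search path at logon", body))
        elif section == "O4" and body.endswith(" = ?"):
            findings.append((section, "startup shortcut whose target could not be resolved", body))
        elif section == "O8":
            target = body.split(" - ", 1)[-1]
            if not (target.lower().startswith(("http://", "https://", "res://", "file://")) or "\\" in target):
                findings.append((section, "context-menu item with an unrecognised target", body))
        elif section == "O15":
            findings.append((section, "site in the IE Trusted Zone (relaxed security settings)", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {detail}")
```

To use it on a real log, read the saved hijackthis.log into a string and pass it to triage() instead of SAMPLE_LOG. The checks are deliberately narrow so that the output stays short; they say nothing about O16 ActiveX downloads or O23 services, and they do not replace a helper's line-by-line review.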

Hi there, and welcome to Malwarebytes. You omitted part of the HJT log. Please follow the instructions below in the order given carefully and thoroughly.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

HiJack This! - http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

You will post three logs: 1. AVG scan, 2. Panda ActiveScan, 3. HijackThis scan. You will finish the AVG scan first, so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.


Hi - I do have Spybot and use it regularly. I did run a scan with it last night and also immunized. Here is the first log you requested, from AVG. I will run the other scans.

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 9:52:19 PM 9/11/2007

+ Scan result:

C:\Program Files\Screensavers.com -> Adware.Generic : Cleaned.

C:\RECYCLER\NPROTECT1366059.TXT -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.

C:\RECYCLER\NPROTECT1358774.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1358775.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1358776.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1358830.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1358831.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1366055.TXT -> TrackingCookie.Pointroll : Cleaned.

C:\RECYCLER\NPROTECT1358801.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358802.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358803.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358804.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358808.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358809.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358810.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358811.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358812.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358813.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358817.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358818.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358819.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358820.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358821.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358825.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358826.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358827.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358828.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358829.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358839.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358843.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358844.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358845.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358846.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358847.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1358848.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1366056.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\RECYCLER\NPROTECT1366060.TXT -> TrackingCookie.Serving-sys : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\Mom\Cookies\mom@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.

::Report end

This is also the HijackThis log I had; I must have had something missing.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:47 PM, on 9/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal



Also, I have run the Panda scan twice. Both times it completely shut down by itself when it was only about 1/2 done. It did tell me I had 2 hacker/rootkits at that point. I will try to run it a third time. I'm just not sure if it will make it through the whole scan.


I have attempted to run the Panda scan for a third time. It is shutting itself down at the same point each time, only making it about 1/3 through the scan.

Here is what it says when it freezes for about 5-10 minutes and then just shuts itself down.

files scanned 112,650...d settings\sam\windows\system\

That's as far as I can get in that scan. Something stops it at that point.


In your first HJT log you left off the system and boot type information. It is important for me to know. We don't know if you have a rootkit or not; to be safe, you should notify all banks and credit cards and change passwords, but don't log on until we clean you up.

Let's run this tool. Print the instructions for reference.

ComboScan

Download Deckard's System Scanner to your desktop. Alternate download link

Close all applications and windows.

  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt back into this thread for me to view.

A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.

Please attach Supplementary.txt to your post.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

At this point reboot the system, and post back another HJT log file along with the other two logs requested.


Deckard's System Scanner v20070905.67

Run by Mom on 2007-09-12 21:17:50

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

103: 2007-09-13 01:18:14 UTC - RP905 - Deckard's System Scanner Restore Point

102: 2007-09-13 00:57:27 UTC - RP904 - System Checkpoint

101: 2007-09-12 00:12:49 UTC - RP903 - Software Distribution Service 3.0

100: 2007-09-11 08:57:28 UTC - RP902 - System Checkpoint

99: 2007-09-10 07:57:22 UTC - RP901 - System Checkpoint

-- First Restore Point --

1: 2007-06-15 05:39:39 UTC - RP803 - Software Distribution Service 2.0

Backed up registry hives.

Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Mom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:22:09 PM, on 9/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\system32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\system32\HPHipm11.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\Z06YLA3O\dss[1].exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Mom.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton SystemWorks\Norton Antivirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Sam')

O4 - HKUS\S-1-5-21-1454471165-764733703-725345543-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Sam')

O4 - S-1-5-21-1454471165-764733703-725345543-1005 User Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE (User 'Sam')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Search - ?p=ZCxdm594YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.aaa.com

O15 - Trusted Zone: www.aaaohio.com

O15 - Trusted Zone: www.gap.com

O15 - Trusted Zone: http://maps.live.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115248224117

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 13002 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>

R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>

R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>

R1 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>

R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

R2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager


New Hijack This Log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:08:34 PM, on 9/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\WINDOWS\system32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\HPHipm11.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\kmw_run.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\system32\KMW_SHOW.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf

O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton SystemWorks\Norton Antivirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Search - ?p=ZCxdm594YYUS

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.aaa.com

O15 - Trusted Zone: www.aaaohio.com

O15 - Trusted Zone: www.gap.com

O15 - Trusted Zone: http://maps.live.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115248224117

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

End of file - 11959 bytes

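The helper reads these logs by section prefix: O2 browser helper objects, O4 autostart entries, O8 context-menu handlers, O15 Trusted Zone sites, O23 services, and the driver list from Deckard's System Scanner. As an added illustration, not code from this thread, from HijackThis or from Deckard's System Scanner, the following Python script applies a few of the same triage rules to lines copied from the log above, plus the cel90xbe.sys driver line the helper asks about later in the thread. The rule set, the severity labels (cleanup / review / investigate) and the helper function names are this example's own assumptions, not a HijackThis feature.

```python
"""Triage rules for a HijackThis / Deckard's System Scanner log.

Added example for this thread; not code from HijackThis, DSS or the forum.
The rule set and severity labels are this example's own assumptions.
"""
import re
from typing import Dict, List

# HijackThis lines: "O4 - HKLM\..\Run: [name] cmd", "R1 - HKCU\...,Key = value"
HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
# DSS driver listing: "R0 GBDevice - c:\...\gbdevice.sys <Not Verified; vendor; product>"
DSS_DRIVER_LINE = re.compile(r"^([RS][0-4]) (\S+) - (.+?)(?: <.*)?$")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\")
URL_SCHEMES = ("http://", "https://", "res://", "file://")

# Sample input: lines copied from the HijackThis and DSS output in this thread
# (the last line is the driver the helper later asks to have scanned).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\Z06YLA3O\dss[1].exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm594YYUS
O15 - Trusted Zone: www.gap.com
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
S3 cel90xbe - c:\documents and settings\sam\local settings\temp\cel90xbe.sys
"""


def looks_temporary(path: str) -> bool:
    """True when a file lives under a user's temp or browser-cache folders."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def o4_target(body: str) -> str:
    """Extract the launched file from an O4 body ('[name] cmd args' or 'x.lnk = path (User ...)')."""
    if " = " in body:
        target = body.split(" = ", 1)[1]
    elif "] " in body:
        target = body.split("] ", 1)[1]
    else:
        target = body
    target = target.strip().strip('"')
    match = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|dll))", target, re.I)
    return (match.group(1) if match else target).strip()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that a helper would want to look at, in log order."""
    findings: List[Dict[str, str]] = []

    def flag(level: str, section: str, reason: str, line: str) -> None:
        findings.append({"level": level, "section": section, "reason": reason, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hjt = HJT_LINE.match(line)
        if hjt:
            section, body = hjt.groups()
            if section == "O2" and body.endswith("(no file)"):
                flag("cleanup", section, "BHO CLSID registered but its DLL is gone (orphan)", line)
            elif section == "O4":
                target = o4_target(body)
                if looks_temporary(target):
                    flag("investigate", section, "autostart points into a temp or cache folder", line)
                elif "\\" not in target and target != "?":
                    flag("investigate", section, "bare file name, resolved via the PATH search order", line)
            elif section == "O8":
                target = body.split(" - ", 1)[-1].strip()
                if not target.lower().startswith(URL_SCHEMES):
                    flag("investigate", section, "context-menu handler with no URL or res:// target", line)
            elif section == "O15":
                flag("review", section, "site in the IE Trusted Zone runs with relaxed security", line)
            continue
        driver = DSS_DRIVER_LINE.match(line)
        if driver:
            start_type, name, path = driver.groups()
            if looks_temporary(path) or "\\system32\\drivers\\" not in path.lower():
                flag("investigate", "driver",
                     f"{name} (start type {start_type}) loads from outside system32\\drivers", line)
            continue
        # Bare "Running processes" lines carry no prefix; only temp-folder ones are interesting.
        if line[1:3] == ":\\" and looks_temporary(line):
            flag("review", "process", "running process launched from a temp or cache folder", line)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['level']:11}] {finding['section']:8} {finding['reason']}\n    {finding['line']}")
```

Run as a script it prints six findings from the sample. The rules are deliberately conservative: a Trusted Zone entry or a process in a cache folder is only a review item, since the dss[1].exe process above is the helper's own tool being run from the IE cache, and Trusted Zone sites may well have been added by the user. What a rule like this cannot do is decide whether an unknown driver such as cel90xbe.sys is malicious; that is why the helper sends the file to VirusTotal rather than deleting it on sight.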

OK we may be a step closer. Set your system to show hidden files and folders by doing this:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

Then using Windows Explorer navigate to this file:

Please scan this file, S3 cel90xbe - c:\documents and settings\sam\local settings\temp\cel90xbe.sys, here: http://www.virustotal.com/ . I'm reasonably sure it's going to show it is bad; if that is what you get for results, delete the file.

Now download and unzip this: http://www.gmer.net/gmer.zip

  • Right-click the Zip file to open it and select "Extract All"
  • Double-click gmer.exe to launch the program.
  • Click on the Rootkit Tab and on the right side, untick the Registry [] box, then click Scan.

Once the scan is done, hit the [ copy ] button, then open notepad and paste the results here for me to see.

Warning! Please do not select the "Show all" check box during the scan.

We will go from there.


I am getting ready to do the next step you told me to do. In the meantime, here is what I got back on the file cel90xbe.

If I am reading it correctly, nothing is wrong with it?? It said "Result: 0/32 (0%)". I'll let you look.

File cel90xbe.sys received on 09.14.2007 01:48:33 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result

AhnLab-V3 2007.9.14.0 2007.09.13 -

AntiVir 7.6.0.10 2007.09.13 -

Authentium 4.93.8 2007.09.14 -

Avast 4.7.1043.0 2007.09.13 -

AVG 7.5.0.485 2007.09.14 -

BitDefender 7.2 2007.09.14 -

CAT-QuickHeal 9.00 2007.09.13 -

ClamAV 0.91.2 2007.09.13 -

DrWeb 4.33 2007.09.13 -

eSafe 7.0.15.0 2007.09.13 -

eTrust-Vet 31.1.5134 2007.09.13 -

Ewido 4.0 2007.09.13 -

FileAdvisor 1 2007.09.14 -

Fortinet 3.11.0.0 2007.09.13 -

F-Prot 4.3.2.48 2007.09.13 -

F-Secure 6.70.13030.0 2007.09.13 -

Ikarus T3.1.1.12 2007.09.14 -

Kaspersky 4.0.2.24 2007.09.13 -

McAfee 5119 2007.09.13 -

Microsoft 1.2803 2007.09.14 -

NOD32v2 2529 2007.09.13 -

Norman 5.80.02 2007.09.13 -

Panda 9.0.0.4 2007.09.13 -

Prevx1 V2 2007.09.14 -

Rising 19.40.32.00 2007.09.13 -

Sophos 4.21.0 2007.09.13 -

Sunbelt 2.2.907.0 2007.09.13 -

Symantec 10 2007.09.13 -

TheHacker 6.1.10.186 2007.09.13 -

VBA32 3.12.2.4 2007.09.13 -

VirusBuster 4.3.26:9 2007.09.13 -

Webwasher-Gateway 6.0.1 2007.09.14 -

Additional information

File size: 15872 bytes

MD5: 9740a77e3df3f3620c3d75eb7642c0d1

SHA1: 2c850bb7a3dfb78d4a85df11a1be29fecf05b2bc


scan log for gmer.exe

GMER 1.0.13.12551 - http://www.gmer.net

Rootkit scan 2007-09-13 20:22:05

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT 82A4F428 ZwAlertResumeThread

SSDT 82A4F4E8 ZwAlertThread

SSDT 82A46710 ZwAllocateVirtualMemory

SSDT GoBack2K.sys ZwClose

SSDT 82A6C880 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey

SSDT 82A4DED0 ZwCreateMutant

SSDT 82A502F0 ZwCreateThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey

SSDT 82A47630 ZwFreeVirtualMemory

SSDT GoBack2K.sys ZwFsControlFile

SSDT 82A4DF90 ZwImpersonateAnonymousToken

SSDT 82A4F368 ZwImpersonateThread

SSDT 82AA5CE0 ZwMapViewOfSection

SSDT 82A4DE10 ZwOpenEvent

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess

SSDT 82AA2670 ZwOpenProcessToken

SSDT 82A4F8F0 ZwOpenThreadToken

SSDT 82BA5E30 ZwResumeThread

SSDT 82A4F830 ZwSetContextThread

SSDT 82A4F9B0 ZwSetInformationProcess

SSDT 82A4F770 ZwSetInformationThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey

SSDT 82A4DD50 ZwSuspendProcess

SSDT 82A4F5F0 ZwSuspendThread

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

SSDT 82A4F6B0 ZwTerminateThread

SSDT 82A4FA70 ZwUnmapViewOfSection

SSDT 82A46640 ZwWriteVirtualMemory

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isdigit] [4DC0BBD6] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!strpbrk] [4DC37BA0] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isspace] [4DC0BC63] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isalnum] [4DC0BCEB] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!time] [4DC3AEA3] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!strtoul] [4DC0D730] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_vsnprintf] [4DC2FF8A] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_ftol] [4DC3FA10] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!ispunct] [4DC0BCA7] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!iscntrl] [4DC0BDC6] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isalpha] [4DC0BB05] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_purecall] [4DC25F0D] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_CxxThrowException] [4DC126F6] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcsncpy] [4DC3806B] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!sprintf] [4DC2F931] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcsstr] [4DC38180] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!strncmp] [4DC37A50] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!srand] [4DC271BC] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!rand] [4DC271D3] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcslen] [4DC37FCC] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_wtoi] [4DC0CEE3] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcscpy] [4DC37E94] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_wcsnicmp] [4DC36ABB] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcstok] [4DC381E6] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_wcsicmp] [4DC367BD] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcscmp] [4DC37EE3] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!malloc] [4DC1C407] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!free] [4DC1C21B] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!realloc] [4DC1C437] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_initterm] [4DC29D67] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_adjust_fdiv] [4DC523D8] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!__dllonexit] [4DC24E51] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_onexit] [4DC24DF8] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!??1type_info@@UAE@XZ] [4DC11868] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!?terminate@@YAXXZ] [4DC1266D] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!wcscat] [4DC37E61] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!memchr] [4DC36E00] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isxdigit] [4DC0BC1A] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!_except_handler3] [4DC25C94] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F860F1DE] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F860F1DE] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F860F454] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F860F1DE] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F8602F4C] fltmgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [EEF0C8F0] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EEF0C950] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [EEF0C860] SYMEVENT.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [EEF0C860] SYMEVENT.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [EEF3C370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [EEF3C370] SYMTDI.SYS

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ [F85C3F80] GoBack2K.sys

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE [F85C41A0] GoBack2K.sys

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS [F85C4290] GoBack2K.sys

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL [F85C4380] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTR110 IRP_MJ_READ [F85C3F80] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTR110 IRP_MJ_WRITE [F85C41A0] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTR110 IRP_MJ_FLUSH_BUFFERS [F85C4290] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTR110 IRP_MJ_DEVICE_CONTROL [F85C4380] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTRPDO110 IRP_MJ_READ [F85C3F80] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTRPDO110 IRP_MJ_WRITE [F85C41A0] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTRPDO110 IRP_MJ_FLUSH_BUFFERS [F85C4290] GoBack2K.sys

Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTRPDO110 IRP_MJ_DEVICE_CONTROL [F85C4380] GoBack2K.sys

---- EOF - GMER 1.0.13 ----

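One way to triage a GMER log like the one above by hook owner, as an added example that is not part of the original thread and not GMER's own code. It parses the four record types the log contains (SSDT, IAT, AttachedDevice, Device), attributes each hook to the module GMER named, and sets aside the SSDT entries GMER could only resolve to a bare kernel address. The KNOWN_FILTER_DRIVERS set and the SAMPLE_LOG are assumptions for the example: the set is just the file names of the security and filter drivers that appear in the posted log, and the sample is a handful of lines copied from it.

```python
"""Triage a GMER rootkit-scan log by who owns each hook.

Added example for this thread; not GMER's code and not something the
original poster ran. KNOWN_FILTER_DRIVERS is an assumption: the file
names of the security / filter drivers named in the posted log.
Attribution is by file name only, so a driver that borrowed a vendor's
name would still land in the "known" bucket; confirm the on-disk file
(signature, hash, vendor) before trusting that bucket.
"""
import re
from collections import defaultdict

# Assumption for the example: drivers expected to hook on this machine.
KNOWN_FILTER_DRIVERS = {
    "symevent.sys",  # Symantec event driver (SSDT + NTFS filter)
    "symtdi.sys",    # Symantec TDI network filter
    "goback2k.sys",  # Norton GoBack disk filter
    "guard.sys",     # AVG Anti-Spyware real-time guard
    "fltmgr.sys",    # Windows Filter Manager, part of the OS
}

HEX = r"[0-9A-Fa-f]{6,8}"
RE_SSDT = re.compile(r"^SSDT\s+(?P<target>.+?)\s+(?P<func>Zw\w+)$")
RE_IAT = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>" + HEX + r")\]\s+(?P<owner>.+)$")
RE_DEV = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<driver>.+?)\s+(?P<device>\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+\[(?P<addr>" + HEX + r")\]\s+(?P<owner>.+)$")

# Constructed sample: a handful of lines copied from the posted GMER log.
SAMPLE_LOG = r"""
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-13 20:22:05
---- System - GMER 1.0.13 ----
SSDT 82A4F428 ZwAlertResumeThread
SSDT GoBack2K.sys ZwClose
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 82A46640 ZwWriteVirtualMemory
---- User IAT/EAT - GMER 1.0.13 ----
IAT C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe[2160] @ C:\WINDOWS\system32\WININET.dll [msvcrt.dll!isdigit] [4DC0BBD6] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F860F1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EEF0C860] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [EEF3C370] SYMTDI.SYS
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE [F85C41A0] GoBack2K.sys
Device \Driver\Dot4Storage HPH11 \Device\Harddisk1\HPHSTR110 IRP_MJ_READ [F85C3F80] GoBack2K.sys
---- EOF - GMER 1.0.13 ----
"""


def owner_name(target):
    """Module file name GMER attributed the hook to, or None for a bare address."""
    if re.fullmatch(HEX, target):
        return None
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Turn GMER log lines into hook records; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_SSDT.match(line):
            records.append({"kind": "SSDT", "what": m["func"],
                            "target": m["target"], "owner": owner_name(m["target"])})
        elif m := RE_IAT.match(line):
            # The import is redirected to the module in the trailing path.
            records.append({"kind": "IAT", "what": m["imp"],
                            "target": f"{m['proc']}[{m['pid']}] @ {m['module']}",
                            "owner": owner_name(m["owner"])})
        elif m := RE_DEV.match(line):
            records.append({"kind": m["kind"], "what": m["irp"],
                            "target": f"{m['driver']} {m['device']}",
                            "owner": owner_name(m["owner"])})
    return records


def triage(records, known=KNOWN_FILTER_DRIVERS):
    """Bucket hooks: known filter drivers, other named modules, bare addresses."""
    by_owner = defaultdict(list)
    unresolved = []
    for rec in records:
        if rec["owner"] is None:
            unresolved.append(rec)
        else:
            by_owner[rec["owner"]].append(rec)
    return {
        "known": {o: len(v) for o, v in by_owner.items() if o in known},
        "review": {o: len(v) for o, v in by_owner.items() if o not in known},
        "unresolved": unresolved,
    }


def report(text):
    """Human-readable triage of a GMER log; returns the lines it would print."""
    t = triage(parse_gmer(text))
    lines = ["Hooks by known filter driver (verify the file on disk, not just the name):"]
    lines += [f"  {o:14} {n:3} hook(s)" for o, n in sorted(t["known"].items())]
    lines.append("Other named modules, review each:")
    lines += [f"  {o:14} {n:3} hook(s)" for o, n in sorted(t["review"].items())]
    lines.append("Hooks GMER could only resolve to a kernel address (no module):")
    lines += [f"  {r['kind']} {r['what']} -> {r['target']}" for r in t["unresolved"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log, every named hook resolves to a Symantec, Norton GoBack, AVG Anti-Spyware or Filter Manager driver, all of which also appear among the running processes and services in the HijackThis log, while the IAT entries all redirect WININET.dll's msvcrt imports into the WinSxS copy of msvcrt.dll. The entries worth a second opinion are the SSDT hooks that GMER could only resolve to an address in the 82Axxxxx range, since nothing in the log says which driver owns that memory.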

Let's do this.

Create a Startup List

* Please boot into safe mode by tapping the F8 key just before Windows starts to load.

* Once in safe mode, open HiJackThis

* Click on the "Config..." button on the bottom right

* Click on the tab "Misc Tools"

* Put a check in the 2 boxes next to the box that says "Generate StartupList log"

* Click on the button "Generate StartupList log"

* Copy and paste the StartupList from the notepad into your next post. (it will be saved in the same folder with HijackThis)

Also give this scanner a try and see if it can run.

http://www.kaspersky.com/virusscanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

* The program will launch and then begin downloading the latest definition files:

* Once the files have been downloaded click on NEXT

* Now click on Scan Settings

* In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

o Scan Options:

Scan Archives

Scan Mail Bases

* Click OK

* Now under select a target to scan:

Select My Computer

* This program will start and scan your system.

* The scan will take a while so be patient and let it run.

* Once the scan is complete it will display if your system has been infected.

o Now click on the Save as Text button:

* Save the file to your desktop.

* Copy and paste that information in your next post.

I am getting a second opinion on the Gmer log too.


StartupList report, 9/13/2007, 9:43:35 PM

StartupList version: 1.52.2

Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:

[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]

*No files*

Shell folders AltStartup:

*Folder not found*

User shell folders Startup:

*Folder not found*

User shell folders AltStartup:

*Folder not found*

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Microsoft Works Calendar Reminders.lnk = ?

Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

Shell folders Common AltStartup:

*Folder not found*

User shell folders Common Startup:

*Folder not found*

User shell folders Alternate Common Startup:

*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe

Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

HPHmon04 = C:\WINDOWS\system32\hphmon04.exe

HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

tgcmd = "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf

kmw_run.exe = kmw_run.exe

MSWheel =

AcctMgr = C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

MimBoot = C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

MMTray = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"

MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

osCheck = "C:\Program Files\Norton SystemWorks\Norton Antivirus\osCheck.exe"

SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]

StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{4b218e3e-bc98-4770-93d3-2731b9329278}]

StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}]

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}]

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}]

StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}]

StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}]

StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*

run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=%SystemRoot%\System32\logon.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}

(no name) - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

(no name) - c:\program files\google\googletoolbar5.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job

HP Usg Login.job

MP Scheduled Scan.job

Norton AntiVirus - Run Full System Scan - Mom.job

one button checkeup.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab

OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[support.com Configuration Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll

CODEBASE = http://www.activation.rr.com/install/download/tgctlcm.cab

[sysProWmi Class]

InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx

CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[Microsoft Office Template and Media Control]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL

CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[sentinelVE3D Class]

InProcServer32 = C:\Program Files\Virtual Earth 3D\SentinelVirtualEarth3D.dll

CODEBASE = http://download.microsoft.com/download/0/f...tualEarth3D.cab

[Windows Genuine Advantage Validation Tool]

InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll

CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[symantec AntiVirus scanner]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}]

CODEBASE = http://forms.real.com/real/player/download...ne_Inst_Win.cab

OSD = C:\WINDOWS\Downloaded Program Files\RhapX.osd

[WUWebControl Class]

InProcServer32 = C:\WINDOWS\system32\wuweb.dll

CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1115248224117

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[Java Plug-in 1.6.0_02]

InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[ActiveScan Installer Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll

CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[MsnMessengerSetupDownloadControl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx

CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

[View22RTE Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\View22RTE.dll

CODEBASE = http://onlinedesigner.hgtv.com/images/app/view22rte.cab

[Java Plug-in 1.6.0_01]

InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

[Java Plug-in 1.6.0_02]

InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_02]

InProcServer32 = C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx

CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab

[{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]

CODEBASE = http://www.popcap.com/games/popcaploader_v6.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)

ati2mpaa: System32\DRIVERS\ati2mpaa.sys (manual start)

ati2mtaa: System32\DRIVERS\ati2mtaa.sys (manual start)

ATICDSDr: \??\C:\DOCUME~1\Mom\LOCALS~1\Temp\ATICDSDr.sys (manual start)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)

Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)

AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)

AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)

AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)

pcAnywhere Host Service: C:\Program Files\Symantec\pcAnywhere\awhost32.exe (manual start)

awlegacy: \SystemRoot\System32\Drivers\awlegacy.sys (system)

AW_HOST: system32\drivers\aw_host5.sys (system)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)

Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)

CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)

cel90xbe: \??\C:\DOCUME~1\Sam\LOCALS~1\Temp\cel90xbe.sys (manual start)

Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)

.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)

Symantec Lic NetConnect service: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (autostart)

COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)

DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Disk Driver: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

dmio: System32\drivers\dmio.sys (disabled)

dmload: System32\drivers\dmload.sys (disabled)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

MS IEEE-1284.4 Driver: system32\DRIVERS\Dot4.sys (manual start)

Dot4 HPH11: system32\DRIVERS\hphid411.sys (manual start)

Print Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Prt.sys (manual start)

Print Class Driver for IEEE-1284.4 HPH11: system32\DRIVERS\hphipr11.sys (manual start)

Scan Class Driver for IEEE-1284.4: system32\DRIVERS\Dot4Scan.sys (manual start)

Storage Class Driver for IEEE-1284.4 (HPH11): System32\Drivers\hphs2k11.sys (manual start)

Dot4USB Filter Dot4USB Filter: system32\DRIVERS\dot4usb.sys (manual start)

Dot4Usb HPH11: System32\drivers\hphius11.sys (manual start)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)

EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)

STFileDriver: \??\C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys (manual start)

Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)

FltMgr: system32\drivers\fltmgr.sys (system)

Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)

GBPoll: C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe (autostart)

gmer: System32\DRIVERS\gmer.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)

HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)

HTTP: System32\Drivers\HTTP.sys (manual start)

HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)

Imapi: system32\drivers\ImapiRox.sys (system)

IMAPI CD-Burning COM Service: C:\WINDOWS\System32\ImapiRox.exe (manual start)

IntelIde: System32\DRIVERS\intelide.sys (system)

IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (system)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)

Symantec IS Password Validation: "C:\Program Files\Norton SystemWorks\Norton Antivirus\isPwdSvc.exe" (manual start)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Kensington Input Devices Class filter driver: System32\DRIVERS\KMW_KBD.sys (manual start)

Kensington MouseWorks Mouse filter driver: system32\DRIVERS\KMW_SYS.sys (manual start)

Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)

LiveUpdate Notice Service Ex: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)

LiveUpdate Notice Service: "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller: system32\DRIVERS\m4cxw2k3.sys (manual start)

Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)

WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)

NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070913.017\NAVENG.SYS (manual start)

NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070913.017\NAVEX15.SYS (manual start)

Motorola SURFboard USB Cable Modem Windows Driver: System32\DRIVERS\NetMotCM.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (disabled)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Norton Unerase Protection Driver: \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS (manual start)

Norton Unerase Protection: C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (autostart)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)

Parallel port driver: System32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: System32\DRIVERS\pci.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

Pml Driver HPH11: C:\WINDOWS\system32\HPHipm11.exe (manual start)

IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Processor Driver: System32\DRIVERS\processr.sys (system)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)

PxHelp20: System32\Drivers\PxHelp20.sys (system)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

SbcpHid: \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

SDdriver: \??\C:\WINDOWS\system32\Drivers\sddriver.sys (manual start)

Secdrv: System32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)

Serial port driver: System32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)

Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: System32\DRIVERS\sr.sys (system)

System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

SRTSP: System32\Drivers\SRTSP.SYS (manual start)

SRTSPL: System32\Drivers\SRTSPL.SYS (manual start)

SRTSPX: System32\Drivers\SRTSPX.SYS (system)

Srv: System32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)

Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{37D52E74-DECE-4221-94CF-2E83DFAFA653} (manual start)

Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)

Symantec AppCore Service: "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" (autostart)

SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)

SymEvent: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (manual start)

SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)

SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)

SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070906.004\SymIDSCo.sys (manual start)

symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)

SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)

SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)

SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: System32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microcode Update Driver: System32\DRIVERS\update.sys (manual start)

Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)

Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)

Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)

USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)

Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)

VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Winachcf: System32\DRIVERS\winachcf.sys (manual start)

Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)

Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)

Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)

Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

Windows NT checkdisk command:

BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 40,218 bytes

Report generated in 0.547 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Friday, September 14, 2007 6:48:42 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.1

Kaspersky Anti-Virus database last update: 14/09/2007

Kaspersky Anti-Virus database records: 418126

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

A:\

C:\

D:\

E:\

Scan Statistics:

Total number of scanned objects: 144032

Number of viruses found: 1

Number of infected objects: 3

Number of suspicious objects: 0

Duration of the scan process: 02:51:21

Infected Object Name / Virus Name / Last Action


C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX: infected - 1 skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX Dropper: infected - 1 skipped


Scan process completed.


Well, there is a detection from Kaspersky's, certainly not a root kit. There is nothing to show a root kit in any scans we have run.

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX: infected - 1 skipped

C:\Program Files\AWS\WxBugSetup60b6.04.0.9m.EXE WiseSFX Dropper: infected - 1 skipped

Those files are from WeatherBug I'm guessing? You can get similar programs that don't give you AdWare etc. You should be able to uninstall the program via Add/Remove programs and delete any leftover files. Do the uninstall first then delete or you may have trouble uninstalling.

The other thing that is best to be rid of is the file I had you scan at Virus Total. Even though nothing was found there I did find it in some other logs and it was considered something to remove. I also consulted with a MS MVP and they agree it should go.

You should update your Adobe Reader to version 8. There is a known security flaw in version 7.

After you do these things above we need to reset your System Restore points and since you have GoBack that also. Any infection will be stored in that file, if you ever use it you will reinfect yourself. Now go to Start > Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program; AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

For an excellent list of reliable free firewalls and antivirus programs see here.

Did you ever have symptoms of infection? Popups, browser redirects, slow performance? I would also give a word of caution about the P2P program Limewire. P2P file sharing is risky and often illegal.


I am glad to hear you aren't detecting a root kit. I did look to see if weatherbug was on our system again and it is not. The reason I tell you I had to look and see is that my son has a tendency to want to change his cursor and gets on that Cursormania site, which I ordered him to stop quite some time ago. That site brings so much garbage onto our computer. Included is that weatherbug. I have several times gone onto Ad-aware and Spybot and had all the "extras" removed and then I check my add/remove programs and make sure nothing is listed there. Is it possible the files you listed are ones left behind when I remove those programs? And do you recommend I remove those?

I will also go remove the file you told me to and I will update my Adobe.

I also at one time purchased a firewall from Norton and after a year it expired and would no longer work. I'm not the smartest person on a computer, but I thought once you installed an extra firewall, it remained installed. I didn't know it would quit working after a year. It expired a few months ago and I haven't replaced it with anything. I will read your recommendations.

As for wondering if my system ever acts like it has a virus, it does run slow. But only sometimes. But my son is also hooked to his Xbox Live through this computer and I never knew if they played a part or not. I never have a problem with popups.

I did install Internet Explorer 7 recently (or I should say my computer automatically did; I had to change that setting) and it was a nightmare. I had constant problems and my Internet Settings no longer worked. I could not access anything. So I uninstalled Internet Explorer 7 and within a couple of days I realized I could not use my disk defragmenter and I could not run msconfig. It told me I had a file missing. mfc42.dll, I believe it was. After reading for several days online I finally figured out that the file was missing from system32. The file was on my computer in several different places but not where it belonged. So I copied the file and pasted it into system32 and I can use both the defragmenter and msconfig again. I have no idea why those things happened.

The other problem is how slow the computer starts up. I ran msconfig and thought I might know what I was looking at to see if too many things were trying to open during startup but I had no clue what I was looking at so I did nothing to change any of it. That still remains a problem.

I do use Norton Antivirus and update it each year. I also have Norton Systemworks and have several programs scheduled to run. I run windows defender, spybot and adaware. Is that enough or do you recommend something different? I can also read through the recommendations you gave me. Also, is it possible to try to run too many programs?

As for the Limewire, that has been a fight in our house, so I am glad to hear you do not recommend using it because I have been telling him that I was concerned what that site may be bringing onto our computer. Once he realizes someone else said not to use it, he won't have much of an argument. Plus I have been concerned over the legality of the site myself. They claim they are legal, but I believe Napster claimed the same, and we all know what happened there.

I'll take care of these things and perhaps you can tell me what we need to do to reset my system restore points and anything else you think I need to do.

I really appreciate all your time and effort in trying to resolve all of this.


:) Pardon me for a snicker or two. I was thinking Stephanie might be at fault here. Let's take one thing at a time. Change jr's account settings to non-administrator and he can't install anything, no junk period. He can still surf, use Xbox etc just not install programs. To do that:

Start > Control Panel > User Accounts. If you don't have user accounts set up, say everyone just turns on the PC and uses it, set up user accounts. You make yourself the administrator, say Mom is the account name, set it to password sign on, don't tell the kids the password, be sure you remember it or write it down and hide it. You can also make yourself a non-admin account and some recommend this because nothing can install, ie no bad stuff. CursorMania is a hotbed of malware, yes you should delete those leftover files.

The firewall: I am not a Symantec fan at all. I used to use it, changed once the subscription ran out to try something else, and it discovered 3 trojans that had been on my system for months! And my performance improved dramatically. I honestly don't know if your firewall is still working or not. I wouldn't take the chance it's not if I were you. Get a free one like ZoneAlarm: uninstall the old one, make sure the Windows SP2 one is off and use ZoneAlarm, or any other decent free one. There is no need to pay for any antivirus program either. Next time your subscription is due go out for a nice dinner instead and get a free program.... :P

When IE7 first came out there were major problems with it. I think they have been fixed now, I don't use it, unless I'm forced. It does have some parental control features you might like. You can restrict sites in it. (Your son is going to hate me.)

Reset System Restore: To erase all restore points, right click on My Computer, choose Properties, then click on the System Restore tab, put a check in Turn off System Restore, then click OK. It will delete all restore points set by Windows. GoBack I can't remember; you will have to look at the program and maybe the Symantec Knowledge Base. It is probably not crucial in your case either since we didn't really find anything bad.

To set a new point: Start > Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options; choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

OK, now LimeWire. LimeWire is a software program used for P2P file sharing and the program itself is legal, it's what can be done with the program that gets into the gray area. There is no disputing that. You mention a website. I don't know what that might be, it could be a torrent site, which there are many, not many are legal.

Bottom line, movies, music etc are all copyrighted materials and obtaining them any way other than paying the given price, is illegal. Who pays in the end when Jr is caught? Mom. To download free legal music etc, a program like LimeWire is not needed. Just going to some of these sites that claim to have free media can give you an extra payload not worth the "free" thing. When it sounds too good to be true, it usually is. This is where a host file and a program like SpyWare Blaster will save your bacon. They keep the site from ever loading. RogueRemover is another and it is made right here, there is a free version with many bad sites to block.

You're pretty sharp I would say to figure out what file was missing and to copy it into the needed location. Don't sell yourself short. You also ran these fixes we did and I can't count how many people I have tried to help, and they just can't seem to do them. Don't sell yourself short.

The best protection you can do is keep everything up to date in your software and scan at least weekly. Keep your Windows updated and programs like Java and Adobe. Don't allow kids administrative rights. It also saves them. These miscreants prey on the innocent and lure them into doing dangerous things.

If there is anything else I can help you with don't hesitate to ask. I am more than happy to help you.


You can join the club in my son hating people! He'll be mad at me when this is all over. He'll get over it. But to explain... I have always been administrator on the computer and he was not. I can't give you any specific details, simply because I can't remember, but by his not having administrator rights, the computer was stopping him from doing more than I thought it should. He had games, etc he was trying to play and he was being stopped on a lot of things. For the most part, he is a very trustworthy kid. He actually doesn't even use the computer for much at all. Generally to look up cheats for XBox 360 games! If he ever gets asked a question or something is asking for his permission before it downloads, etc., he always comes and asks me to look at it. So I really had no concern giving him the administrator rights. Actually the only thing that was ever causing problems, that I knew of, was the cursor mania and I made him stop that a long time ago. And when I looked today, those files you mentioned were definitely leftover from weatherbug even though the program was uninstalled. And recently the limewire has had me concerned so I knew I wanted to ask you about it. His cousin got him started on it and said she had been using it for a long time and it was "fine". I knew I would be uninstalling it. I just didn't trust it. It has already been uninstalled as we speak. And truthfully we have had this computer since 2000 and have never had a virus. Not any that have ever been detected, anyway.

I've also recently been told that many people do not have the trust in Symantec they used to. This is where I have a lack of knowledge and just do not know what to get that is considered great antivirus, spyware, etc. I plan on using your recommendations for all of it.

I was told to wait for a patch following Explorer 7 and I haven't seen one. At least nothing appears when I run Windows update. An IP Tech told me he has spent countless hours uninstalling that version for people because of all the problems it caused and he didn't recommend it until all the "bugs" were worked out. I'll look into it further.

I ran spybot again today and it seems every time I run it, it finds some problem relating to my Firewall and windows security center. If I tell it to fix it, it says it does. But then next time I look, my firewall says it is turned off. Is Spybot doing this when it fixes the problem, or do you think something else is turning the firewall off and spybot detects it?

This is what I got from Spybot today if you would consider helping me with it. The following are the results from two things it claimed it found:

Microsoft.WindowsSecurityCenter_disabled: [sBI $2E20C9A9] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.Windows.IEFirewallBypass: [sBI $1721401B] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: [sBI $4F6FBB06] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)

2007-08-31 SDMain.exe (1.0.0.4)

2007-08-31 SDUpdate.exe (1.0.6.4)

2007-08-31 SDWinSec.exe (1.0.0.8)

2007-08-31 SpybotSD.exe (1.5.1.15)

2007-08-31 TeaTimer.exe (1.5.0.9)

2007-09-15 unins000.exe (51.46.0.0)

2007-08-31 Update.exe (1.4.0.5)

2007-08-31 advcheck.dll (1.5.3.0)

2007-04-02 aports.dll (2.1.0.0)

2007-04-02 DelZip179.dll (1.79.5.3)

2007-08-31 SDHelper.dll (1.5.0.8)

2007-08-31 Tools.dll (2.1.2.0)

2007-09-12 Includes\Cookies.sbi (*)

2007-07-25 Includes\Dialer.sbi (*)

2007-09-12 Includes\DialerC.sbi (*)

2007-08-29 Includes\Hijackers.sbi (*)

2007-09-12 Includes\HijackersC.sbi (*)

2007-07-25 Includes\Keyloggers.sbi (*)

2007-09-12 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2007-09-12 Includes\Malware.sbi (*)

2007-09-12 Includes\MalwareC.sbi (*)

2007-09-05 Includes\PUPS.sbi (*)

2007-09-12 Includes\PUPSC.sbi (*)

2007-09-12 Includes\Revision.sbi (*)

2007-05-30 Includes\Security.sbi (*)

2007-09-12 Includes\SecurityC.sbi (*)

2007-09-12 Includes\Spybots.sbi (*)

2007-09-12 Includes\SpybotsC.sbi (*)

2007-08-21 Includes\Tracks.uti

2007-09-12 Includes\Trojans.sbi (*)

2007-09-12 Includes\TrojansC.sbi (*)

2008-12-24 Plugins\TCPIPAddress.dll

2nd problem found:

Microsoft.WindowsSecurityCenter_disabled: [sBI $2E20C9A9] Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.Windows.IEFirewallBypass: [sBI $1721401B] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: [sBI $4F6FBB06] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)

2007-08-31 SDMain.exe (1.0.0.4)

2007-08-31 SDUpdate.exe (1.0.6.4)

2007-08-31 SDWinSec.exe (1.0.0.8)

2007-08-31 SpybotSD.exe (1.5.1.15)

2007-08-31 TeaTimer.exe (1.5.0.9)

2007-09-15 unins000.exe (51.46.0.0)

2007-08-31 Update.exe (1.4.0.5)

2007-08-31 advcheck.dll (1.5.3.0)

2007-04-02 aports.dll (2.1.0.0)

2007-04-02 DelZip179.dll (1.79.5.3)

2007-08-31 SDHelper.dll (1.5.0.8)

2007-08-31 Tools.dll (2.1.2.0)

2007-09-12 Includes\Cookies.sbi (*)

2007-07-25 Includes\Dialer.sbi (*)

2007-09-12 Includes\DialerC.sbi (*)

2007-08-29 Includes\Hijackers.sbi (*)

2007-09-12 Includes\HijackersC.sbi (*)

2007-07-25 Includes\Keyloggers.sbi (*)

2007-09-12 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2007-09-12 Includes\Malware.sbi (*)

2007-09-12 Includes\MalwareC.sbi (*)

2007-09-05 Includes\PUPS.sbi (*)

2007-09-12 Includes\PUPSC.sbi (*)

2007-09-12 Includes\Revision.sbi (*)

2007-05-30 Includes\Security.sbi (*)

2007-09-12 Includes\SecurityC.sbi (*)

2007-09-12 Includes\Spybots.sbi (*)

2007-09-12 Includes\SpybotsC.sbi (*)

2007-08-21 Includes\Tracks.uti

2007-09-12 Includes\Trojans.sbi (*)

2007-09-12 Includes\TrojansC.sbi (*)

2008-12-24 Plugins\TCPIPAddress.dll


SB S&D is detecting that your Windows firewall is turned off and the Security Center. wscsvc <=== is the Windows Security Center service. You just need to tell SB S&D to ignore it next time it scans. Open the program, make sure it is in advanced mode (click on Mode to see), and click on Settings, then Ignore Products, and look for SecurityC.sbi; in there you will see several Windows services etc., the second one is the firewall. You can also right click on the item or any item in the scan results and choose to ignore. http://www.safer-networking.org/en/index.html This is the home site of SB S&D, you will find all the information for configuring the program there.

I just gave you the admin account info in case you needed it. You know your son. LOL I don't care if he hates me. I do care if he is exploited because he is an innocent child. I know of too many horrors. You can tell his cousin that what she is doing is no different than shop lifting. Game cheat sites can be bad also, because they know kids will be there and they plant malware.

Good free antivirus, AntiVir is what I use, I really like it. Avast is also good and I have used it. AVG is good. Those are just 3. I can guarantee you will get better performance without the Symantec. :P You will lose GoBack and System Doctor but you can replace what they do with other free programs. GoBack is essentially what is already built into XP in SystemRestore. SystemDoctor is a combination of some built in Windows functions, disk error check, disk defragment and a registry cleaner. They always run and use resources though, so it affects your performance.

Let me know if you have further questions.

I have another question on top of my last one. I have tried to download Zone Alarm and I get this message as soon as it should start downloading:

Setup was unable to find the msi package or patch

'http://redirect.zonelabs.com/redirect/route?mode=1&app=inclient&date=1&dest=stub&oem=1001&prod=0&lang=en&link_id=1'

Have any idea what this means? I have tried to download it from several different sites and it gives me the same message each time.

Hi, sorry this is a slow reply; I'm a bit under the weather with a bug. I would try disabling Symantec and see if you can download. It could be stopping the download as a threat because it contains an executable file.

A quick Google search came up with two hits at the ZoneAlarm forums. MSI is also the Microsoft Installer, so that might be it. http://forum.zonelabs.org/zonelabs/board/m...essage.id=72126 and here http://forums.zonelabs.com/zonelabs/board/...essage.id=72127

Thought you might want to see these too:

I often hear from readers who are worried about the repercussions of downloading music and movies from file-sharing sites or P2P services such as LimeWire and Bittorrent. It is true that some individuals have been sued for downloading and/or sharing copyrighted materials. But now there's something new to worry about. The MPAA (Motion Picture Association of America) is filing suit against TorrentSpy, a search engine that helps people find and download movies. Although TorrentSpy does not host, sell or distribute any files, the MPAA contends that they are violating copyright law by helping people find links to pirated movies.

Read on to learn why this might lead to a knock on your door by the MPAA, and what it will mean to your Internet privacy if the MPAA prevails in court...

SUED - http://askbobrankin.com/sued_for_searching.html

And if you missed the companion article, here's the link:

SAFE - http://askbobrankin.com/sued_for_downloading.html
