# Solved: Need help removing viruses



## GlennU (Jul 25, 2005)

Please assist... While attempting to run Norton, virus alerts come up from WinAntivirus. Also see bugs running across the screen, and while connected to the internet the browser is frequently closed. HJT file below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:59 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\elizabeth unger\cftmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [18c7eaaf] rundll32.exe "C:\WINDOWS\system32\sksikxht.dll",b
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\elizabeth unger\cftmon.exe
O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B01CA61-B790-4ED3-8B2C-559CFD923BDC}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9650 bytes


----------



## Jintan (Oct 4, 2007)

Hello GlennU,

How many computers do you all have, and I reckon more importantly, how do they get so infected? Let's get more detailed and current information then start some repairs.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Options, place a check next to the following:

*Backup Registry Hives*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

You can use extra posts here if needed for that.


----------



## GlennU (Jul 25, 2005)

Jintan. First, thanks for assisting. My daughter returned from college a few weeks ago. Before she returned she was running her computer without any computer protection for at least a few weeks.

I've turned off all of the anti-spyware/anti-virus apps.

I downloaded DSS to her computer and copied "%userprofile%\desktop\dss.exe" /config as you instructed, but was not successful. Her computer (Dell laptop) responded with the following: "c:\documents and settings\elizabeth unger\desktop\dss.exe is not a valid win32 application."

Thanks,
Glenn U.


----------



## Jintan (Oct 4, 2007)

Malware trick with a hook likely.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.

Download SDFix.exe and save it to your desktop.

Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep infection from reinstalling right now.

===================================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click *RunThis.bat* to start the script.

Next type *Y* to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file *Report.txt* back here.

=============================

After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

============================

Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, *uncheck* all the boxes except this one:

*Security Center*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post that along with the Malwarebytes log and the SDFix report.txt log please.


----------



## GlennU (Jul 25, 2005)

Even in Safe Mode with the antivirus/antispyware disabled.


----------



## Jintan (Oct 4, 2007)

Delete the existing copy of SDFix.exe, and Download SDFix.exe again and save it to your desktop. However, this time I would like you to rename the file as you download it (do not download it directly without renaming it). Rename the download file to george.exe, so george.exe is downloaded and saved to your desktop. Then again click on george.exe to install SDFix in Safe Mode.


----------



## GlennU (Jul 25, 2005)

Didn't run. Also tried downloading file to another computer, renamed to george, copied to infected computer. Still didn't run.


----------



## Jintan (Oct 4, 2007)

The HijackThis log does not show the methods I know of that cause this invalid image error, so no brute force solutions right now. Attempt to instead run the Malwarebytes scan please.

Open HijackThis, and choose None of the above, just start the program. Click Config - Misc Tools - Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

*C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\rundll32.exe*

Not all these are necessarily infection (rundll32.exe is not) but may be in use by infection to support their processes.

Then try Malwarebytes.
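The process list Jintan picked out above (spools.exe in the drivers folder, cftmon.exe under a user profile, xpupdate.exe in the Windows root, a rundll32 entry with a random hex value name) can be spotted from the O4 autostart lines of the HijackThis log posted at the top of the thread. The script below is an added example, not part of this thread or of HijackThis: it parses those O4 lines and applies a few defender-side heuristics (unusual location, near-miss of a well-known Windows binary name, hex-only Run value name). The sample lines are copied from the posted log; the heuristics and thresholds are this example's own assumptions, not a signature database.

```python
"""Triage heuristics for HijackThis O4 (autostart) entries.

Added example for this thread; not part of HijackThis or of the original
posts. Flags an autostart entry for manual review when its executable sits
in an unusual folder, when its file name is a near-miss of a well-known
Windows binary (cftmon.exe vs ctfmon.exe, spools.exe vs spoolsv.exe), or
when the Run value name is eight random-looking hex digits.
"""
import re
from typing import Dict, List

# Constructed sample: O4 lines reproduced from the HijackThis log posted
# at the top of this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\elizabeth unger\cftmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [18c7eaaf] rundll32.exe "C:\WINDOWS\system32\sksikxht.dll",b
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
""".strip().splitlines()

# Bracketed O4 form: "O4 - <hive>\..\Run: [<value name>] <command> (User '<x>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# Well-known Windows binaries that malware names tend to imitate (assumed list).
WINDOWS_BINARIES = {
    "ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe", "smss.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_from_command(cmd: str) -> str:
    """Return the file actually loaded by an O4 command string."""
    cmd = cmd.strip()
    # rundll32 loader: the artefact worth examining is the DLL it loads.
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)"?', cmd, re.IGNORECASE)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def location_flags(path: str) -> List[str]:
    """Heuristic location checks (assumed thresholds, not a rule set)."""
    low = path.lower().replace("/", "\\")
    directory = low.rsplit("\\", 1)[0] if "\\" in low else ""
    flags = []
    # Installed software lives in Program Files or Application Data, not
    # directly in the profile root (C:\Documents and Settings\<user>\x.exe).
    if re.match(r"^c:\\documents and settings\\[^\\]+$", directory):
        flags.append("executable in user profile root")
    # The drivers folder holds .sys files; an autostarted .exe there is odd.
    if directory.endswith("\\system32\\drivers") and low.endswith(".exe"):
        flags.append("executable in drivers folder")
    if directory in ("c:\\windows", "c:\\winnt"):
        flags.append("executable directly in Windows root")
    return flags


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse bracketed O4 lines and return the entries worth a closer look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup and other O4 forms are not handled here
        exe = executable_from_command(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = location_flags(exe)
        for legit in sorted(WINDOWS_BINARIES):
            if base != legit and edit_distance(base, legit) <= 2:
                reasons.append(f"name resembles {legit}")
        if re.fullmatch(r"[0-9a-f]{8}", m.group("name").lower()):
            reasons.append("random-looking hex value name")
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f['hive']} [{f['name']}] {f['path']}: {'; '.join(f['reasons'])}")
```

Note what the heuristics miss: the rogue WinAntivirusPro entry looks like ordinary installed software by path and name, and it was Malwarebytes' signatures (Rogue.WinAntivirus in the log further down) that identified it, so this kind of triage narrows the list but does not replace a scanner.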


----------



## GlennU (Jul 25, 2005)

After some playing around, I got SDfix to run in the safe mode. Report below.

*SDFix: Version 1.195 *
Run by elizabeth unger on Mon 06/23/2008 at 05:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper 
Restoring Default Schedule Service Path

Rebooting

*Checking Files *:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\79.TMP - Deleted
C:\Documents and Settings\elizabeth unger\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\elizabeth unger\Application Data\Install.dat - Deleted
C:\Documents and Settings\elizabeth unger\Local Settings\Temp\temDA.tmp.exe - Deleted
C:\Documents and Settings\elizabeth unger\Local Settings\Temp\temDE.tmp.exe - Deleted
C:\Documents and Settings\elizabeth unger\Local Settings\Temp\temE3.tmp.exe - Deleted
C:\Documents and Settings\elizabeth unger\Local Settings\Temp\temEA.tmp.exe - Deleted
C:\Documents and Settings\elizabeth unger\Local Settings\Temp\updE5.tmp.exe - Deleted
C:\WINDOWS\system32\blackster.scr - Deleted
C:\WINDOWS\system32\ctfmonb.bmp - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 18:04:49
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabled:Pharos Com Task Master "

*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Mon 23 Jun 2008 41,472 A.SH. --- "C:\WINDOWS\system32\Crypt_16.dll"
Thu 14 Feb 2008 24,576 ...H. --- "C:\Documents and Settings\elizabeth unger\Desktop\~WRL0758.tmp"
Sun 16 Sep 2007 12,866 ...H. --- "C:\Documents and Settings\elizabeth unger\My Documents\English\~WRL0003.tmp"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT4.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Tue 21 Aug 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

*Finished!*

MBAM REPORT

Malwarebytes' Anti-Malware 1.18
Database version: 883

6:31:31 PM 6/23/2008
mbam-log-6-23-2008 (18-31-31).txt

Scan type: Quick Scan
Objects scanned: 40429
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wvUKBTjG.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xfkqeofi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\baseiil32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c1e497f-d93a-48b1-a558-7eaa026f455b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8c1e497f-d93a-48b1-a558-7eaa026f455b} (Trojan.Vundo) -> Delete on reboot.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mirar (AdWare.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18c7eaaf (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\Zango 10.3.35.0 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvukbtjg -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvukbtjg -> Delete on reboot.

Folders Infected:
C:\Program Files\WinAntivirusPro3.8 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nehvijhb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bhjivhen.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUKBTjG.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\GjTBKUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GjTBKUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xfkqeofi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ifoeqkfx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ylanards.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdranaly.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00B370C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C4C39.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C70A4.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\0HQB8TYR\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\W1QJS1UV\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinAntivirusPro3.8\Winviruspro.exe (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baseecscn32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baseiil32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Start Menu\Programs\WinAntivirusPro.lnk (Rogue.SpyRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\elizabeth unger\Desktop\WinAntivirusPro.lnk (Rogue.Link) -> Quarantined and deleted successfully.


----------



## GlennU (Jul 25, 2005)

Main Text below

Deckard's System Scanner v20071014.68
Run by elizabeth unger on 2008-06-23 18:45:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

-- HijackThis (run as elizabeth unger.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:19 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\elizabeth unger\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\elizabeth unger.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
O2 - BHO: {bf4dd4be-ae58-febb-33e4-15bc43c54dc0} - {0cd45c34-cb51-4e33-bbef-85eaeb4dd4fb} - C:\WINDOWS\system32\epvauxbs.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E77C516-10E9-4773-B3AD-B0D03DCA0F70}: NameServer = 71.242.0.12 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B01CA61-B790-4ED3-8B2C-559CFD923BDC}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9836 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>

S3 catchme - c:\docume~1\elizab~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

S3 sdAuxService (PC Tools Auxiliary Service) - c:\program files\spyware doctor\pctsauxs.exe (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 18:01:14 642 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - elizabeth unger.job

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 18:33:56 3977 --ahs---- C:\WINDOWS\system32\GjTBKUvw.ini2
2008-06-23 18:24:38 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Malwarebytes
2008-06-23 18:24:30 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 18:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 17:41:19 0 d-------- C:\WINDOWS\ERUNT
2008-06-22 20:38:46 108544 --a------ C:\WINDOWS\system32\epvauxbs.dll
2008-06-21 14:40:55 108544 --a------ C:\WINDOWS\system32\creblhtk.dll
2008-06-21 13:50:01 99328 --a------ C:\WINDOWS\system32\myucaall.dll
2008-06-21 13:48:15 41472 --ahs---- C:\WINDOWS\system32\Crypt_16.dll
2008-06-21 13:48:14 33837 --a------ C:\WINDOWS\system32\Crypt16.exe
2008-06-21 13:47:01 108544 --a------ C:\WINDOWS\system32\tattsloj.dll
2008-06-10 19:09:48 108544 --a------ C:\WINDOWS\system32\wuyuabpe.dll
2008-06-10 18:41:01 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 18:40:35 0 d-------- C:\Program Files\Spyware Doctor
2008-06-10 18:40:35 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\PC Tools
2008-06-09 19:32:27 0 d-------- C:\VundoFix Backups
2008-06-09 19:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-09 19:08:30 108544 --a------ C:\WINDOWS\system32\ebehcgun.dll
2008-06-08 14:45:19 108544 --a------ C:\WINDOWS\system32\cjuuvhok.dll
2008-06-07 14:17:19 108544 --a------ C:\WINDOWS\system32\ddtoaijr.dll
2008-06-07 13:37:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-07 13:07:36 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Symantec
2008-06-07 13:02:55 0 d-------- C:\Program Files\Windows Sidebar
2008-06-07 13:01:07 0 d-------- C:\Program Files\Norton Internet Security
2008-06-07 12:39:21 0 d-------- C:\Program Files\NetFilter
2008-05-28 14:18:26 372736 -----n--- C:\WINDOWS\system32\wvUKBTjG.dll
2008-05-26 17:45:34 276 --a------ C:\xcrashdump.dat

-- Find3M Report ---------------------------------------------------------------

2008-06-23 16:32:24 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Wave Systems Corp
2008-06-21 13:55:04 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-07 14:13:01 0 d-------- C:\Program Files\SurfingSoftware
2008-06-07 13:31:42 0 d-------- C:\Program Files\Symantec
2008-06-07 13:02:26 0 d-------- C:\Program Files\Common Files
2008-04-23 17:09:02 0 d-------- C:\Program Files\Pharos
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F4.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F3.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F2.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F1.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F0.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EF.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EE.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7ED.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EC.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 17:08:55 0 d-------- C:\Program Files\PharosSystems

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0cd45c34-cb51-4e33-bbef-85eaeb4dd4fb}]
06/22/2008 08:38 PM	108544	--a------	C:\WINDOWS\system32\epvauxbs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
02/06/2008 11:05 PM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/07/2008 01:02 PM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [02/06/2008 11:05 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 08:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 01:49 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" []
"WinAntivirusPro"="C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/21/2007 2:33:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Crypt16.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{718fbbe6-3683-11dd-a78f-001c230b755b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-06-23 18:46:55 ------------

## GlennU (Jul 25, 2005)

Extra Text below

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1014.04 MiB / 605.04 MiB
Pagefile Memory (total/avail): 2441.05 MiB / 2052.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.72 MiB

C: is Fixed (NTFS) - 74.44 GiB total, 50.83 GiB free. 
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST980813AS - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 94.1 MiB
\PARTITION1 (bootable) - Installable File System - 74.44 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.5.0.23 (Symantec Corporation) Disabled
AV: Norton Internet Security v15.5.0.23 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabledharos Com Task Master "

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"="C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe:*:Enabledharos Com Task Master "
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\elizabeth unger\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DD1NKHD1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\elizabeth unger
LOGONSERVER=\\DD1NKHD1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\PharosSystems\OutputManagement;C:\Program Files\PharosSystems\Core
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp
USERDOMAIN=DD1NKHD1
USERNAME=elizabeth unger
USERPROFILE=C:\Documents and Settings\elizabeth unger
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

elizabeth unger _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office system --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom ASF Management Applications --> MsiExec.exe /I{27E25625-DB51-42E6-BEB7-0C8DC878770C}
Broadcom Management Programs --> MsiExec.exe /X{C99C0593-3B48-41D9-B42F-6E035B320449}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
Business Contact Manager for Outlook 2007 --> "C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 --> MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Conexant HDA D330 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Dell Touchpad --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Digital Line Detect --> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033 
EMBASSY Security Center --> C:\Program Files\InstallShield Installation Information\{EEAFE1E5-076B-430A-96D9-B567792AFA88}\setup.exe -runfromtemp -l0x0409
EMBASSY Security Setup --> C:\Program Files\InstallShield Installation Information\{53333479-6A52-4816-8497-5C52B67ED339}\setup.exe -runfromtemp -l0x0409
EMBASSY Trust Suite by Wave Systems --> C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe -runfromtemp -l0x0009 -removeonly
ESC Home Page Plugin --> C:\Program Files\InstallShield Installation Information\{E738A392-F690-4A9D-808E-7BAF80E0B398}\setup.exe -runfromtemp -l0x0409
ETS Upgrade --> C:\Program Files\InstallShield Installation Information\{72FECEA1-E87F-4192-89FA-D0FBF92885BB}\setup.exe -runfromtemp -l0x0409
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelliSonic Speech Enhancement --> MsiExec.exe /X{D9FCA292-1186-421F-8D93-9A5D272AD5D0}
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007 --> MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Diagnostic Tool --> MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\elizabeth unger\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
Norton Security Scan --> MsiExec.exe /I{DA15D535-5E1D-4076-B520-8571346D6238}
NTRU TCG Software Stack --> MsiExec.exe /I{A618BB0D-8B88-45FF-83CD-783B4AE59AA0}
O2Micro USB Smart Card Reader --> MsiExec.exe /I{9556CFD4-3F7E-4D1C-958B-759703E9CC21}
Pharos --> C:\PROGRA~1\Pharos\bin\Local.EXE
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Preboot Manager --> MsiExec.exe /I{3A6BE9F4-5FC8-44BB-BE7B-32A29607FEF6}
Private Information Manager --> C:\Program Files\InstallShield Installation Information\{0B0A2153-58A6-4244-B458-25EDF5FCD809}\setup.exe -runfromtemp -l0x0409
QuickSet --> C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
SearchAssist --> C:\DELL\SearchAssist\UninstSA.bat
Secure Update --> C:\Program Files\InstallShield Installation Information\{D1E829E9-88B8-47C6-A75E-0D40E2C09D50}\setup.exe -runfromtemp -l0x0409
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Wizards --> C:\Program Files\InstallShield Installation Information\{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4}\setup.exe -runfromtemp -l0x0409
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SurfingSoftware --> C:\Program Files\SurfingSoftware\uninstall.exe
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
Symantec Technical Support Web Controls --> MsiExec.exe /X{20C53FA2-4307-4671-A93F-9463B29DFCF1}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
upekmsi --> MsiExec.exe /I{FBEC50B7-537C-4A0E-8B0B-F7A8F8BF13CE}
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Wave Infrastructure Installer --> MsiExec.exe /I{D31F958E-7353-4DEB-83E8-35B02F2EE20A}
Wave Support Software --> C:\Program Files\InstallShield Installation Information\{07D618CD-B016-438A-ADC9-A75BD23F85CE}\setup.exe -runfromtemp -l0x0409
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\pbadrv_40CD90DE1AD5BDAF5E2676750520DB94FDE3886E\pbadrv.inf
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\oz776_ECA62BF451D0A6F7B3E38E62F6FA5166CAF54FCE\oz776.inf
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type17185 / Error
Event Submitted/Written: 06/23/2008 06:39:07 PM
Event ID/Source: 4691 / COM+
Event Description:
The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d027)

Event Record #/Type17184 / Error
Event Submitted/Written: 06/23/2008 06:39:07 PM
Event ID/Source: 4427 / MSDTC Client
Event Description:
Failed to initialize the needed name objects. Error Specifics: d:\qxp_slp\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 1992
No Callstack,
CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Event Record #/Type17121 / Error
Event Submitted/Written: 06/23/2008 06:03:04 PM
Event ID/Source: 4691 / COM+
Event Description:
The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d027)

Event Record #/Type17120 / Error
Event Submitted/Written: 06/23/2008 06:03:04 PM
Event ID/Source: 4427 / MSDTC Client
Event Description:
Failed to initialize the needed name objects. Error Specifics: d:\qxp_slp\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 2800
No Callstack,
CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Event Record #/Type17119 / Error
Event Submitted/Written: 06/23/2008 06:02:55 PM
Event ID/Source: 0 / Broadcom ASF IP and SMBIOS Mailbox Monitor
Event Description:
!ERROR 53 Refreshing BMAPI data

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type46600 / Error
Event Submitted/Written: 06/23/2008 06:43:46 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer ATHOMEUSER
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{17E70E8A-D562-4EB.
The master browser is stopping or an election is being forced.

Event Record #/Type46599 / Warning
Event Submitted/Written: 06/23/2008 06:42:11 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type46577 / Error
Event Submitted/Written: 06/23/2008 06:39:03 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The PC Tools Auxiliary Service service failed to start due to the following error: 
%%2

Event Record #/Type46566 / Warning
Event Submitted/Written: 06/23/2008 06:21:32 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type46556 / Error
Event Submitted/Written: 06/23/2008 06:07:44 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer ATHOMEUSER
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{17E70E8A-D562-4EB.
The master browser is stopping or an election is being forced.

-- End of Deckard's System Scanner: finished at 2008-06-23 18:46:55 ------------


----------



## Jintan (Oct 4, 2007)

I would like the details on what changes you made that allowed SDFix to run successfully, please. Tough infection, and more of the same remaining, though made vulnerable to removal now. There is some risk involved in the next procedure, since it will aggressively remove the visible infection items, but may affect any we cannot yet see in logs. Although tools already used, like Deckard's, created some backup options for emergencies, it would be a good idea to offload any personal data to save as well, just as a backup precaution.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

*F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe*

Then re-open HijackThis, run a new scan and check if those items do not appear again. If they do, repeat the previous step one additional time, then check again. If they still appear DO NOT move on to the next steps, and instead post back here and we will review other methods to use.

----------------------------------------

Download The Avenger by Swandog from here and save it to your Desktop.

Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


```
Begin copying here:
Files to delete:
C:\WINDOWS\system32\GjTBKUvw.ini2
C:\WINDOWS\system32\epvauxbs.dll
C:\WINDOWS\system32\creblhtk.dll
C:\WINDOWS\system32\myucaall.dll
C:\WINDOWS\system32\Crypt_16.dll
C:\WINDOWS\system32\Crypt16.exe
C:\WINDOWS\system32\tattsloj.dll
C:\WINDOWS\system32\wuyuabpe.dll
C:\WINDOWS\system32\ebehcgun.dll
C:\WINDOWS\system32\cjuuvhok.dll
C:\WINDOWS\system32\ddtoaijr.dll
C:\WINDOWS\system32\wvUKBTjG.dll
C:\xcrashdump.dat
Folders to Delete:
C:\Program Files\Zango
C:\Program Files\SurfingSoftware
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\NetFilter
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cd45c34-cb51-4e33-bbef-85eaeb4dd4fb}
```
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

----------------------------

Then open and run a new scan with Malwarebytes again.

-----------------------------

Once that has completed reconnect to net access and Go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the *Preferences* button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

*Start-up Options:*
*Start SUPERAntiSpyware when Windows starts

*Automatic Updates:*
*Check for program updates when the application starts.
*Start-up Scanning:*
*Check for updates before scanning on startup.

Then click the *Scan your Computer* button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.

--------------------------------------------

Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, uncheck all the boxes.

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post that along with the C:\avenger.txt log, and the SUPERAntiSpyware log please.


----------



## Jintan (Oct 4, 2007)

Assuming that all goes as planned I would also like to check the files Avenger removed. If you would, once all those steps have been completed navigate to the C:\avenger\*backup.zip*. Then just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

You DO NOT need to be a member to upload, anybody can upload the files. Once you have done the upload you will not be able to see the file you just posted, which is okay.


----------



## GlennU (Jul 25, 2005)

I right-clicked on the SDFix (a.k.a. George) file and chose the "Run as" option. A window appeared with a circle selected with the following wording: "Current User (DD1NKd1/elizabeth unger)". Under that was a box that was checked with the following wording: "Protect my computer and data from unauthorized program activity". I unchecked the box and SDFix ran. Afterward I did check to see if the window popped up for all the applications, but don't remember which apps had that window.

Before I do as you've instructed, I must speak with my daughter about what should be backed-up. Hopefully I'll have a response for you by tomorrow.

For some reason, I'm not always getting alerted by email when you respond. Any suggestions?

Thanks
GlennU


----------



## GlennU (Jul 25, 2005)

have been uploaded. Avenger backup.zip should be received in the spykiller forum.

Thanks,
GlennU


----------



## Jintan (Oct 4, 2007)

Good - I will check the upload soon. Go ahead with the posts if you would.


----------



## GlennU (Jul 25, 2005)

In your last post you wrote to go ahead with the posts. I thought I did. If not, please let me know.


----------



## Jintan (Oct 4, 2007)

Probably some communication issues here. I was waiting on the log files to be posted here for review. I see now you indicated they were "uploaded"? Either way if you would go ahead and post the logs here now, and we will keep moving forward.

I did receive the avenger.zip, thanks. The Crypt16.exe startup definitely had a means of recreating that startup setting, as well as itself and other files, and was creating a backdoor means of communicating there as well.


----------
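The Winlogon Userinit entry that Jintan had fixed with HijackThis, and that he notes Crypt16.exe kept recreating, is the kind of entry worth checking mechanically after every pass rather than by eye. The following Python script is an added example, not part of this thread or of HijackThis, Avenger or any other tool used in it: it parses HijackThis-style log lines (the sample lines are copied from the logs posted in this thread and embedded as constructed input), splits the Userinit value on commas and reports every component other than the stock userinit.exe, flags BHO/toolbar entries whose DLL is missing, flags per-user Run entries that point into system32 (the ctfmona.exe entry imitating ctfmon.exe), and lists AppInit_DLLs for review. The expected Userinit path, the section regex and the heuristics are assumptions about the XP log format, not something the page states.

```python
"""Triage HijackThis log lines for the Winlogon Userinit persistence seen in this thread."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

# The only component Userinit should hold on Windows XP (assumption; compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# HijackThis prefixes every entry with its section code, e.g. "O4 - " (assumed format).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {'section': 'O4', 'body': '...'} records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def userinit_extras(value: str) -> List[str]:
    """Return the components of a Userinit value other than the stock userinit.exe.

    Winlogon launches every comma-separated path in this value at logon, before
    Explorer starts, so each extra component is a persistence point.
    """
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.lower() != EXPECTED_USERINIT]


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the heuristics that matter for the entries in this thread."""
    findings: List[Dict[str, str]] = []
    for entry in parse_hjt(text):
        section, body = entry["section"], entry["body"]
        if section == "F2" and "UserInit=" in body:
            for extra in userinit_extras(body.split("UserInit=", 1)[1]):
                findings.append({"kind": "userinit_hijack", "detail": extra})
        elif section in ("O2", "O3") and body.endswith("(file missing)"):
            # Registered BHO/toolbar whose DLL is gone: a dangling COM registration.
            findings.append({"kind": "dangling_com_object", "detail": body})
        elif section == "O4" and body.startswith(r"HKCU\..\Run:"):
            _, _, rest = body.partition("]")
            target = rest.strip().strip('"').lower()
            # Per-user Run entries normally point into Program Files or the profile,
            # not into system32; ctfmona.exe (mimicking ctfmon.exe) is the case here.
            if "\\windows\\system32\\" in target:
                findings.append({"kind": "hkcu_run_in_system32", "detail": target})
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every AppInit DLL is loaded into each user32-linked process; list for review.
            for dll in body.split(":", 1)[1].split():
                findings.append({"kind": "appinit_dll", "detail": dll})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:22} {f['detail']}")
```

Because Winlogon runs every path in Userinit before Explorer starts, an extra component there outlives a cleanup that only deletes the file: the registry value has to be reset as well, and whatever rewrites it has to be stopped first, which is why re-running the scan after each fix, as the thread does, is the right check.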



## GlennU (Jul 25, 2005)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\GjTBKUvw.ini2" deleted successfully.
File "C:\WINDOWS\system32\epvauxbs.dll" deleted successfully.
File "C:\WINDOWS\system32\creblhtk.dll" deleted successfully.
File "C:\WINDOWS\system32\myucaall.dll" deleted successfully.
File "C:\WINDOWS\system32\Crypt_16.dll" deleted successfully.
File "C:\WINDOWS\system32\Crypt16.exe" deleted successfully.
File "C:\WINDOWS\system32\tattsloj.dll" deleted successfully.
File "C:\WINDOWS\system32\wuyuabpe.dll" deleted successfully.
File "C:\WINDOWS\system32\ebehcgun.dll" deleted successfully.
File "C:\WINDOWS\system32\cjuuvhok.dll" deleted successfully.
File "C:\WINDOWS\system32\ddtoaijr.dll" deleted successfully.
File "C:\WINDOWS\system32\wvUKBTjG.dll" deleted successfully.
File "C:\xcrashdump.dat" deleted successfully.

Error: folder "C:\Program Files\Zango" not found!
Deletion of folder "C:\Program Files\Zango" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Program Files\SurfingSoftware" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\TEMP" deleted successfully.
Folder "C:\Program Files\NetFilter" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cd45c34-cb51-4e33-bbef-85eaeb4dd4fb}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## GlennU (Jul 25, 2005)

Deckard's System Scanner v20071014.68
Run by elizabeth unger on 2008-06-25 21:15:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as elizabeth unger.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:07 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\elizabeth unger\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ELIZAB~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B01CA61-B790-4ED3-8B2C-559CFD923BDC}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9242 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080625-183807-224 O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
backup-20080625-183807-306 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
backup-20080625-183807-461 O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
backup-20080625-183807-472 O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
backup-20080625-194211-693 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>

S3 catchme - c:\docume~1\elizab~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

S3 sdAuxService (PC Tools Auxiliary Service) - c:\program files\spyware doctor\pctsauxs.exe (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 21:00:00 642 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - elizabeth unger.job

-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-25 20:19:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 20:19:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 20:19:35 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\SUPERAntiSpyware.com
2008-06-25 20:19:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 19:24:38 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Malwarebytes
2008-06-23 19:24:30 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 19:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:41:19 0 d-------- C:\WINDOWS\ERUNT
2008-06-10 19:40:35 0 d-------- C:\Program Files\Spyware Doctor
2008-06-10 19:40:35 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\PC Tools
2008-06-09 20:32:27 0 d-------- C:\VundoFix Backups
2008-06-09 20:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-07 14:37:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-07 14:07:36 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Symantec
2008-06-07 14:02:55 0 d-------- C:\Program Files\Windows Sidebar
2008-06-07 14:01:07 0 d-------- C:\Program Files\Norton Internet Security

-- Find3M Report ---------------------------------------------------------------

2008-06-25 20:19:03 0 d-------- C:\Program Files\Common Files
2008-06-25 20:15:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-25 19:50:39 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Wave Systems Corp
2008-06-07 14:31:42 0 d-------- C:\Program Files\Symantec
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F4.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F3.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F2.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F1.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F0.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EF.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EE.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7ED.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EC.DLL <Not Verified; Pharos Systems International; PHAROS>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
06/17/2008 03:23 PM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/07/2008 02:02 PM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [06/17/2008 03:23 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 02:10 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/21/2007 3:33:34 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{718fbbe6-3683-11dd-a78f-001c230b755b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-06-25 21:16:41 ------------


----------



## GlennU (Jul 25, 2005)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/25/2008 at 08:41 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:17:18

Memory items scanned : 495
Memory threats detected : 0
Registry items scanned : 5886
Registry threats detected : 34
File items scanned : 15559
File threats detected : 236

Adware.Zango Toolbar/Hb
HKLM\Software\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\InprocServer32
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\InprocServer32#ThreadingModel
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ProgID
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\Programmable
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\TypeLib
HKCR\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\VersionIndependentProgID
C:\PROGRAM FILES\ZANGO\BIN\10.3.35.0\HOSTIE.DLL

Adware.Tracking Cookie
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][4].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected]oll[2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][3].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][3].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][5].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected]_4d4t[1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][1].txt
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.xos.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application


----------



## GlennU (Jul 25, 2005)

Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.xos.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.roiservice.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tripod.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tremor.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tremor.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.sitestat.mayoclinic.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.prospect.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.track.acclaimnetwork.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.track.acclaimnetwork.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.track.acclaimnetwork.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.track.acclaimnetwork.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.track.acclaimnetwork.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.richmedia.yahoo.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.partner2profit.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.findinternettv.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.findinternettv.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.findarticles.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.findarticles.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.findarticles.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.media.mtvnservices.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.sitestat.mayoclinic.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.anat.tacoda.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.cgm.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.apartmentfinder.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.apartmentfinder.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eb.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eb.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eas.apm.emediate.eu [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eas.apm.emediate.eu [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eas.apm.emediate.eu [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.atlas.fixionmedia.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eb.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eb.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.eb.adbureau.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.clickbank.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.clicket.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.clicket.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.ads3.blastro.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.ads.mediamayhemcorp.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.a.findarticles.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.a.findarticles.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.ad1.clickhype.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.adopt.euroclick.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.accessexcellence.org [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.accessexcellence.org [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.accessexcellence.org [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.ads.gamesbannernet.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
.ads.gamesbannernet.com [ C:\Documents and Settings\elizabeth unger\Application Data\Mozilla\Firefox\Profiles\xgxmllab.default\cookies.txt ]
C:\Documents and Settings\elizabeth unger\Cookies\elizabeth [email protected][2].txt

Adware.Zango/ShoppingReport
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\InprocServer32
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\InprocServer32#ThreadingModel
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\ProgID
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\Programmable
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\TypeLib
HKCR\CLSID\{3788E535-897B-463d-B6D6-FEE5B86EC144}\VersionIndependentProgID
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\Control
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\InprocServer32
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\InprocServer32#ThreadingModel
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\MiscStatus
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\MiscStatus\1
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\ProgID
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\Programmable
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\ToolboxBitmap32
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\TypeLib
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\Version
HKCR\CLSID\{D3F940EA-4E87-423b-9091-934E1E4FCEAE}\VersionIndependentProgID
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\0
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\0\win32
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\FLAGS
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\HELPDIR

Adware.180solutions/Seekmo/Zango
C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPCLNTAX_ZANGOSA.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001696.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001705.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001707.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001708.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001709.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001710.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001711.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001713.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001714.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001715.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001716.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001717.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001718.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001719.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001720.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001721.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001722.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\1112.DAT

Trace.Known Threat Sources
C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\0HQB8TYR\index.zp[1].htm
C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\C96FO163\rd-fakeout2-720x300[1].gif


----------



## Jintan (Oct 4, 2007)

Good, but that startup appears to have recreated. Let's check that before we move on.


```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{718fbbe6-3683-11dd-a78f-001c230b755b}]
```
Open Notepad (Start - Run, type *notepad* and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as *"river.reg"*

Be sure to include the "" quotes in the name. Then right click river.reg and Merge that with the Registry.

----------------------------------------

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select Fix Checked and close HijackThis.

*F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,*

After closing HijackThis open it and scan again to verify that stayed removed - if not repeat once more to check.

------------------------------------

Without making any other changes or rebooting, go to Start > Run and type:

*cmd.exe*

and ok. Copy and paste the below string after the prompt >

*dir /s /a "Crypt16*.*" > c:\find.txt & start notepad c:\find.txt*

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

--------------------------------------

Also go here and download Autoruns.zip to your Desktop. Doubleclick on the file to unzip the contents and open the Autoruns folder. Doubleclick on Autoruns.exe to run it. Click on the Everything tab and then go to File > Export and click on Save. Close Autoruns and open Autoruns.txt (this file will be in the same folder). Try to avoid using this tool for any changes at this time - you will see it is quite comprehensive in detail.
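The re-scan step above (fix the F2 line, close HijackThis, scan again, and repeat if it comes back) is the kind of check that is easy to script. The following is an added example, not code from this thread or from HijackThis: it parses HijackThis-style `F2 - REG:system.ini: UserInit=` lines, reports anything appended to Userinit beyond the legitimate `userinit.exe`, and compares two scans to show whether a flagged entry re-created after a fix. The sample log lines are constructed, modelled on the ones posted in this thread.

```python
"""Flag Userinit hijacks in HijackThis-style log lines and check whether a
fixed entry came back on a later scan. Added example; sample lines constructed."""
import re

# An F2 line names the Userinit value from the registry; HijackThis prints the
# raw comma-separated value after "UserInit=".
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)

# Only the system's own userinit.exe should appear here; anything else runs at
# every logon before the desktop and is a classic persistence point.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)

# Constructed sample scans: the first shows the extra entry seen in this thread,
# the second is what a clean re-scan should look like.
FIRST_SCAN = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
SECOND_SCAN = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


def userinit_entries(value):
    """Split the raw Userinit value into its non-empty comma-separated parts."""
    return [e.strip() for e in value.split(",") if e.strip()]


def extra_userinit(line):
    """Return entries in an F2 Userinit line other than the legitimate userinit.exe.

    Returns [] for a clean F2 line and for lines that are not F2 Userinit lines.
    """
    match = USERINIT_RE.match(line.strip())
    if not match:
        return []
    return [e for e in userinit_entries(match.group("value")) if not LEGIT_USERINIT.match(e)]


def scan(log_text):
    """Return (line, extra_entries) for every suspicious F2 Userinit line in a log."""
    findings = []
    for line in log_text.splitlines():
        extra = extra_userinit(line)
        if extra:
            findings.append((line.strip(), extra))
    return findings


def reappeared(first_scan, second_scan):
    """Lines flagged in the first scan that are still flagged in the second.

    A non-empty result means the fix did not stick and something is re-creating
    the entry (e.g. a file still on disk, as the thread checks with dir /s).
    """
    first = {line for line, _ in scan(first_scan)}
    return [line for line, _ in scan(second_scan) if line in first]


if __name__ == "__main__":
    for line, extra in scan(FIRST_SCAN):
        print("suspicious:", line)
        print("  extra Userinit entries:", extra)
    print("re-created after fix:", reappeared(FIRST_SCAN, SECOND_SCAN))
```

If `reappeared` returns the same F2 line after a fix, the next step is the one Jintan takes here: look for the file named in the extra entry on disk rather than just deleting the registry value again.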


----------



## GlennU (Jul 25, 2005)

After closing and rerunning, HJT file was free of F2 stuff.

Not sure the "dir /s /a "Crypt16*.*" > c:\find.txt & start notepad c:\find.txt" command executed properly. Below is the response to the find.txt file:

Volume in drive C has no label.
Volume Serial Number is 18C7-EA00.

will await your reply before proceeding.

GlennU


----------



## Jintan (Oct 4, 2007)

No finds indicates so far the startup was just a remnant - no bad files behind it. Good you checked back - let's redirect right into a scan now.

Instead of using Autoruns, go here and run the Kaspersky online scan, and post back the log it creates.

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under *Scan* in the left column click *My Computer* to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.

When the scan completes click View Scan Report. Then click *Save Report As*, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.

Then locate that log and copy/paste those contents back here please.


----------



## GlennU (Jul 25, 2005)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 15:38:27
Records in database: 895473
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 50769
Threat name: 6
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 00:52:26

File name / Threat name / Threats count
C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\0HQB8TYR\kb767887[1]	Infected: Trojan.Win32.Monder.zj	1
C:\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll	Infected: not-a-virus:AdTool.Win32.Zango.n	1
C:\SDFix\backups\backups.zip	Infected: Trojan-Downloader.Win32.Small.wxi	1
C:\SDFix\backups\backups.zip	Infected: not-a-virus:AdWare.Win32.Agent.jb	2
C:\SDFix\backups\backups.zip	Infected: not-a-virus:AdWare.Win32.Agent.ahl	2
C:\SDFix\backups\backups.zip	Infected: not-virus:Hoax.Win32.Renos.fi	1
C:\SDFix\backups\catchme.zip	Infected: Trojan-Downloader.Win32.Small.wxi	1

The selected area was scanned.


----------



## Jintan (Oct 4, 2007)

Very good - only some stragglers you can delete now.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Close all browsers and open windows, and do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\Documents and Settings\elizabeth unger\Local Settings\Temporary Internet Files\Content.IE5\*0HQB8TYR* <-- the entire folder

C:\Program Files\Mozilla Firefox\plugins\*npclntax_ZangoSA.dll*

Then one more Deckard's log as well to verify things. How is the computer running at this time?

Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Process Modules*

Then under Extra Log, uncheck all the boxes.

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)


----------



## GlennU (Jul 25, 2005)

Found and deleted the npclntax_zangosa.dll file. As before, your assistance has been excellent. The computer is running much better. I've given my daughter a strong suggestion to never run the computer without protection. The main.txt report follows.

Thanks,
GlennU

Deckard's System Scanner v20071014.68
Run by elizabeth unger on 2008-06-29 09:50:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.

-- HijackThis (run as elizabeth unger.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:27 AM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\elizabeth unger\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ELIZAB~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2070821
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E77C516-10E9-4773-B3AD-B0D03DCA0F70}: NameServer = 71.242.0.12 71.252.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B01CA61-B790-4ED3-8B2C-559CFD923BDC}: NameServer = 192.168.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{17E70E8A-D562-4EB3-AB4D-380924CCAD4D}: NameServer = 192.168.2.1,4.2.2.2
O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9423 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080625-183807-224 O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.35.0\HostIE.dll (file missing)
backup-20080625-183807-306 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
backup-20080625-183807-461 O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
backup-20080625-183807-472 O4 - HKCU\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
backup-20080625-194211-693 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,
backup-20080627-101249-423 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\Crypt16.exe,

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; Application Driver>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DXEC01 - c:\windows\system32\drivers\dxec01.sys <Not Verified; Knowles Acoustics; DXEC.01 Speech Enhancement>

S3 catchme - c:\docume~1\elizab~1\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 Pharos Systems ComTaskMaster - "c:\progra~1\pharos~1\core\ctskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
R2 tcsd_win32.exe (NTRU TSS v1.2.1.12 TCS) - "c:\program files\ntru cryptosystems\ntru tcg software stack\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

S3 sdAuxService (PC Tools Auxiliary Service) - c:\program files\spyware doctor\pctsauxs.exe (file missing)
S3 SecureStorageService - "c:\program files\wave systems corp\secure storage manager\securestorageservice.exe" <Not Verified; Wave Systems Corp.; Secure Storage Manager>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 21:00:00 642 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - elizabeth unger.job

-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-25 20:19:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-25 20:19:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-25 20:19:35 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\SUPERAntiSpyware.com
2008-06-25 20:19:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 19:24:38 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Malwarebytes
2008-06-23 19:24:30 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 19:24:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:41:19 0 d-------- C:\WINDOWS\ERUNT
2008-06-10 19:40:35 0 d-------- C:\Program Files\Spyware Doctor
2008-06-10 19:40:35 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\PC Tools
2008-06-09 20:32:27 0 d-------- C:\VundoFix Backups
2008-06-09 20:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-07 14:37:49 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-07 14:07:36 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Symantec
2008-06-07 14:02:55 0 d-------- C:\Program Files\Windows Sidebar
2008-06-07 14:01:07 0 d-------- C:\Program Files\Norton Internet Security

-- Find3M Report ---------------------------------------------------------------

2008-06-29 09:50:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 12:01:51 0 d-------- C:\Documents and Settings\elizabeth unger\Application Data\Wave Systems Corp
2008-06-25 20:19:03 0 d-------- C:\Program Files\Common Files
2008-06-07 14:31:42 0 d-------- C:\Program Files\Symantec
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F4.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F3.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F2.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F1.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7F0.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EF.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EE.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7ED.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-04-23 18:08:59 11264 --a------ C:\WINDOWS\system32\PSSCC7EC.DLL <Not Verified; Pharos Systems International; PHAROS>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
06/17/2008 03:23 PM	349552	--a------	C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/07/2008 02:02 PM	116088	--a------	C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [06/17/2008 03:23 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 09:47 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [02/07/2008 02:49 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 02:10 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/21/2007 3:33:34 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-06-29 09:51:14 ------------


----------



## Jintan (Oct 4, 2007)

Always glad to assist. She really just needs to stay in the mainstream of the internet. No downloads suggested at places like YouTube, MySpace, etc. Always some malware coder's work being placed in those as bait. Before we clean up, are there any other issues now?


----------



## GlennU (Jul 25, 2005)

Hi Jintan...sorry to keep you waiting. Didn't get the email response. Not sure why. No issues. Let's proceed with the cleanup.

GlennU


----------



## Jintan (Oct 4, 2007)

Good. As in the past work we did, software like Kaspersky and SUPERAntiSpyware, if you don't plan to use them again, uninstall through Add/Remove Programs. Though you may opt to keep SUPERAntiSpyware for periodic updated scans there.

You can also at this time delete the files/folders of the tools we used. To assist with some of that, download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.

Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator"). When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders, and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step, resetting System Restore.

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply, then OK.

In addition, I again would like to recommend reviewing the information Here to make sure you stay malware free.
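The "turn off System Restore on all drives, reboot, turn it back on" step above can be scripted and, more usefully, verified. The following is an added example and not part of the thread or of any tool mentioned in it; it drives the SystemRestore WMI class in the root\default namespace (the same facility the System Restore tab uses), assumes PowerShell is installed on the XP machine (it was an optional download for SP2), and the function name Get-RestorePoints is my own. It goes one step past the post by taking a fresh clean-baseline restore point once System Restore is back on.

```powershell
# Added example (not from the thread): reset System Restore the way the post
# describes, but with a before/after listing so the purge can be checked.
# Run as an administrator; run once, reboot, then run again with -ReEnable.
param([switch]$ReEnable)

# Assumed helper name: list existing restore points (sequence, text, time).
function Get-RestorePoints {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description,
            @{ n = 'Created'
               e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

$sr = [wmiclass]'root\default:SystemRestore'

# "All drives" in the dialog means the fixed local disks (DriveType 3),
# passed to WMI in the form the class expects, e.g. 'C:\'.
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

if (-not $ReEnable) {
    Write-Host 'Restore points before purge:'
    Get-RestorePoints | Format-Table -AutoSize
    foreach ($d in $drives) {
        # Disabling discards the existing (possibly infected) restore points.
        $rc = $sr.Disable($d).ReturnValue          # 0 = success
        Write-Host ('Disable System Restore on {0}: rc={1}' -f $d, $rc)
    }
    Write-Host 'Reboot now, then re-run this script with -ReEnable.'
} else {
    foreach ($d in $drives) {
        $rc = $sr.Enable($d, $true).ReturnValue    # $true = wait until enabled
        Write-Host ('Enable System Restore on {0}: rc={1}' -f $d, $rc)
    }
    # Extra step beyond the post: record a clean baseline right away.
    # Arguments: description, RestorePointType 0 (application install),
    # EventType 100 (begin system change).
    $rc = $sr.CreateRestorePoint('Clean baseline after malware cleanup', 0, 100).ReturnValue
    Write-Host ('Create baseline restore point: rc={0}' -f $rc)
    Write-Host 'Restore points after reset (should be only the baseline):'
    Get-RestorePoints | Format-Table -AutoSize
}
```

If the "after" listing still shows the old sequence numbers, the purge did not take effect and the GUI route in the post should be repeated.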


----------



## GlennU (Jul 25, 2005)

Thanks!!!


----------



## Jintan (Oct 4, 2007)

:up:

(Hmmm - that looks more like hitchhiking than a thumbs up, actually). Thumbs Up!


----------

