Cyber Tech Help Support Forums > Software > Malware Removal
#31 | January 9th, 2008, 06:19 PM | Berna, Member
Log #4, DSS extra continued:

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7269 / Error
Event Submitted/Written: 01/10/2008 10:03:10 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 804f216b.

Event Record #/Type7268 / Error
Event Submitted/Written: 01/10/2008 10:03:10 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 000000d8, parameter2 00000002, parameter3 00000000, parameter4 804dbc95.

Event Record #/Type7267 / Error
Event Submitted/Written: 01/10/2008 10:03:09 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 804dbc95.

Event Record #/Type7266 / Error
Event Submitted/Written: 01/10/2008 10:03:08 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000f85, parameter2 00000002, parameter3 00000000, parameter4 804dbc95.

Event Record #/Type7265 / Error
Event Submitted/Written: 01/10/2008 10:03:06 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 000000d8, parameter2 00000002, parameter3 00000000, parameter4 804dbc95.



-- End of Deckard's System Scanner: finished at 2008-01-10 11:13:52 ------------
#32 | January 9th, 2008, 10:37 PM | Jintan, Cyber Tech Help Moderator
Very non-standard changes have been made there. I can never keep on top of which of those online gambling gaming programs are on the up and up, but I do know it is a very, very short list indeed. And you have very many showing as installed there - more than most I have seen. I would recommend at some point uninstalling the lot, then slowly and carefully choose which to use again based on thorough web search info.


Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

-------------------------------

Then let's make another run at these bad services and files - the logs show many running processes "hooked" by some other hidden function so far.

Open Notepad (Start-Run, type notepad and then OK) and copy the following text into a new file:

Code:
@echo off
net start gmer
gmer.exe -del service NATServices
gmer.exe -del service roawiy
gmer.exe -del service snhuqt
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\NATServices"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\roawiy"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\snhuqt"
gmer.exe -del file "C:\WINDOWS\system32\mschkdsk.exe"
gmer.exe -del file "C:\Program Files\Internet Explorer\3776.EXE"
gmer.exe -reboot
Save the file to the desktop as remg.bat and make sure the "Save as type" field says "All files".

================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


Then click on the remg.bat file you created earlier. If you get error popups just okay each one. When the fix completes the computer will reboot.

------------------------

After the reboot run the same CFScript as provided earlier again, and if successful post back that ComboFix.txt log. If you get the same truncated log file run ComboFix after without using CFScript and post it instead please.
#33 | January 10th, 2008, 12:11 AM | Berna, Member
I followed your instructions and was delighted not to see that blue screen system error when the computer rebooted. In fact, since I ran those last three scans and posted back the four logs, I haven't received any error messages.

As for the combofix log, it looks similar to before but again, the errors seem to be gone (thank goodness). As far as I'm concerned, you're a genius and I can't thank you enough for your help.

If the log posted below is satisfactory, then I guess my next step is to go to the Add/Remove Programs list and remove any and all unnecessary programs so I can keep my computer free from those annoying errors.


ComboFix 08-01-04.1 - Nee Dobbs 2008-01-10 16:58:20.18 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1171 [GMT -6:00]
Running from: C:\Documents and Settings\Nee Dobbs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nee Dobbs\Desktop\CFScript
* Created a new restore point

FILE
C:\HTGD0002.bmp
C:\HTGD0003.exe
C:\HTGD0005.exe
C:\HTGD0006.ini
C:\Program Files\Internet Explorer\3776.EXE
C:\test.exe
C:\WINDOWS\SYSTEM32\00044f77.inf
C:\WINDOWS\SYSTEM32\0004c49d.inf
C:\WINDOWS\SYSTEM32\a.jpg
C:\WINDOWS\SYSTEM32\arsneo.DRV
c:\windows\system32\azftzw.dll
C:\WINDOWS\SYSTEM32\azftzw.KEY
C:\WINDOWS\SYSTEM32\Down(0).exe
C:\WINDOWS\SYSTEM32\Down(1).exe
C:\WINDOWS\SYSTEM32\Down(10).exe
C:\WINDOWS\SYSTEM32\Down(11).exe
C:\WINDOWS\SYSTEM32\Down(13).exe
C:\WINDOWS\SYSTEM32\Down(14).exe
C:\WINDOWS\SYSTEM32\Down(15).exe
C:\WINDOWS\SYSTEM32\Down(16).exe
C:\WINDOWS\SYSTEM32\Down(17).exe
C:\WINDOWS\SYSTEM32\Down(18).exe
C:\WINDOWS\SYSTEM32\Down(19).exe
C:\WINDOWS\SYSTEM32\Down(2).exe
C:\WINDOWS\SYSTEM32\Down(20).exe
C:\WINDOWS\SYSTEM32\Down(21).exe
C:\WINDOWS\SYSTEM32\Down(22).exe
C:\WINDOWS\SYSTEM32\Down(23).exe
C:\WINDOWS\SYSTEM32\Down(24).exe
C:\WINDOWS\SYSTEM32\Down(25).exe
C:\WINDOWS\SYSTEM32\Down(26).exe
C:\WINDOWS\SYSTEM32\Down(27).exe
C:\WINDOWS\SYSTEM32\Down(28).exe
C:\WINDOWS\SYSTEM32\Down(29).exe
C:\WINDOWS\SYSTEM32\Down(3).exe
C:\WINDOWS\SYSTEM32\Down(30).exe
C:\WINDOWS\SYSTEM32\Down(31).exe
C:\WINDOWS\SYSTEM32\Down(4).exe
C:\WINDOWS\SYSTEM32\Down(5).exe
C:\WINDOWS\SYSTEM32\Down(6).exe
C:\WINDOWS\SYSTEM32\Down(7).exe
C:\WINDOWS\SYSTEM32\Down(8).exe
C:\WINDOWS\SYSTEM32\Down(9).exe
C:\WINDOWS\SYSTEM32\Flower.dll
C:\WINDOWS\SYSTEM32\Flower.exe
C:\WINDOWS\SYSTEM32\gxobza.KEY
C:\WINDOWS\SYSTEM32\IE_ASSII.exe
C:\WINDOWS\SYSTEM32\snhuqt.DRV
C:\WINDOWS\SYSTEM32\svchst.exe
.
#34 | January 10th, 2008, 05:08 AM | Jintan, Cyber Tech Help Moderator
How about the C:\avenger.txt log please.
#35 | January 10th, 2008, 06:40 AM | Berna, Member
I don't have C:\avenger.txt log listed. Can you tell me where I could find it or what I need to download in order to generate a log?
#36 | January 10th, 2008, 04:27 PM | Jintan, Cyber Tech Help Moderator
The running of Avenger itself would have created that log output, so again no logs being generated. Unfortunately this means using more than one tool and more logs to get info for our next steps.

Please run new Deckards, GMER and Reglooks scans and post those logs for review.
#37 | January 11th, 2008, 12:11 AM | Berna, Member
I'm still a little confused about Avenger. I don't recall downloading that program. Is it something that I should have running on my system?

In any case, here is log #1, reglooks:

REGLOOKS logfile

version 0.977
2008-01-11 17:06:35.15
running from: "C:\Documents and Settings\Nee Dobbs\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DetectorApp"="C:\\Program Files\\Roxio\\MyDVD\\MyDVD\\DetectorApp.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"PCLEPCI"="C:\\PROGRA~1\\PINNAC~1\\PPE\\PPE.EXE"
"GoogleUpdate"="C:\\Program Files\\Internet Explorer\\3776.EXE"
[Run\OptionalComponents]
[Run\OptionalComponents\IMAIL]
"Installed"="1"
[Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[Run\OptionalComponents\MSFS]
"Installed"="1"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Run\AdobeUpdater]
@=""


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found


--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\.DEFAULT\Run keys found


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-18\Run keys found


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-19\Run keys found


--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-20\Run keys found


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll"
"{53707962-6F74-2D53-2644-206D7942484F}" FILE ="C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}" FILE ="C:\\WINDOWS\\system32\\dla\\tfswshx.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll"
"{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}" regkey not found (ERROR)


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
no toolbars found


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"AceFTP" CLSID ={1EBC3533-B289-409F-9924-B84B3F0717D2} FILE ="C:\\PROGRA~1\\VISICO~1\\ACEFTP~1\\FTPCntxt.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"AceFTP" CLSID ={1EBC3533-B289-409F-9924-B84B3F0717D2} FILE ="C:\\PROGRA~1\\VISICO~1\\ACEFTP~1\\FTPCntxt.dll"
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aeaudio
system32\drivers\aeaudio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\arsneo
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AspiXNT
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BENDER
"DisplayName"="Pinnacle AV/DV2 Capture"
system32\drivers\bender.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bvrp_pci
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvmcdb
system32\drivers\drvmcdb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvncdb
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvnddm
system32\drivers\drvnddm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ILADFtmi
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mohfilt
System32\DRIVERS\mohfilt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\omci
"DisplayName"="OMCI WDM Device Driver"
System32\DRIVERS\omci.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQTECH905C
"DisplayName"="DB CIF Cam"
System32\Drivers\Capt905c.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sscdbhk5
system32\drivers\sscdbhk5.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssrtln
system32\drivers\ssrtln.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnboio
system32\dla\tfsnboio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsncofs
system32\dla\tfsncofs.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsndrct
system32\dla\tfsndrct.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsndres
system32\dla\tfsndres.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnifs
system32\dla\tfsnifs.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnopio
system32\dla\tfsnopio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnpool
system32\dla\tfsnpool.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnudf
system32\dla\tfsnudf.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tfsnudfa
system32\dla\tfsnudfa.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanatw
"DisplayName"="WAN Miniport (ATW)"
System32\DRIVERS\wanatw4.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebPost
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{82FF0C3E-0D36-4B68-86B0-B67BA3BD1AD3}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{D0A146A3-12D5-45D7-A360-25D5791140CA}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{EB88B259-6D58-4F07-A392-4891C7B04A03}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xmlprov\0wscsvc\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
HTTPFilter: HTTPFilter\0\0
DcomLaunch: DcomLaunch\0TermService\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- DNS SERVER regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D0A146A3-12D5-45D7-A360-25D5791140CA}
"NameServer"="192.168.2.1"


--- STARTUP FOLDERS ---

C:\Documents and Settings\Nee Dobbs\SendTo\Start Menu\Programs\Startup\DESKTOP.INI
C:\Documents and Settings\Nee Dobbs\SendTo\Start Menu\Programs\Startup\Morpheus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk


--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1092363366.job
C:\WINDOWS\tasks\Symantec NetDetect.job


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED
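The HKLM\Run section of the Reglooks log above still carries "GoogleUpdate"="C:\\Program Files\\Internet Explorer\\3776.EXE", the same file the CFScript-driven ComboFix run earlier in the thread listed under FILE. As an added example (not code from the thread, from Reglooks or from ComboFix), the Python script below cross-checks Run values against a ComboFix FILE list so that leftover autostart values pointing at targeted files, and executables named with a bare number, are surfaced for removal; the sample lines are constructed in the formats seen in this thread.

```python
"""Cross-check autostart (Run) values against files a cleanup tool targeted.

Added example, not from the thread or from Reglooks/ComboFix. A Run value
that still points at a deleted file is a leftover that should go too.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: HKLM\Run values in Reglooks' REGEDIT-style escaping.
REGLOOKS_RUN = r'''
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"nwiz"="nwiz.exe /install"
"GoogleUpdate"="C:\\Program Files\\Internet Explorer\\3776.EXE"
'''

# Constructed sample: the FILE section of a ComboFix log (files the CFScript targeted).
COMBOFIX_FILES = r'''
FILE
C:\Program Files\Internet Explorer\3776.EXE
C:\WINDOWS\SYSTEM32\svchst.exe
C:\WINDOWS\SYSTEM32\Flower.dll
.
'''

ORPHANED = "points at a file the cleanup targeted; the Run value is a leftover"
NUMERIC = "executable name is a bare number"
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value):
    # Undo REGEDIT escaping: a backslash escapes the next character (\\ and \").
    return re.sub(r'\\(.)', r'\1', value)


def parse_run_values(text):
    """Return (value name, command line) pairs from Reglooks-style Run lines."""
    values = []
    for line in text.splitlines():
        match = _VALUE_RE.match(line.strip())
        if match:
            values.append((match.group(1), _unescape(match.group(2))))
    return values


def parse_combofix_files(text):
    """Return the lower-cased paths listed in a ComboFix FILE section."""
    removed, in_section = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "FILE":
            in_section = True
        elif in_section and line == ".":      # a lone '.' closes the section
            break
        elif in_section and line:
            removed.add(line.lower())
    return removed


def command_targets(command):
    """Files a Run command loads: the executable and, for rundll32, the DLL."""
    command = command.strip()
    if not command:
        return []
    if command.startswith('"'):               # quoted path, arguments follow
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:]
    else:                                     # unquoted: cut at the first .exe
        match = re.match(r'(.*?\.exe)(?=\s|$)', command, re.IGNORECASE)
        if match:
            exe, rest = match.group(1), command[match.end():]
        else:
            parts = command.split(None, 1)
            exe, rest = parts[0], parts[1] if len(parts) > 1 else ""
    targets = [exe]
    if PureWindowsPath(exe).name.lower() == "rundll32.exe":
        dll = rest.strip().split(",", 1)[0].strip().strip('"')
        if dll:
            targets.append(dll)
    return targets


def target_was_removed(target, removed):
    """True if the target is in the removed set; bare names match by file name."""
    t = target.lower()
    if "\\" not in t:
        return any(PureWindowsPath(r).name == t for r in removed)
    return t in removed


def triage(run_text, combofix_text):
    """Return (value name, target, [reasons]) for every suspicious Run value."""
    removed = parse_combofix_files(combofix_text)
    findings = []
    for name, command in parse_run_values(run_text):
        for target in command_targets(command):
            reasons = []
            if target_was_removed(target, removed):
                reasons.append(ORPHANED)
            if PureWindowsPath(target).stem.isdigit():
                reasons.append(NUMERIC)
            if reasons:
                findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage(REGLOOKS_RUN, COMBOFIX_FILES):
        print(f'"{name}" -> {target}: {"; ".join(reasons)}')
```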
#38 | January 11th, 2008, 01:15 AM | Berna, Member
Log #2, gmer:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-11 18:13:12
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.13 ----
#39 | January 11th, 2008, 01:19 AM | Berna, Member
Log #3, dss scan - main

Deckard's System Scanner v20071014.68
Run by Nee Dobbs on 2008-01-11 18:49:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Nee Dobbs.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49, on 2008-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nee Dobbs\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NEEDOB~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.knology.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default...n-us&venid=sym
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKLM\..\Run: [GoogleUpdate] C:\Program Files\Internet Explorer\3776.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135319494359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A146A3-12D5-45D7-A360-25D5791140CA}: NameServer = 192.168.2.1
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O24 - Desktop Component 0: (no name) - http://www.webkinz.com/assets/images...bkinz_fill.png

--
End of file - 8634 bytes

-- Files created between 2007-12-11 and 2008-01-11 -----------------------------

2008-01-06 19:37:17 3045 --a------ C:\Documents and Settings\Nee Dobbs\CFScript
2008-01-06 11:19:35 198 --a------ C:\Documents and Settings\Nee Dobbs\servstop.bat
2008-01-06 11:18:42 92 --a------ C:\Documents and Settings\Nee Dobbs\servstart.bat
2008-01-06 10:14:46 219728 --a------ C:\WINDOWS\system32\Down(31).exe
2008-01-05 11:57:00 196608 --a------ C:\WINDOWS\system32\Down(30).exe
2008-01-05 11:56:51 196608 --a------ C:\WINDOWS\system32\Down(29).exe
2008-01-05 11:56:10 196608 --a------ C:\WINDOWS\system32\Down(28).exe
2008-01-05 11:56:00 196608 --a------ C:\WINDOWS\system32\Down(27).exe
2008-01-05 10:44:09 196608 --a------ C:\WINDOWS\system32\Down(26).exe
2008-01-05 10:43:58 196608 --a------ C:\WINDOWS\system32\Down(25).exe
2008-01-05 10:16:01 196608 --a------ C:\WINDOWS\system32\Down(24).exe
2008-01-05 10:15:09 196608 --a------ C:\WINDOWS\system32\Down(23).exe
2008-01-05 10:15:03 196608 --a------ C:\WINDOWS\system32\Down(22).exe
2008-01-05 10:14:51 196608 --a------ C:\WINDOWS\system32\Down(21).exe
2008-01-05 09:18:15 196608 --a------ C:\WINDOWS\system32\Down(20).exe
2008-01-05 09:18:06 196608 --a------ C:\WINDOWS\system32\Down(19).exe
2008-01-05 08:57:36 196608 --a------ C:\WINDOWS\system32\Down(18).exe
2008-01-05 08:57:27 196608 --a------ C:\WINDOWS\system32\Down(17).exe
2008-01-05 08:41:45 196608 --a------ C:\WINDOWS\system32\Down(16).exe
2008-01-05 08:41:38 196608 --a------ C:\WINDOWS\system32\Down(15).exe
2008-01-05 08:32:02 196608 --a------ C:\WINDOWS\system32\Down(14).exe
2008-01-05 08:31:40 196608 --a------ C:\WINDOWS\system32\Down(13).exe
2008-01-05 07:02:36 196608 --a------ C:\WINDOWS\system32\Down(11).exe
2008-01-05 06:58:06 196608 --a------ C:\WINDOWS\system32\Down(10).exe
2008-01-05 06:57:57 196608 --a------ C:\WINDOWS\system32\Down(9).exe
2008-01-05 06:47:54 196608 --a------ C:\WINDOWS\system32\Down(8).exe
2008-01-05 06:47:52 196608 --a------ C:\WINDOWS\system32\Down(7).exe
2008-01-03 07:25:39 389120 --a------ C:\WINDOWS\system32\IE_ASSII.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2008-01-02 20:42:21 36864 --a------ C:\HTGD0005.exe
2008-01-02 20:42:21 40960 --a------ C:\HTGD0003.exe
2008-01-02 15:23:26 0 d-------- C:\Program Files\Trend Micro
2008-01-02 14:34:12 0 d-------- C:\Program Files\Apple Software Update
2008-01-02 14:34:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-01 23:18:00 0 dr-h----- C:\Documents and Settings\Nee Dobbs\Recent
2008-01-01 10:03:55 57036 --a------ C:\WINDOWS\system32\Down(6).exe
2008-01-01 09:21:27 61678 --a------ C:\WINDOWS\system32\Down(5).exe
2008-01-01 09:14:07 61678 --a------ C:\WINDOWS\system32\Down(4).exe
2008-01-01 09:12:24 61678 --a------ C:\WINDOWS\system32\Down(3).exe
2008-01-01 09:10:40 61678 --a------ C:\WINDOWS\system32\Down(2).exe
2007-12-30 09:49:07 196608 --a------ C:\WINDOWS\system32\Down(1).exe
2007-12-30 09:07:58 196608 --a------ C:\WINDOWS\system32\Down(0).exe
2007-12-29 19:23:57 178688 --a------ C:\WINDOWS\system32\svchst.exe
2007-12-29 19:23:02 20229 ---hs---- C:\test.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-12-29 19:22:09 20229 ---hs---- C:\WINDOWS\system32\Flower.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
2007-12-28 18:28:39 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\Ulead Systems
2007-12-28 18:28:34 0 d-------- C:\WINDOWS\ulead.dat
2007-12-26 20:58:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-26 20:58:23 0 d-------- C:\Program Files\Web Publish
2007-12-16 19:54:31 0 d-------- C:\Program Files\Magic Photo Editor


-- Find3M Report ---------------------------------------------------------------

2008-01-11 18:24:35 0 d-------- C:\Program Files\musichallv2
2008-01-07 15:23:31 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\AdobeUM
2008-01-05 20:58:25 0 d-------- C:\Program Files\Personalised Letters
2008-01-05 20:49:54 0 d-------- C:\Program Files\Canon
2008-01-05 20:47:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 19:39:03 0 d-------- C:\Program Files\exPressit S.E. 2.1
2008-01-02 16:46:13 0 d-------- C:\Program Files\Common Files
2007-12-26 21:39:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 19:03:21 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-12 19:03:06 0 d-------- C:\Program Files\Symantec
2007-12-05 21:14:52 6367 --a------ C:\Documents and Settings\Nee Dobbs\Application Data\Hewlett-PackardHP Photosmart 2570 series1146795559_UI.log
2007-12-05 21:14:52 2228 --a------ C:\Documents and Settings\Nee Dobbs\Application Data\Hewlett-PackardHP Photosmart 2570 series1146795559_PROTOCOL.log
2007-12-05 19:50:25 0 d-------- C:\Program Files\Club World Casinos
2007-11-23 09:09:29 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\uTorrent
2007-11-19 17:45:03 0 --a------ C:\WINDOWS\system32\ISHARE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 02:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 04:33]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 05:15]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"nwiz"="nwiz.exe" [2005-12-10 02:06 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 02:06]
"PCLEPCI"="C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" [2003-09-23 10:04]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3776.EXE" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Nee Dobbs\SendTo\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 11:58:38]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""




-- End of Deckard's System Scanner: finished at 2008-01-11 18:50:17 ------------

Last edited by Berna; January 11th, 2008 at 01:51 AM.
#40
January 11th, 2008, 01:52 AM
Berna (Member)
I'm not sure why, but that was the only dss log. There wasn't an "extra" like there was last time.
#41
January 11th, 2008, 04:59 AM
Jintan (Cyber Tech Help Moderator)
It only does the Extra log the first go round, as it is more info about your system setup than ongoing checking of things. One reason you are having difficulties locating the Avenger log is because you have yet to use it. My mind was thinking two solutions when we went with the Gmer tool, but now we will use Avenger there.

Download The Avenger from here to your Desktop and unzip it.

You should now have an Avenger folder on the desktop, with Avenger.exe inside (this is important for the next steps).

Then open Notepad (Start Menu > Run > Type notepad and press OK)

Copy and Paste the contents of the code box below into Notepad.

Code:
Files to delete:
C:\WINDOWS\SYSTEM32\snhuqt.DRV
C:\WINDOWS\SYSTEM32\arsneo.DRV
C:\WINDOWS\SYSTEM32\gxobza.KEY
C:\WINDOWS\SYSTEM32\Down(6).exe
C:\WINDOWS\SYSTEM32\Down(5).exe
C:\WINDOWS\SYSTEM32\Down(4).exe
C:\WINDOWS\SYSTEM32\Down(3).exe
C:\WINDOWS\SYSTEM32\Down(2).exe
C:\WINDOWS\SYSTEM32\0004c49d.inf
C:\WINDOWS\SYSTEM32\Down(1).exe
C:\WINDOWS\SYSTEM32\Down(0).exe
C:\WINDOWS\SYSTEM32\svchst.exe
C:\test.exe
C:\WINDOWS\SYSTEM32\Flower.dll
C:\WINDOWS\SYSTEM32\Flower.exe
C:\WINDOWS\SYSTEM32\Down(31).exe
C:\WINDOWS\SYSTEM32\Down(30).exe
C:\WINDOWS\SYSTEM32\Down(29).exe
C:\WINDOWS\SYSTEM32\Down(28).exe
C:\WINDOWS\SYSTEM32\Down(27).exe
C:\WINDOWS\SYSTEM32\Down(26).exe
C:\WINDOWS\SYSTEM32\Down(25).exe
C:\WINDOWS\SYSTEM32\Down(24).exe
C:\WINDOWS\SYSTEM32\Down(23).exe
C:\WINDOWS\SYSTEM32\Down(22).exe
C:\WINDOWS\SYSTEM32\Down(21).exe
C:\WINDOWS\SYSTEM32\Down(20).exe
C:\WINDOWS\SYSTEM32\Down(19).exe
C:\WINDOWS\SYSTEM32\Down(18).exe
C:\WINDOWS\SYSTEM32\Down(17).exe
C:\WINDOWS\SYSTEM32\azftzw.KEY
C:\WINDOWS\SYSTEM32\Down(16).exe
C:\WINDOWS\SYSTEM32\Down(15).exe
C:\WINDOWS\SYSTEM32\Down(14).exe
C:\WINDOWS\SYSTEM32\Down(13).exe
C:\WINDOWS\SYSTEM32\00044f77.inf
C:\WINDOWS\SYSTEM32\Down(11).exe
C:\WINDOWS\SYSTEM32\Down(10).exe
C:\WINDOWS\SYSTEM32\Down(9).exe
C:\WINDOWS\SYSTEM32\Down(8).exe
C:\WINDOWS\SYSTEM32\Down(7).exe
C:\WINDOWS\SYSTEM32\a.jpg
C:\WINDOWS\SYSTEM32\IE_ASSII.exe
C:\HTGD0003.exe
C:\HTGD0005.exe
C:\HTGD0002.bmp
C:\HTGD0006.ini
c:\windows\system32\azftzw.dll
C:\Program Files\Internet Explorer\3776.EXE
C:\WINDOWS\system32\Flower.exe
C:\WINDOWS\system32\Down(6).exe
C:\WINDOWS\system32\Down(5).exe
C:\WINDOWS\system32\Down(4).exe
C:\WINDOWS\system32\Down(3).exe
C:\WINDOWS\system32\Down(2).exe
C:\WINDOWS\system32\Down(1).exe
C:\WINDOWS\system32\Down(0).exe
C:\WINDOWS\system32\svchst.exe
C:\test.exe
registry values to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | "mschkdsk.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | "GoogleUpdate"

Go to File on the top bar and choose Save As. Change the Save As Type to All Files, name it pirate.txt, then save it to your C drive (it should now be C:\pirate.txt).


Open Task Manager (Ctrl - Alt - Delete). Then on the list locate and double-click explorer.exe, then click End Process (and okay the warning). This will temporarily cause your desktop to disappear.

Still in Task Manager go to File - New Task, type the following then OK.

%userprofile%\desktop\avenger\avenger.exe

The Avenger display should now open.

Make sure "Load script from file" is checked, then type into the box just beneath that the following:

C:\pirate.txt

and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer.

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Run a Deckard's scan and post that back here along with the C:\avenger.txt please.
#42
January 11th, 2008, 05:56 AM
Berna (Member)
I've tried doing this twice and keep receiving a syntax line error whenever I type in the C:\pirate.txt and hit the green light. I checked my c drive and the text file is indeed where it should be and I copied and pasted %userprofile%\desktop\avenger\avenger.exe into new task so I know it wasn't a typing error. What am I doing wrong?
#43
January 11th, 2008, 06:06 AM
Berna (Member)
Wait, third time's a charm. Still received the syntax line error (does not appear to be a valid registry path) but this time I got around it and the avenger did the system reboot. The scariest part was upon reboot, although I could see the log being created, the much dreaded "exception processing message" popped up once.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | "mschkdsk.exe


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | "GoogleUpdate


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yvmeslom

*******************

Script file located at: \??\C:\Program Files\njxshgua.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\snhuqt.DRV deleted successfully.
File C:\WINDOWS\SYSTEM32\arsneo.DRV deleted successfully.
File C:\WINDOWS\SYSTEM32\gxobza.KEY deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(6).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(5).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(4).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(3).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(2).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\0004c49d.inf deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(1).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(0).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\svchst.exe deleted successfully.
File C:\test.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Flower.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\Flower.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(31).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(30).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(29).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(28).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(27).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(26).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(25).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(24).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(23).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(22).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(21).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(20).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(19).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(18).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(17).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\azftzw.KEY deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(16).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(15).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(14).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(13).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\00044f77.inf deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(11).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(10).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(9).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(8).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Down(7).exe deleted successfully.
File C:\WINDOWS\SYSTEM32\a.jpg deleted successfully.
File C:\WINDOWS\SYSTEM32\IE_ASSII.exe deleted successfully.
File C:\HTGD0003.exe deleted successfully.
File C:\HTGD0005.exe deleted successfully.
File C:\HTGD0002.bmp deleted successfully.
File C:\HTGD0006.ini deleted successfully.
File c:\windows\system32\azftzw.dll deleted successfully.


File C:\Program Files\Internet Explorer\3776.EXE not found!
Deletion of file C:\Program Files\Internet Explorer\3776.EXE failed!

Could not process line:
C:\Program Files\Internet Explorer\3776.EXE
Status: 0xc0000034



File C:\WINDOWS\system32\Flower.exe not found!
Deletion of file C:\WINDOWS\system32\Flower.exe failed!

Could not process line:
C:\WINDOWS\system32\Flower.exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(6).exe not found!
Deletion of file C:\WINDOWS\system32\Down(6).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(6).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(5).exe not found!
Deletion of file C:\WINDOWS\system32\Down(5).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(5).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(4).exe not found!
Deletion of file C:\WINDOWS\system32\Down(4).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(4).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(3).exe not found!
Deletion of file C:\WINDOWS\system32\Down(3).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(3).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(2).exe not found!
Deletion of file C:\WINDOWS\system32\Down(2).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(2).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(1).exe not found!
Deletion of file C:\WINDOWS\system32\Down(1).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(1).exe
Status: 0xc0000034



File C:\WINDOWS\system32\Down(0).exe not found!
Deletion of file C:\WINDOWS\system32\Down(0).exe failed!

Could not process line:
C:\WINDOWS\system32\Down(0).exe
Status: 0xc0000034



File C:\WINDOWS\system32\svchst.exe not found!
Deletion of file C:\WINDOWS\system32\svchst.exe failed!

Could not process line:
C:\WINDOWS\system32\svchst.exe
Status: 0xc0000034



File C:\test.exe not found!
Deletion of file C:\test.exe failed!

Could not process line:
C:\test.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
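Jintan's Avenger step (post #41) and the log Berna got back (post #43) are a good place to show how a helper would triage such a run before and after the reboot. The following is an added example, not part of this thread and not code from The Avenger itself. It reads an Avenger-style script, flags paths that appear twice under different letter case (Windows paths are case-insensitive, so `SYSTEM32\Flower.exe` and `system32\Flower.exe` are the same file and the second attempt can only fail), then reads the post-reboot log and labels each failure as either "already deleted earlier in this run" or "never present on disk". The sample script and log are constructed from a few of the lines posted above; the section-header pattern (`<things> to <verb>:`) is an assumption about Avenger's script grammar, and the NTSTATUS name for `0xc0000034` is the standard Windows one.

```python
"""Triage an Avenger run: check the script for duplicate paths before it is
executed, then read the post-reboot log and explain every failed deletion.
Added example; not part of this thread or of The Avenger tool itself."""
import re

# Constructed sample script: one file listed twice with different case
# (SYSTEM32 vs system32), plus a path a Run value points at but which is gone.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\SYSTEM32\Flower.exe
C:\test.exe
C:\Program Files\Internet Explorer\3776.EXE
C:\WINDOWS\system32\Flower.exe
registry values to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | "GoogleUpdate"
"""

# Constructed sample log, in the shape Avenger writes to C:\avenger.txt.
SAMPLE_LOG = r"""Beginning to process script file:
File C:\WINDOWS\SYSTEM32\Flower.exe deleted successfully.
File C:\test.exe deleted successfully.
File C:\Program Files\Internet Explorer\3776.EXE not found!
Deletion of file C:\Program Files\Internet Explorer\3776.EXE failed!
Could not process line:
C:\Program Files\Internet Explorer\3776.EXE
Status: 0xc0000034
File C:\WINDOWS\system32\Flower.exe not found!
Deletion of file C:\WINDOWS\system32\Flower.exe failed!
Could not process line:
C:\WINDOWS\system32\Flower.exe
Status: 0xc0000034
Completed script processing.
"""

# Assumption: every Avenger section header has the shape "<things> to <verb>:".
SECTION_RE = re.compile(r"^[A-Za-z ]+ to [A-Za-z ]+:$")
DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")
STATUS_OBJECT_NAME_NOT_FOUND = "0xc0000034"  # NTSTATUS: no such file


def parse_script(text):
    """Map each section header (lower-cased) to its entries, in script order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def duplicate_paths(entries):
    """Return (later, earlier) pairs that name the same file ignoring case."""
    first_seen, dups = {}, []
    for entry in entries:
        key = entry.lower()
        if key in first_seen:
            dups.append((entry, first_seen[key]))
        else:
            first_seen[key] = entry
    return dups


def parse_log(text):
    """Return (path, outcome, status) tuples in the order the log reports them."""
    results, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DELETED_RE.match(line):
            results.append((m.group(1), "deleted", None))
        elif m := FAILED_RE.match(line):
            pending = m.group(1)  # the NTSTATUS follows a few lines later
        elif (m := STATUS_RE.match(line)) and pending is not None:
            results.append((pending, "failed", m.group(1).lower()))
            pending = None
    return results


def explain_failures(results):
    """Tell a harmless failure (file already deleted earlier in the same run)
    apart from a reference that never resolved to a file on disk."""
    deleted, explained = set(), []
    for path, outcome, status in results:
        if outcome == "deleted":
            deleted.add(path.lower())
        elif path.lower() in deleted:
            explained.append((path, "already deleted earlier in this run"))
        elif status == STATUS_OBJECT_NAME_NOT_FOUND:
            explained.append((path, "never present on disk"))
        else:
            explained.append((path, f"failed with status {status}"))
    return explained


if __name__ == "__main__":
    for later, earlier in duplicate_paths(parse_script(SAMPLE_SCRIPT)["files to delete:"]):
        print(f"duplicate script line: {later} repeats {earlier}")
    for path, why in explain_failures(parse_log(SAMPLE_LOG)):
        print(f"{path}: {why}")
```

Run against the full log posted above, the same logic shows that ten of the eleven "not found" failures are second mentions of files the run had already removed, and only `C:\Program Files\Internet Explorer\3776.EXE` was absent to begin with, which agrees with the empty `[]` that the DSS registry dump prints for the `GoogleUpdate` Run value where every other entry shows a file date.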
#44
January 11th, 2008, 06:11 AM
Berna (Member)
Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Nee Dobbs on 2008-01-10 23:09:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Nee Dobbs.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:09, on 2008-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Nee Dobbs\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NEEDOB~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.knology.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://security.symantec.com/default...n-us&venid=sym
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE
O4 - HKLM\..\Run: [GoogleUpdate] C:\Program Files\Internet Explorer\3776.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135319494359
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0A146A3-12D5-45D7-A360-25D5791140CA}: NameServer = 192.168.2.1
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O24 - Desktop Component 0: (no name) - http://www.webkinz.com/assets/images...bkinz_fill.png

--
End of file - 8634 bytes

-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-06 19:37:17 3045 --a------ C:\Documents and Settings\Nee Dobbs\CFScript
2008-01-06 11:19:35 198 --a------ C:\Documents and Settings\Nee Dobbs\servstop.bat
2008-01-06 11:18:42 92 --a------ C:\Documents and Settings\Nee Dobbs\servstart.bat
2008-01-02 15:23:26 0 d-------- C:\Program Files\Trend Micro
2008-01-02 14:34:12 0 d-------- C:\Program Files\Apple Software Update
2008-01-02 14:34:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-01 23:18:00 0 dr-h----- C:\Documents and Settings\Nee Dobbs\Recent
2007-12-28 18:28:39 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\Ulead Systems
2007-12-28 18:28:34 0 d-------- C:\WINDOWS\ulead.dat
2007-12-26 20:58:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-26 20:58:23 0 d-------- C:\Program Files\Web Publish
2007-12-16 19:54:31 0 d-------- C:\Program Files\Magic Photo Editor
2007-12-10 15:09:56 0 d-------- C:\Documents and Settings\Nee Dobbs\.housecall6.6


-- Find3M Report ---------------------------------------------------------------

2008-01-07 15:23:31 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\AdobeUM
2008-01-05 20:58:25 0 d-------- C:\Program Files\Personalised Letters
2008-01-05 20:49:54 0 d-------- C:\Program Files\Canon
2008-01-05 20:47:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 19:39:03 0 d-------- C:\Program Files\exPressit S.E. 2.1
2008-01-02 16:46:13 0 d-------- C:\Program Files\Common Files
2007-12-26 21:39:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 19:03:21 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-12 19:03:06 0 d-------- C:\Program Files\Symantec
2007-12-05 21:14:52 6367 --a------ C:\Documents and Settings\Nee Dobbs\Application Data\Hewlett-PackardHP Photosmart 2570 series1146795559_UI.log
2007-12-05 21:14:52 2228 --a------ C:\Documents and Settings\Nee Dobbs\Application Data\Hewlett-PackardHP Photosmart 2570 series1146795559_PROTOCOL.log
2007-12-05 19:50:25 0 d-------- C:\Program Files\Club World Casinos
2007-11-23 09:09:29 0 d-------- C:\Documents and Settings\Nee Dobbs\Application Data\uTorrent
2007-11-19 17:45:03 0 --a------ C:\WINDOWS\system32\ISHARE
2007-10-30 12:15:42 139264 --a------ C:\WINDOWS\system32\nsx35.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 02:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 19:15]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 04:33]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 05:15]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"nwiz"="nwiz.exe" [2005-12-10 02:06 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 02:06]
"PCLEPCI"="C:\PROGRA~1\PINNAC~1\PPE\PPE.EXE" [2003-09-23 10:04]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3776.EXE" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Nee Dobbs\SendTo\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 11:58:38]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""




-- End of Deckard's System Scanner: finished at 2008-01-10 23:10:22 ------------
  #45  
Old January 11th, 2008, 06:46 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Progress each step of the way - always a good thing. I have checked the Gmer log again, and sense the entries showing in it are related to Pinnacle software, which this system has.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Do a search ( Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\WINDOWS\system32\nsx35.dll

---------------------------

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O4 - HKLM\..\Run: [GoogleUpdate] C:\Program Files\Internet Explorer\3776.EXE
O24 - Desktop Component 0: (no name) - http://www.webkinz.com/assets/images...bkinz_fill.png


----------------------------------

Open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:

Code:
cd %windir%
attrib -s -h -r system32\cmd.com
attrib -s -h -r system32\netstat.com
attrib -s -h -r system32\ping.com
attrib -s -h -r system32\regedit.com
attrib -s -h -r system32\taskkill.com
attrib -s -h -r system32\tasklist.com
attrib -s -h -r system32\tracert.com
del system32\cmd.com
del system32\netstat.com
del system32\ping.com
del system32\regedit.com
del system32\taskkill.com
del system32\tasklist.com
del system32\tracert.com
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Then double-click on remove.bat. A window should open and close fairly quickly --- this is normal.

------------------------

Right click Here and select Save Target As (Firefox Save Link As) and save UnHookExec.inf to your Desktop.

Then right-click on UnHookExec.inf and select Install.

------------------------

Then try it again - delete the existing copy of HijackThis, and download a fresh copy from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as a new HijackThis log please.
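As an added defender-side illustration of the three indicators Jintan's post acts on (the planted `.com` copies of system commands that remove.bat deletes, the hosts-file redirect in the O1 lines, and the Run value pointing at a numeric-named EXE in the Internet Explorer folder), the Python script below is not part of this thread and is not code from DSS, HijackThis or ComboFix. Its sample inputs are constructed from values visible in the logs above, and the detection heuristics (a `.com` beside an `.exe` of the same name, a hosts entry that maps to a non-loopback address, a Run target with no file timestamp or an all-digit file name) are my own assumptions, not rules from any of those tools.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: three lines in the format of the DSS "Registry Dump"
# above. The GoogleUpdate line reproduces the indicator from the log;
# DSS prints an empty [] when it cannot find the target file.
SAMPLE_RUN_DUMP = r'''
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 02:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"GoogleUpdate"="C:\Program Files\Internet Explorer\3776.EXE" []
'''

# Constructed sample hosts file: the normal loopback line plus the redirect
# that appears (four times) as O1 entries in the HijackThis log.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com   # duplicate, reported once
"""

# Constructed listing: a few file names from %windir% and %windir%\system32
# combined (regedit.exe lives in %windir%, the rest in system32).
SAMPLE_WINDOWS_FILES = [
    "cmd.exe", "cmd.com", "netstat.exe", "netstat.com", "ping.exe",
    "regedit.exe", "regedit.com", "more.com", "mode.com", "notepad.exe",
]

# Matches one DSS Run-key line: "name"="path" [timestamp or empty]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')


def find_com_shadows(names: List[str]) -> List[str]:
    """Return .com files that sit beside an .exe of the same base name.

    PATHEXT lists .COM before .EXE, so a planted cmd.com is what runs when
    a user types 'cmd'; that is the pattern remove.bat above deletes.
    A lone .com (more.com, mode.com) is normal on XP and is not flagged.
    Heuristic assumption: no legitimate command ships as both .com and .exe.
    """
    lower = {n.lower() for n in names}
    return sorted(n for n in lower
                  if n.endswith(".com") and n[:-4] + ".exe" in lower)


def find_hosts_redirects(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that map a name to a non-loopback address.

    Blocking entries point names at 127.0.0.1, ::1 or 0.0.0.0; anything
    else silently sends the browser elsewhere, as the casinocontroller.com
    O1 lines do. Comments are stripped and duplicates collapsed.
    """
    seen = set()
    found: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hostnames = line.split()
        if ip in ("127.0.0.1", "::1", "0.0.0.0"):
            continue
        for host in hostnames:
            key = (ip, host.lower())
            if key not in seen:
                seen.add(key)
                found.append(key)
    return found


def find_suspicious_run_entries(dump: str) -> List[Dict[str, str]]:
    """Flag Run values whose target has no file timestamp (DSS could not
    stat it) or whose file name is nothing but digits, like 3776.EXE."""
    hits: List[Dict[str, str]] = []
    for line in dump.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if not m.group("stamp").strip():
            reasons.append("no file timestamp")
        if stem.isdigit():
            reasons.append("numeric file name")
        if reasons:
            hits.append({"name": m.group("name"), "path": path,
                         "why": ", ".join(reasons)})
    return hits


if __name__ == "__main__":
    print("com shadows :", find_com_shadows(SAMPLE_WINDOWS_FILES))
    print("hosts redirects:", find_hosts_redirects(SAMPLE_HOSTS))
    for hit in find_suspicious_run_entries(SAMPLE_RUN_DUMP):
        print("run entry  :", hit["name"], "->", hit["path"], "(", hit["why"], ")")
```

On a live system the three inputs would come from `os.listdir` on `%windir%` and `%windir%\system32`, the contents of `%windir%\system32\drivers\etc\hosts`, and the pasted DSS or HijackThis log; the functions are kept pure so they can be run against a log someone posts without touching the machine.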