Member Avatar for Soximus

Hello,

This is my second attempt at posting this problem (thanks to jholland for directing me to the appropriate place); hopefully this is the info needed to figure this out! My computer has essentially been broken for two weeks now, and I'm getting worried I'll have to wipe all the HD's and start fresh. I saw crunchie's recent reply to an Antivirus XP 2008 problem, but I seem to have a slightly different flavor of bug on my hands...

Here's what I'm encountering:

--Downloader.Mislead.app found by Symantec anti-virus (corporate) repeatedly, even after quarantine/delete (which it tells me is successful...)
--Spybot S&D finds nothing major (a couple of tracking cookies after the latest scan)
--The machine will randomly do something that appears to be a BSOD while it is idling (when booted into normal mode, XP Pro, SP2)
--However, these pseudo-BSOD's can be interrupted by hitting any key, at which point the machine resumes functioning as though nothing happened. If I don't hit a key, it reboots.
--A weird folder is continually created in the registry called rhc30bj0ej17.exe (the file associated with Downloader.Mislead.app, apparently
--Antivirus XP 2008 no longer launches on startup, or DL's anything when the machine is connected to the internet

Please let me know which mode I should boot into to execute the things you advise (safe mode, safe mode w/ networking, regular mode). Also, I disabled my media HD's to work on getting rid of this bug-- should I keep them unhooked from the mobo? Could the bug/worm be lurking in them somewhere (both drives are used purely for media storage)? Or perhaps I could clean the C: drive and then turn my attention to the other drives...?

Thank you for any help.


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:08 AM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Documents and Settings\All Users\Application Data\zqropqng\lszujixs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AS01_Netgear] "C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [A0SJfOQ9Hb] C:\Documents and Settings\All Users\Application Data\zqropqng\lszujixs.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125873213200
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: mntdbinfo - {0CB68836-D036-8F39-7D8D-0946CE6038A9} - C:\Program Files\ujbefxd\mntdbinfo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7193 bytes

  • 2 Contributors
  • 15 Replies
  • 123 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by jholland1964

Recommended Answers

All 15 Replies

Member Avatar for jholland1964

The first thing you need to do is to go into the Spybot S & D program and TURN OFF TeaTimer. It can interfere with any fixes which may need to be completed.
To turn it off open the program. Go to the Mode Button at the top and choose Advanced.
Next on the lower left side you should see Three buttons, settings, tools, info & license.
Choose Tools. When Tools Opens, there on the left side you will see a list. Click on Resident (icon looks like a red shield with a white stripe diagonally down the middle. When that opens REMOVE the checkmark from Resident TeaTimer. Close the program.
Reboot the computer.
Go HERE Please follow ALL the steps given. If the instructions for a particular step tell you to remove whatever is found then please do so.

Also, I disabled my media HD's to work on getting rid of this bug-- should I keep them unhooked from the mobo? Could the bug/worm be lurking in them somewhere (both drives are used purely for media storage)? Or perhaps I could clean the C: drive and then turn my attention to the other drives...?

I would say if these are normally connected then connect them. The scans can be set to scan all drives. All of this should be done in NORMAL mode unless you are later instructed otherwise
Once you have completed all the steps then post back here with the requested logs.

Member Avatar for Soximus

Thank you jholland!! That thread you sent me to was awesome (although I feel kind of dumb for not finding it in the first place).

A couple last questions:

Can I re-enable Tea Timer in Spybot S&D?

Also, can you tell me (or point me to the appropriate thread) about what combination of applications I should be using to ensure that this doesn't happen again? Perhaps the links in this thread are still good, even though it's from 2005?

http://www.daniweb.com/forums/thread27519.html

Thanks again,

Soximus

Member Avatar for jholland1964

First of all, the link I sent you requested that the scans be done, the logs saved and then those logs should be posted or attached back here in this thread so I can take a look at them. Could you do that so we can be sure your computer is clean?

Next, I, personally, and many others I might add, would advise AGAINST turning on that TeaTimer portion of Spybot. It CAN interfere with any fixes you have to do from time to time.

The link you posted does have current links to the various programs listed as far as I can tell.
My advice is continue to use the Malwarebytes-Anti-Malware program which is linked in the link that I gave you. Continue to use Spybot WITHOUT the TeaTimer enabled. The ONE other program I would recommend adding is SpywareBlaster which

Helps prevent the installation of spyware, adware, browser hijackers, dialers, and other unwanted software; blocks many spyware/tracking cookies, and restricts the actions of unwanted sites.

It is really a MUST HAVE. Plus it DOES NOT run in the background. Your Norton program, while a pretty good antivirus program does use a lot of system resources and therefore I wouldn't add a lot of other protection programs which can consume more resources.
Please post those logs for me so I can look through them and see what was removed and what other steps might be needed.
Judy

Member Avatar for Soximus

Apologies for not posting these logs in the first place.

So far, everything still looks good here; hopefully the logs will confirm this.

Lastly, here's my plan for anti-spy/malware/virus software:

AV:
Norton Symantec Corporate edition

Firewall:
Built-in XP
Zone Alarm

Anti-Spyware:
Spyware S&D (Tea Timer turned off)
SpywareBlaster

Anti-Malware:
Malwarebytes-Anti-Malware

I plan on uninstalling Ad-Aware and AVG.

Is this a good plan, or should I add/subtract from it? I bought a subscription to Spy Sweeper a few months ago, but it doesn't seem like that's a very popular app... ;(

Thank you for your help; this has been a great learning experience (every gray cloud...).

-Soximus

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1022.73 MiB / 477.98 MiB
Pagefile Memory (total/avail): 2462.19 MiB / 2181.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.27 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.32 GiB total, 28.33 GiB free. 
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 114.49 GiB total, 67.78 GiB free. 
G: is CDROM (No Media)
I: is Removable (No Media)
Z: is Fixed (NTFS) - 465.76 GiB total, 219.72 GiB free. 

\\.\PHYSICALDRIVE0 - Maxtor 6Y080P0 - 76.33 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 76.32 GiB - C:

\\.\PHYSICALDRIVE1 - Maxtor 6Y120M0 - 114.49 GiB - 1 partition
  \PARTITION0 - Installable File System - 114.49 GiB - F:

\\.\PHYSICALDRIVE2 - ST3500630AS - 465.76 GiB - 1 partition
  \PARTITION0 - Installable File System - 465.76 GiB - Z:

\\.\PHYSICALDRIVE3 - Canon MP470 series USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\orson\Application Data
CLASSPATH=.;
CLIENTNAME=Console
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ORSONS-COMP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\orson
ITEMID=dj-22741-15
LANG=1033
LOGONSERVER=\\ORSONS-COMP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
OSVER=winXPP
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONID=1125803256816htx60561b5a415:106279f1b5a:-158a
SESSIONNAME=Console
SWUTVER=1.0.18.30716
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\orson\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\orson\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
tvdumpflags=8
UPDATEDIR=C:\DOCUME~1\orson\LOCALS~1\Temp\rad7587A.tmp
USERDOMAIN=ORSONS-COMP
USERNAME=orson
USERPROFILE=C:\Documents and Settings\orson
VERSION=3.0.5.001
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

orson [I](admin)[/I]
Administrator [I](admin)[/I]


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program Files\Creative\SBAudigy2ZS\Program\SETUP.EXE" /S /U /W 
 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9 
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Amazon MP3 Downloader 1.0.3 --> C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
ASUS Probe V2.21.07 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
AsusUpdate --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASUS\AsusUpdate\Uninst.isu"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x575c 
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Auctioneer AddOns --> C:\Program Files\World of Warcraft\Auctioneer Uninstaller.exe
Avid Xpress Pro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE858D4-4C6B-4454-9A99-811AC3C476A8}\setup.exe" -l0x9 
Azureus --> C:\Program Files\Azureus\Uninstall.exe
BitTornado 0.3.17 --> C:\Program Files\BitTornado\uninst.exe
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1033 
Canon MP Navigator EX 1.0 --> "C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP470 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP470_series /L0x0009
Canon MP470 series User Registration --> C:\Program Files\Canon\IJEREG\MP470 series\UNINST.EXE
Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon S300 --> C:\WINDOWS\system32\CNMCP38.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon S300 Installer\Inst\DeIsL1.isu" -pCanon S300-c"C:\BJPrinter\CNMWINDOWS\Canon S300 Installer\Inst\bjinst.dll
Canon Utilities Easy-PhotoPrint EX --> C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu --> C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
cleaner XL --> C:\WINDOWS\unvise32.exe C:\Program Files\discreet\cleaner XL\uninstal.log
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9  /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9  /remove
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
FilmScribe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EE9ADF2-6FD5-4EF6-9041-B8CFADD431BE}\setup.exe" -l0x9 
Final Draft 6 --> MsiExec.exe /I{CC8B19D1-91D2-4D5B-B331-F885F432745E}
Gizmo Project 3.1 --> C:\Program Files\Gizmo Project\uninst.exe
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 5700 --> msiexec /x{85B1BEF2-2357-4C27-ABBE-15A1AE3AF78D}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033 
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java 2 Runtime Environment Standard Edition v1.3.0_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.0_02\Uninst.isu"
LightScribe Applications --> MsiExec.exe /X{7373184D-8E8F-4308-912A-3901071FA1AD}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NETGEAR WG311 Wireless PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6BA6111-75DF-426D-9230-91C42425219F}\Setup.exe" -l0x9 
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
OfotoNow --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3350 (20080812)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c5749c56d1f85146a9ed2b6faa423a62
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-08-12 10:49:20
# local_time=2008-08-12 06:49:20 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=444917
# found=0
# scan_time=5380
Deckard's System Scanner v20071014.68
Run by orson on 2008-08-13 00:09:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-13 04:10:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as orson.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:55 AM, on 8/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\orson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\orson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AS01_Netgear] "C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125873213200
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6655 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080120-061040-543 O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
backup-20080120-061040-572 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080120-061040-626 O4 - HKCU\..\Run: [OfotoNow USB Detection] "C:\WINDOWS\system32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
backup-20080120-061041-756 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080120-061041-894 O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080220-064902-126 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080220-064902-397 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080220-064902-590 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080220-064902-909 O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
backup-20080220-064902-922 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080220-064903-314 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080220-064903-713 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080220-064903-900 O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
backup-20080811-213909-293 O4 - HKLM\..\Run: [SMrhc30bj0ej17] C:\Program Files\rhc30bj0ej17\rhc30bj0ej17.exe
backup-20080811-213909-604 O4 - HKLM\..\Policies\Explorer\Run: [A0SJfOQ9Hb] C:\Documents and Settings\All Users\Application Data\zqropqng\lszujixs.exe
backup-20080811-213909-845 O4 - HKLM\..\Run: [lphc70bj0ej17] C:\WINDOWS\system32\lphc70bj0ej17.exe
backup-20080811-215605-150 O4 - HKCU\..\Run: [MonUi] C:\WINDOWS\system32\opanqjyx.exe
backup-20080811-215605-327 O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
backup-20080811-215605-417 O21 - SSODL: mntdbinfo - {0CB68836-D036-8F39-7D8D-0946CE6038A9} - C:\Program Files\ujbefxd\mntdbinfo.dll
backup-20080811-215605-513 O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
backup-20080811-221317-156 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

-- File Associ
Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 3

5:14:42 PM 8/12/2008
mbam-log-8-12-2008 (17-14-42).txt

Scan type: Full Scan (C:\|F:\|Z:\|)
Objects scanned: 127252
Time elapsed: 39 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Ad-Aware SE Personal
Adobe Flash Player Plugin
Adobe Photoshop CS
Adobe Reader 8.1.2
Amazon MP3 Downloader 1.0.3
ASUS Probe V2.21.07
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Auctioneer AddOns
Avid Xpress Pro
Azureus
BitTornado 0.3.17
Bonjour
Canon MP Navigator EX 1.0
Canon MP470 series
Canon MP470 series User Registration
Canon My Printer
Canon S300
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CDBurnerXP Pro 3
cleaner XL
Creative Audio Console
Creative System Information
DivX
DivX Player
ESET Online Scanner
FilmScribe
Final Draft 6
Gizmo Project 3.1
Google Earth
Google Talk (remove only)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
HP Deskjet 5700
HP Software Update
iTunes
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment Standard Edition v1.3.0_02
LightScribe Applications
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NETGEAR WG311 Wireless PCI Adapter
Nikon Message Center
OfotoNow
Picasa 2
PictureProject
PictureProject In Touch Downloader 1.0
Quicken 2006
QuickTime
RealPlayer
Retrospect 6.5
Rhapsody Player Engine
ScanSoft OmniPage SE 4
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Sentinel System Driver 5.41.0 (32-bit)
Sid Meier's Civilization 4
Skype 3.5
Sound Blaster Audigy 2 ZS
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SureThing CD Labeler Deluxe 5
Symantec AntiVirus Client
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
TurboTax Premier 2005
TurboTax Premier 2007
Ulead DVD Workshop 2
Update for Windows XP (KB951978)
Ventrilo Client
WD Diagnostics
Winamp
Windows Genuine Advantage v1.3.0254.0
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
ZoneAlarm
ZoneAlarm Spy Blocker
Member Avatar for jholland1964

Security plans look pretty good with the exception of the firewalls....rule is ONLY ONE OF THOSE also. Your choice but just pick one.
Am looking at your logs now and will get back with you on those ASAP.
Judy

Member Avatar for jholland1964

I think you had better do one more program to be safe. Download Combofix to the desktop.
When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on the desktop.
Once that appears then do the following

Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Double-click on the ComboFix icon found on your desktop. You will be asked if you are sure you want to run the program. Click the RUN button. Follow any prompts given and be sure to agree to the disclaimer. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Be aware that ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
When all is complete post back here with the combofix log.

Member Avatar for Soximus

Here it is...

Thanks.

ComboFix 08-08-12.01 - orson 2008-08-13  9:44:21.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.573 [GMT -4:00]
Running from: C:\Documents and Settings\orson\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-07-13 to 2008-08-13  )))))))))))))))))))))))))))))))
.

2008-08-13 00:09 . 2008-08-13 00:09	<DIR>	d--------	C:\Deckard
2008-08-12 12:37 . 2008-08-12 17:19	<DIR>	d--------	C:\Program Files\EsetOnlineScanner
2008-08-12 00:12 . 2008-08-12 00:12	<DIR>	d--------	C:\WINDOWS\system32\scripting
2008-08-12 00:12 . 2008-08-12 00:12	<DIR>	d--------	C:\WINDOWS\system32\en
2008-08-12 00:12 . 2008-08-12 00:12	<DIR>	d--------	C:\WINDOWS\l2schemas
2008-08-11 23:27 . 2008-04-13 20:12	712,704	---------	C:\WINDOWS\system32\windowscodecs.dll
2008-08-11 23:27 . 2008-04-13 20:12	346,112	---------	C:\WINDOWS\system32\windowscodecsext.dll
2008-08-11 23:27 . 2008-04-13 20:12	276,992	---------	C:\WINDOWS\system32\wmphoto.dll
2008-08-11 23:27 . 2008-04-13 20:12	69,120	---------	C:\WINDOWS\system32\wlanapi.dll
2008-08-11 23:27 . 2008-04-13 20:12	53,248	---------	C:\WINDOWS\system32\tsgqec.dll
2008-08-11 23:27 . 2008-04-13 20:12	50,688	---------	C:\WINDOWS\system32\tspkg.dll
2008-08-11 23:25 . 2008-04-13 20:11	650,752	---------	C:\WINDOWS\system32\dot3ui.dll
2008-08-11 22:52 . 2008-08-13 09:46	23,730,208	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-11 22:52 . 2008-08-13 00:42	280,532	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-11 22:50 . 2008-08-11 22:50	<DIR>	d--------	C:\Program Files\ZoneAlarmSB
2008-08-11 22:48 . 2008-08-11 22:48	<DIR>	d--------	C:\Program Files\Zone Labs
2008-08-11 22:48 . 2008-08-11 22:48	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-11 22:47 . 2008-08-13 09:33	<DIR>	d--------	C:\WINDOWS\Internet Logs
2008-08-11 20:53 . 2008-08-11 20:53	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 20:53 . 2008-08-11 20:53	<DIR>	d--------	C:\Documents and Settings\orson\Application Data\Malwarebytes
2008-08-11 20:53 . 2008-08-11 20:53	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-11 20:53 . 2008-07-30 20:07	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-11 20:53 . 2008-07-30 20:07	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 17:50 . 2008-08-06 17:50	<DIR>	d--------	C:\Documents and Settings\Administrator
2008-07-23 22:04 . 2008-07-23 22:04	<DIR>	d--------	C:\Program Files\Symantec_Client_Security
2008-07-23 22:04 . 2008-07-23 22:03	124,167	--a------	C:\WINDOWS\system32\SYMEVNT.386
2008-07-23 22:04 . 2008-07-23 22:03	83,208	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-23 22:04 . 2008-07-23 22:03	73,432	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 16:44	---------	d-----w	C:\Documents and Settings\All Users\Application Data\zqropqng
2008-08-12 13:09	---------	d-----w	C:\Program Files\ATI Technologies
2008-07-24 02:04	---------	d-----w	C:\Program Files\Symantec
2008-07-24 02:04	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-07-24 02:04	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-24 02:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 01:26	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-07-24 01:07	---------	d-----w	C:\Program Files\Symantec AntiVirus
2008-07-21 15:36	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Retrospect
2008-07-12 16:54	164	----a-w	C:\install.dat
2008-07-09 13:05	75,248	----a-w	C:\WINDOWS\zllsputility.exe
2008-07-09 13:05	1,086,952	----a-w	C:\WINDOWS\system32\zpeng24.dll
2008-06-24 12:22	---------	d-----w	C:\Program Files\Warcraft III
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 14:30	196,608	----a-w	C:\Program Files\W3XCustomKick12001.exe
2008-05-28 12:58	339,968	----a-w	C:\WINDOWS\system32\WDBtnMgr.exe
2006-10-01 16:38	3,167,744	----a-w	C:\Documents and Settings\orson\gosetup.exe
2006-08-18 04:42	1,516,060	----a-w	C:\Program Files\vsp300.exe
2006-03-29 00:06	1,223,168	----a-w	C:\Program Files\winscp.exe
2005-05-06 21:49	2,843,788	----a-w	C:\Program Files\ip-to-country.csv
2002-06-18 12:04	1,783	----a-w	C:\Program Files\Enhancements_Import_1_0.dtd
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-12-19 13:49 446464]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-14 21:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-03-04 21:50 1603152]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"WD Button Manager"="WDBtnMgr.exe" [2008-05-28 08:58 339968 C:\WINDOWS\system32\WDBtnMgr.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.AVRn"= AvidAVICodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
--a------ 2002-12-06 16:07 617984 C:\Program Files\ASUS\Probe\AsusProb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 10:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 10:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-31 10:08 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2008-05-28 08:58 339968 C:\WINDOWS\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-
Member Avatar for jholland1964

Looks pretty good. Do things seem back to normal?

Member Avatar for Soximus

I was all set to answer 'yes,' but then suddenly I hit a snag: For some reason, I can't get Symantec to load. I also can't uninstall it (I figured I could just do a fresh installation). Not sure if this topic deserves a new thread, since it's kind of off-topic...?

Here's what happens:

I go to Start>programs>symantec antivirus client
Then, once the app has started, I can see "load service" under the 'File' tab, but it's grayed out. When I select "live update," also under the file tab, I get, "All LiveUpdate packages for Symantec Antivirus have been disabled. Please contact your system administrator."

The user (me) definitely has sys-admin privileges (I verified this by going to user accounts in the control panel). Furthermore, I could successfully load/unload Symantec just a few days ago (when the virus was still present).

When I go to start>settings>control panel>administrative tools>services, I can see "Symantec Antivirus Client," but when I try to start it, I get the message: "Could not start the Symantec Antivirus Client service on Local Computer. Error 5: Access is denied."

I don't know if this is pertinent, but earlier today when I was trying to fix this, I thought I'd just go with AVG Free. That didn't work, either, as AVG was unable to access the internet to check for updates.

Again, I apologize is this is the wrong thread for this question! Thank you for any insight you can give. At this point, I don't really care what AV software I use, just so long as I have something that works...

Best,

Soximus

Member Avatar for jholland1964

Try doing this;
Run checkdisk checking both options,
Automatically fix file system errors
Scan for an attempt recovery of bad sectors

Member Avatar for Soximus

I did the Chkdsk procedure, via My Computer (it ran the process after restart), but nothing seems to have changed.

Is it possible a crucial file has been inadvertently erased over the past couple of days...? The fact that I can't manipulate Symantec, and that AVG couldn't access the web for updates, makes me think there's a common problem they're both having...

So close! It would be a shame to have to reinstall windows at this point, but the alternative (operating without any anti-virus software running) is pretty unappealing.

Thoughts?

-Soximus

Member Avatar for jholland1964

can't manipulate Symantec, and that AVG couldn't access the web for updates

Are you saying you have both of these on the system at the same time? Did you turn off one of those firewalls?

Member Avatar for Soximus

At one point, I did have them both on the system at the same time. However, when I realized I was having problems loading Norton, I uninstalled AVG immediately. I also uninstalled zone alarm, and turned off Windows firewall.

Basically, I've been uninstalling everything I can think of! I've been rebooting fairly often (most recently to run Chkdsk). I removed the password to the (one) user account. I've tried completely removing Symantec numerous times, with no luck.

I also rolled back to SP2 (before I sought help, I thought maybe upgrading to SP3 would fix things), but this didn't do anything. Perhaps going from SP2 to SP3 broke something somewhere...? There's not much left to uninstall, although if you think it would help, I could take out a bunch of seemingly unrelated apps (bit torrent, games, etc).

Thanks for your patience.

-Soximus

Member Avatar for jholland1964

You didn't need to disable the Windows Firewall if you removed Zone Alarm, the rule means only one firewall should be used on the system.
If you have your Norton Install Disk, or if you downloaded it and you have your Product Key so that you can install it again, then go HERE for instructions on the removal of your Corporate Edition. You will have to choose the correct version and follow their steps.

Member Avatar for jholland1964

Do you happen to still have the ORIGINAL logs? Not the ones you posted yesterday, they were obviously run yesterday, but the first Malwarebyte's log which must have removed "something". The log you posted showed as clean. Same with the ESET Scanner log. I would really like to know exactly what was removed, since combofix didn't remove or fix anything.

Plus, stop installing and uninstalling programs for now, except the actual program you want to remove, Norton. This won't help really and may confuse things more.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.