30th January 2008
#1
Inactive
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Trojan Horse Back Door, Buffer Overrun...
I'm being overrun with pop-ups. AVG Suite is running and "Threat detected while opening C:\windows\system32\drivers\RDPCDDD.sys Trojan Horse Back Doo Generic 9.OEP" but cannot heal. Also identified Adware Generic 2.AAUT while opening file C:\Windows\System32\qwnrytzgs.dll. AVG System Scan test results report 55 threats found, 0 cleaned, 43 moved to vault and 12 deleted. I'm getting "Buffer Overrun detected" system messages.
Here is my HJT log. Thanks for any suggestions.
____________________________________________
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:55:44 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\?ppPatch\??rvices.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\explorer.exe
C:\Hijack This\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EAED73F-573E-464C-BA99-075947DB1018} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D379CEA-2372-07AA-5767-5900BCC78891} - C:\WINDOWS\system32\qwnryzgs.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\urqrqon.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PersonalWeb] "C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iacequct] C:\WINDOWS\?ppPatch\??rvices.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Open PersonalWeb - {03F0E28F-1C51-4a56-A8F1-E8BF15AF8346} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Add to My Sites - {1BD60387-6806-4897-8002-0B855DFEAEEA} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\Software\..\Telephony: DomainName = efg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: urqrqon - urqrqon.dll (file missing)
O21 - SSODL: SysComponent - {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 10343 bytes
30th January 2008
#2
Senior Member
Join Date: Jan 2007
Location: Ontario
Posts: 355
Computer Experience: Where's the any key?
Hi and welcome,
Several issues here. Likely will take a few tools to clean up.
I notice too that you are running 2 antivirus programs.
AVG and McAfee.
Recommended to only run one because having 2 will conflict and cause a lot of issues.
Your choice which one you want to keep. I can't see any point paying for 2 of the similar products.
Since your AVG has firewall and is lighter on resources than McAfee -- you may wish to opt for keeping AVG and uninstalling McAfee.
-----------
I need more info to figure out what we do next.
Download Deckard's System Scanner to your Desktop from one of these links:
http://www.techsupportforum.com/sect...eckard/dss.exe
http://deckard.geekstogo.com/dss.exe
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\Extra.txt
Click Upload.
What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note
If you cannot attach files -- you can copy/paste here the contents of "extra.txt"
------
also -- any chance you can grab me the log from your AVG scan?
All requested logs might take a few posts to get all the info posted.
Long logs sometimes get cut off because of character limit in posts.
If you get any errors running dss -- please note as close as possible the error(s).
thanks
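The "several issues" the helper refers to are visible in the HijackThis log posted above. As an added example (not from this thread or from any tool it mentions), the following Python script triages HJT-style lines with four defender-side heuristics that the posted log happens to exercise: orphaned "(file missing)" entries, paths containing characters HijackThis renders as "?", a core Windows binary name loaded from outside system32, and Browser Helper Objects registered with no name. SAMPLE_LOG is a constructed excerpt of the log above, with a few legitimate entries included so the filter has something to leave alone.

```python
"""Triage a HijackThis-style log: flag the entry types a forum helper reads first."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus three legitimate entries (system32 lsass.exe, Adobe, AVG) that must stay quiet.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\?ppPatch\??rvices.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EAED73F-573E-464C-BA99-075947DB1018} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\urqrqon.dll (file missing)
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Iacequct] C:\WINDOWS\?ppPatch\??rvices.exe
O20 - Winlogon Notify: urqrqon - urqrqon.dll (file missing)
O21 - SSODL: SysComponent - {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
EXEC_RE = re.compile(r"(.+?\.(?:exe|dll|sys|scr|cpl))", re.IGNORECASE)

# Core Windows binaries that only ever load from %SystemRoot%\system32 on XP.
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")


def extract_path(section: str, body: str) -> str:
    """Pull the file path out of one entry; O4 lines carry a command, the rest a ' - ' list."""
    if section == "O4":
        bracket = re.search(r"\]\s*(.*)$", body)          # "[RunName] command args"
        cmd = bracket.group(1) if bracket else body.split(" = ", 1)[-1]
        quoted = re.match(r'"([^"]+)"', cmd)               # quoted path, arguments follow
        if quoted:
            return quoted.group(1)
        exe = EXEC_RE.match(cmd)                           # unquoted path up to its extension
        return exe.group(1) if exe else cmd.strip()
    return body.split(" - ")[-1].replace("(file missing)", "").strip()


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: section, path and the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            section, body = match.group("section"), match.group("body")
            path = extract_path(section, body)
        elif BARE_PATH_RE.match(line):                    # "Running processes" block
            section, body, path = "process", line, line
        else:
            continue
        filename = path.rsplit("\\", 1)[-1].lower()
        reasons: List[str] = []
        if "(file missing)" in body:
            reasons.append("points at a file that no longer exists (orphan left by a partial cleanup)")
        if "?" in path:
            reasons.append("path has characters HijackThis renders as '?': lookalike of a Windows name")
        if filename in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM32_PREFIXES):
            reasons.append("Windows system binary name loaded from outside system32")
        if section == "O2" and "(no name)" in body:
            reasons.append("Browser Helper Object registered without a name")
        if reasons:
            findings.append({"section": section, "path": path, "reasons": reasons})
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one finding per block, for pasting back into a thread."""
    blocks = []
    for fnd in triage(log_text):
        header = f"{fnd['section']:8} {fnd['path']}"
        blocks.append(header + "\n    - " + "\n    - ".join(fnd["reasons"]))
    return "\n".join(blocks)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A hit is a pointer for manual review, not a verdict: a legitimate product that was uninstalled incompletely also leaves "(file missing)" orphans behind, as the McAfee entries in this thread show.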
30th January 2008
#3
Inactive
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Log Files, as you requested
Blender, Thanks - I'll get McAfee off. Our IT contractor installed the AVG and was supposed to have removed McAfee, and I figured it was something I needed.
Below is the DSS log you asked for. I am also posting separately the Extra.txt file and finally, results of my AVG scan file. Thanks!
Deckard's System Scanner v20071014.68
Run by Mike on 2008-01-30 15:12:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
91: 2008-01-30 21:12:56 UTC - RP1449 - Deckard's System Scanner Restore Point
90: 2008-01-30 20:48:44 UTC - RP1448 - Removed McAfee VirusScan Enterprise
89: 2008-01-30 00:38:43 UTC - RP1447 - System Checkpoint
88: 2008-01-28 23:52:49 UTC - RP1446 - Installed AVG 7.5
87: 2008-01-28 20:52:26 UTC - RP1445 - Configured Questionmark Secure Browser
-- First Restore Point --
1: 2007-11-02 10:02:35 UTC - RP1359 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-30 15:16:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\DSentry.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\MikeDowd.efg.000\Desktop\dss .exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D379CEA-2372-07AA-5767-5900BCC78891} - C:\WINDOWS\system32\qwnryzgs.dll (file missing)
O2 - BHO: (no name) - {7D6ECC49-42AA-4CB0-853B-0A0F365EBF46} - C:\WINDOWS\SYSTEM32\jkkjh.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\urqrqon.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PersonalWeb] "C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iacequct] C:\WINDOWS\?ppPatch\??rvices.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Open PersonalWeb - {03F0E28F-1C51-4a56-A8F1-E8BF15AF8346} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Add to My Sites - {1BD60387-6806-4897-8002-0B855DFEAEEA} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O15 - Trusted Zone: https://hanapps.hanover-co.com (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} () - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\Software\..\Telephony: DomainName = efg.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = efg.local
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\system32\avgwlntf.dll
O20 - Winlogon Notify: urqrqon - C:\WINDOWS\system32\urqrqon.dll (file missing)
O21 - SSODL: SysComponent - {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 10918 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 RDPCDDD - c:\windows\system32\drivers\rdpcddd.sys
R3 DNE (Deterministic Network Enhancer Miniport) - c:\windows\system32\drivers\dne2000.sys <Not Verified; Deterministic Networks, Inc.; >
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NaiAvFilter101 (NAI Anti Virus) - \device\naiavfilter101.sys (file missing)
S3 NaiAvFilter102 (NAI Anti Virus) - \device\naiavfilter102.sys (file missing)
S3 ProcObsrv (Process creation detector.) - c:\program files\questionmark\qs\procobsrv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-01-23 20:02:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2007-12-30 and 2008-01-30 -----------------------------
2008-01-29 15:32:05 4006 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-29 15:29:36 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-29 15:29:36 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-01-29 15:29:36 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-01-29 15:29:35 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-01-29 15:29:35 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-01-29 15:29:35 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-29 15:29:20 0 d-------- C:\SmitfraudFix
2008-01-29 14:58:40 0 d-------- C:\Hijack This
2008-01-28 18:00:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 17:53:55 0 d-------- C:\Documents and Settings\MikeDowd.efg.000\Application Data\AVG7
2008-01-28 17:53:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 14:29:11 427021 --ahs---- C:\WINDOWS\system32\hjkkj.ini2
2008-01-28 14:29:01 334336 --a------ C:\WINDOWS\system32\jkkjh.dll
2008-01-28 14:27:40 0 d-------- C:\Program Files\Dot1XCfg
2008-01-28 14:27:20 0 d-------- C:\Program Files\Temporary
2008-01-28 14:24:22 0 d-------- C:\Program Files\Outerinfo
2008-01-28 14:24:21 0 d-------- C:\WINDOWS\?ppPatch
2008-01-28 14:23:58 0 d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2008-01-28 14:23:52 0 d--hs---- C:\WINDOWS\TWlrZURvd2Qx
2008-01-28 14:23:35 86016 --a------ C:\WINDOWS\system32\drivers\RDPCDDD.sys
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\wnis6
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\nip4
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\ets1
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\comg9
2008-01-28 14:23:11 0 d-------- C:\WINDOWS\?asks
2008-01-28 14:23:08 0 d-------- C:\WINDOWS\system32\nGpxx01
2008-01-28 14:23:07 0 d-------- C:\Temp
2008-01-17 16:15:41 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-01-17 16:00:41 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-17 16:00:37 0 d-------- C:\WINDOWS\aod
2008-01-17 16:00:35 0 d-------- C:\Program Files\aod
2008-01-14 09:17:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-14 09:14:04 0 d-------- C:\Documents and Settings\LocalService\Desktop
-- Find3M Report ---------------------------------------------------------------
2008-01-30 14:54:34 0 d-------- C:\Program Files\Network Associates
2008-01-29 11:26:15 0 d-------- C:\Program Files\Common Files
2008-01-28 15:34:24 0 d-------- C:\Program Files\Google
2008-01-28 15:31:40 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-28 14:52:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-17 16:03:09 0 d-------- C:\Documents and Settings\MikeDowd.efg.000\Application Data\Real
2008-01-17 16:00:42 723 --a------ C:\Program Files\INSTALL.LOG
2008-01-17 16:00:33 0 d-------- C:\Program Files\Common Files\Real
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D379CEA-2372-07AA-5767-5900BCC78891}]
C:\WINDOWS\system32\qwnryzgs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D6ECC49-42AA-4CB0-853B-0A0F365EBF46}]
01/28/2008 02:29 PM 334336 --a------ C:\WINDOWS\system32\jkkjh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
C:\WINDOWS\system32\urqrqon.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D35980CB-66DF-477B-BF63-64EB8F48CB3A}]
08/07/2006 08:43 AM 615936 --a------ C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 01:01 AM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 10:27 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03/25/2004 07:00 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 08:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 08:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 08:36 AM]
"PersonalWeb"="C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe" [08/07/2006 08:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 04:45 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/17/2008 04:00 PM]
"lsass"="C:\WINDOWS\lsass.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/28/2008 05:53 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Iacequct"="C:\WINDOWS\?ppPatch\??rvices.exe" []
C:\Documents and Settings\MikeDowd.efg.000\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]
PowerReg Scheduler V3.exe [6/7/2004 3:59:35 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [4/28/2004 12:34:08 PM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
PDF-Capture.lnk - C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe [6/21/2004 12:12:24 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [10/22/2004 2:47:02 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [3/30/2004 10:34:55 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\urqrqon.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysComponent"= {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 01/28/2008 05:53 PM 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 04:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqon]
urqrqon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjh
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
-- End of Deckard's System Scanner: finished at 2008-01-30 15:17:46 ------------
30th January 2008
#4
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Extra Logfile
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 509.98 MiB / 186.5 MiB
Pagefile Memory (total/avail): 1246.59 MiB / 874.01 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.2 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 74.47 GiB total, 51.46 GiB free.
D: is CDROM (No Media)
G: is Network (Unformatted)
H: is Network (Unformatted)
I: is Network (Unformatted)
J: is Network (Unformatted)
L: is Network (Unformatted)
M: is Network (Unformatted)
Y: is Network (Unformatted)
Z: is Network (Unformatted)
\\.\PHYSICALDRIVE0 - IC35L090AVV207-0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FW: AVG Firewall 7.5.500 v7.5.500 (@Company_Name)
AV: AVG 7.5.516 v7.5.516 (Grisoft)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\trueplay.exe"="C:\\Program Files\\Real\\RealPlayer\\trueplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\STC\\QA_07_05\\wwwroot\\cbt.exe"="C:\\Program Files\\STC\\QA_07_05\\wwwroot\\cbt.exe:*:Enabled:Local Web Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mike.efg.000\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MXD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mike.efg.000
JAVA_PLUGIN_WEBCONTROL_ENABLE=1
LOGONSERVER=\\EFG-SRV-1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Express\ESP402\;C:\Express\EOWIN402\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MIKEDO~1.000\LOCALS~1\Temp
TMP=C:\DOCUME~1\MIKEDO~1.000\LOCALS~1\Temp
USERDNSDOMAIN=EFG.LOCAL
USERDOMAIN=efg
USERNAME=mike
USERPROFILE=C:\Documents and Settings\mike.efg.000
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
mike.efg (admin)
mike.efg.000 (admin)
administrator.efg (admin)
mike (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{410438A3-B591-4028-B70A-3CC0B33FBCD1}\Setup.exe" -l0x9 -L0x9anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACT! --> C:\WINDOWS\IsUninstAct.exe -f"C:\Program Files\Symantec\ACT\Uninst6.isu" -c"C:\Program Files\Symantec\ACT\UNINSTAL.DLL"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Ancestral Quest 11 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A54ED9AE-5677-4B05-9C7F-F0B1C78FB1F7}
Ancestral Quest 11 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A54ED9AE-5677-4B05-9C7F-F0B1C78FB1F7}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Burlington Tax Extract --> C:\PROGRA~1\TAXEXT~1\UNWISE.EXE C:\PROGRA~1\TAXEXT~1\INSTALL.LOG
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Express Options --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{39A2AF0D-F623-41CD-AB40-36A8E196AC26}
Express Stock Purchase --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{0117156A-1AEE-46B6-BCCC-3DF7723E997A}
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
HijackThis 2.0.0 --> "C:\Hijack This\HijackThis.exe" /uninstall
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI \VEN_8086&DEV_2572
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
LiveUpdate --> C:\Program Files\Symantec\LiveUpdate\Uninst.exe -u
MetaFrame Presentation Server Client --> MsiExec.exe /I{2C42ED1E-6315-4E63-89E6-057EA114EBB8}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\80\Tools\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\80\Tools\sqlsun.dll" -msql.mif
NETGEAR Print Server Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FirstGear for Print Server\Uninst.isu"
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-5) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}\Setup.exe" -uninst
PDF-XChange 2.5 Driver Install --> C:\Program Files\PDF-XChange SDK EndUser\uninstx.exe C:\Program Files\PDF-XChange SDK EndUser\PDF-XChange & Tools SDK's.log
PersonalWeb --> C:\Program Files\Claria\PersonalWeb\PWUninstall.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickBooks Pro 2005 --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2005" ADDREMOVE=1
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\setup.exe" -l0x9 -L0x9 /SMAINT
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
STC Series 66 Q&&A Final Exam v2.6.9 --> C:\PROGRA~1\STC\ILQA_6~1\UNWISE.EXE C:\PROGRA~1\STC\ILQA_6~1\INSTALL.LOG
STC Series 7 Q and A Final 2006 --> C:\PROGRA~1\STC\QA_07_05\UNWISE.EXE C:\PROGRA~1\STC\QA_07_05\INSTALL.LOG
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
WebEx --> C:\PROGRA~1\WebEx\atcliun.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
-- Application Event Log -------------------------------------------------------
Event Record #/Type25132 / Error
Event Submitted/Written: 01/30/2008 02:54:09 PM / 01/30/2008 02:54:10 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-01-30 20:54:09,562 MXD [001488:001752] ERROR 000 AVG7.CORE CreateFile(pipe) failed, err=121
Event Record #/Type25131 / Error
Event Submitted/Written: 01/30/2008 02:53:37 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.
Event Record #/Type25130 / Error
Event Submitted/Written: 01/30/2008 02:52:47 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
Event Record #/Type25129 / Error
Event Submitted/Written: 01/30/2008 02:52:32 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
Event Record #/Type25119 / Error
Event Submitted/Written: 01/30/2008 09:51:51 AM / 01/30/2008 09:51:52 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-01-30 15:51:51,656 MXD [001488:001704] ERROR 000 AVG7.CORE CreateFile(pipe) failed, err=231
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type60108 / Error
Event Submitted/Written: 01/30/2008 03:07:49 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.
Event Record #/Type60107 / Warning
Event Submitted/Written: 01/30/2008 03:07:49 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.
Event Record #/Type60106 / Warning
Event Submitted/Written: 01/30/2008 03:07:46 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:
Adapter Name : {78B176DA-FED7-44C7-AF96-16296DE68F78}
Host Name : MXD
Primary Domain Suffix : efg.local
DNS server list :
66.80.130.23, 66.80.131.5
Sent update to server : <?>
IP Address(es) :
192.168.1.84
The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.
To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.
Event Record #/Type60086 / Error
Event Submitted/Written: 01/30/2008 02:52:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.
Event Record #/Type60085 / Warning
Event Submitted/Written: 01/30/2008 02:52:51 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.
-- End of Deckard's System Scanner: finished at 2008-01-30 15:17:46 ------------
30th January 2008
#5
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Main logfile from DSS
Blender: Thanks for your help. I tried to post a reply with this file but it doesn't appear to have posted. Here is another try:
Deckard's System Scanner v20071014.68
Run by mike on 2008-01-30 15:12:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
91: 2008-01-30 21:12:56 UTC - RP1449 - Deckard's System Scanner Restore Point
90: 2008-01-30 20:48:44 UTC - RP1448 - Removed McAfee VirusScan Enterprise
89: 2008-01-30 00:38:43 UTC - RP1447 - System Checkpoint
88: 2008-01-28 23:52:49 UTC - RP1446 - Installed AVG 7.5
87: 2008-01-28 20:52:26 UTC - RP1445 - Configured Questionmark Secure Browser
-- First Restore Point --
1: 2007-11-02 10:02:35 UTC - RP1359 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-30 15:16:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\WINDOWS\SYSTEM32\DSentry.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\mike.efg.000\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: (no name) - {6D379CEA-2372-07AA-5767-5900BCC78891} - C:\WINDOWS\system32\qwnryzgs.dll (file missing)
O2 - BHO: (no name) - {7D6ECC49-42AA-4CB0-853B-0A0F365EBF46} - C:\WINDOWS\SYSTEM32\jkkjh.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\urqrqon.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PersonalWeb] "C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iacequct] C:\WINDOWS\?ppPatch\??rvices.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Open PersonalWeb - {03F0E28F-1C51-4a56-A8F1-E8BF15AF8346} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Add to My Sites - {1BD60387-6806-4897-8002-0B855DFEAEEA} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\nwprovau.dll
O15 - Trusted Zone: https://hanapps.hanover-co.com (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} () - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\Software\..\Telephony: DomainName = efg.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = efg.local
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\system32\avgwlntf.dll
O20 - Winlogon Notify: urqrqon - C:\WINDOWS\system32\urqrqon.dll (file missing)
O21 - SSODL: SysComponent - {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 10918 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 RDPCDDD - c:\windows\system32\drivers\rdpcddd.sys
R3 DNE (Deterministic Network Enhancer Miniport) - c:\windows\system32\drivers\dne2000.sys <Not Verified; Deterministic Networks, Inc.; >
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NaiAvFilter101 (NAI Anti Virus) - \device\naiavfilter101.sys (file missing)
S3 NaiAvFilter102 (NAI Anti Virus) - \device\naiavfilter102.sys (file missing)
S3 ProcObsrv (Process creation detector.) - c:\program files\questionmark\qs\procobsrv.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-01-23 20:02:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2007-12-30 and 2008-01-30 -----------------------------
2008-01-29 15:32:05 4006 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-29 15:29:36 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-29 15:29:36 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-01-29 15:29:36 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-01-29 15:29:35 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-01-29 15:29:35 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-01-29 15:29:35 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-29 15:29:20 0 d-------- C:\SmitfraudFix
2008-01-29 14:58:40 0 d-------- C:\Hijack This
2008-01-28 18:00:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 17:53:55 0 d-------- C:\Documents and Settings\mike.efg.000\Application Data\AVG7
2008-01-28 17:53:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 14:29:11 427021 --ahs---- C:\WINDOWS\system32\hjkkj.ini2
2008-01-28 14:29:01 334336 --a------ C:\WINDOWS\system32\jkkjh.dll
2008-01-28 14:27:40 0 d-------- C:\Program Files\Dot1XCfg
2008-01-28 14:27:20 0 d-------- C:\Program Files\Temporary
2008-01-28 14:24:22 0 d-------- C:\Program Files\Outerinfo
2008-01-28 14:24:21 0 d-------- C:\WINDOWS\?ppPatch
2008-01-28 14:23:58 0 d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2008-01-28 14:23:52 0 d--hs---- C:\WINDOWS\TWlrZURvd2Qx
2008-01-28 14:23:35 86016 --a------ C:\WINDOWS\system32\drivers\RDPCDDD.sys
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\wnis6
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\nip4
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\ets1
2008-01-28 14:23:30 0 d-------- C:\WINDOWS\system32\comg9
2008-01-28 14:23:11 0 d-------- C:\WINDOWS\?asks
2008-01-28 14:23:08 0 d-------- C:\WINDOWS\system32\nGpxx01
2008-01-28 14:23:07 0 d-------- C:\Temp
2008-01-17 16:15:41 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-01-17 16:00:41 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-17 16:00:37 0 d-------- C:\WINDOWS\aod
2008-01-17 16:00:35 0 d-------- C:\Program Files\aod
2008-01-14 09:17:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-14 09:14:04 0 d-------- C:\Documents and Settings\LocalService\Desktop
-- Find3M Report ---------------------------------------------------------------
2008-01-30 14:54:34 0 d-------- C:\Program Files\Network Associates
2008-01-29 11:26:15 0 d-------- C:\Program Files\Common Files
2008-01-28 15:34:24 0 d-------- C:\Program Files\Google
2008-01-28 15:31:40 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-28 14:52:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-17 16:03:09 0 d-------- C:\Documents and Settings\mike.efg.000\Application Data\Real
2008-01-17 16:00:42 723 --a------ C:\Program Files\INSTALL.LOG
2008-01-17 16:00:33 0 d-------- C:\Program Files\Common Files\Real
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D379CEA-2372-07AA-5767-5900BCC78891}]
C:\WINDOWS\system32\qwnryzgs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D6ECC49-42AA-4CB0-853B-0A0F365EBF46}]
01/28/2008 02:29 PM 334336 --a------ C:\WINDOWS\system32\jkkjh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
C:\WINDOWS\system32\urqrqon.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D35980CB-66DF-477B-BF63-64EB8F48CB3A}]
08/07/2006 08:43 AM 615936 --a------ C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 01:04 AM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 01:01 AM]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 10:27 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03/25/2004 07:00 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 08:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 08:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 08:36 AM]
"PersonalWeb"="C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe" [08/07/2006 08:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [01/12/2007 04:45 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/17/2008 04:00 PM]
"lsass"="C:\WINDOWS\lsass.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/28/2008 05:53 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Iacequct"="C:\WINDOWS\?ppPatch\??rvices.exe" []
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]
PowerReg Scheduler V3.exe [6/7/2004 3:59:35 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [4/28/2004 12:34:08 PM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
PDF-Capture.lnk - C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe [6/21/2004 12:12:24 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [10/22/2004 2:47:02 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [3/30/2004 10:34:55 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\urqrqon.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysComponent"= {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 01/28/2008 05:53 PM 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 01/12/2007 04:45 PM 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqon]
urqrqon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjh
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
-- End of Deckard's System Scanner: finished at 2008-01-30 15:17:46 ------------
30th January 2008
#6
Inactive
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
AVG Scanner Logfile
Here is the AVG scan you requested.
"General properties",""
"Report name","Complete Test"
"Start time","1/30/2008 8:13:23 AM"
"End time","1/30/2008 10:26:47 AM (total: 2:13:23.10 hrs)"
"Launch method","Scanning launched by scheduler"
"Scanning result","Threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","117092"
"Threats Found","55"
"Cleaned","0"
"Moved to vault","43"
"Deleted","12"
"Errors","0"
"Trojan.Small Family","Trojan.Small","Spyware Family"
"C:\Documents and Settings\mike.efg.000\Local Settings\Temporary Internet Files\Content.IE5\9WW391OX\_bm1fbWRfcmlke3JpZH1fcm9uM191c19lbl9tYTU_aHR0cA_bm1fNjg0NzRfZDc0MjY0NGFjZGUwMTFkYzkyMDVmNjg0NzRkZWZmZmZfODVkOTk5MzVmNDM4NGRlMjljYzI3MzY5OTI3ZjY2NDQ_[1].exe","","Deleted"
"C:\Documents and Settings\mike.efg.000\Local Settings\Temporary Internet Files\Content.IE5\G9M3WD6N\ptch[1]","","Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Local Settings\Temporary Internet Files\Content.IE5\G9M3WD6N\tr[1]","","Deleted"
"C:\Documents and Settings\mike.efg.000\Local Settings\Temporary Internet Files\Content.IE5\SXQ3WLIV\gamadril20071203[1]","","Deleted"
"C:\Documents and Settings\mike.efg.000\Local Settings\Temporary Internet Files\Content.IE5\SXQ3WLIV\hctp[1]","","Moved to Vault"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0164998.exe","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165001.exe","","Moved to Vault"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165002.exe","","Moved to Vault"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165003.vbs","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165004.dll","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165005.dll","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165006.exe","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165007.vbs","","Deleted"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165008.exe","","Deleted"
"C:\SmitfraudFix.exe:\SmitfraudFix\Reboot.exe","Potentially harmful program HackTool.BVR","Potentially Unwanted Program, Embedded object, Deleted"
"C:\Hijack This\SmitfraudFix.exe:\SmitfraudFix\Reboot.exe","Potentially harmful program HackTool.BVR","Potentially Unwanted Program, Embedded object, Deleted"
"Not-A-Virus.Adware.PurityScan Family","Not-A-Virus.Adware.PurityScan","Spyware Family"
"TrackingCookie.Yieldmanager Family","TrackingCookie.Yieldmanager","Spyware Family"
"TrackingCookie.Adbrite Family","TrackingCookie.Adbrite","Spyware Family"
"TrackingCookie.Adrevolver Family","TrackingCookie.Adrevolver","Spyware Family"
"TrackingCookie.Adengage Family","TrackingCookie.Adengage","Spyware Family"
"TrackingCookie.Pointroll Family","TrackingCookie.Pointroll","Spyware Family"
"TrackingCookie.Advertising Family","TrackingCookie.Advertising","Spyware Family"
"TrackingCookie.Tacoda Family","TrackingCookie.Tacoda","Spyware Family"
"TrackingCookie.Atdmt Family","TrackingCookie.Atdmt","Spyware Family"
"TrackingCookie.Serving-sys Family","TrackingCookie.Serving-sys","Spyware Family"
"TrackingCookie.Burstnet Family","TrackingCookie.Burstnet","Spyware Family"
"TrackingCookie.Casalemedia Family","TrackingCookie.Casalemedia","Spyware Family"
"TrackingCookie.Doubleclick Family","TrackingCookie.Doubleclick","Spyware Family"
"TrackingCookie.Fastclick Family","TrackingCookie.Fastclick","Spyware Family"
"TrackingCookie.Findwhat Family","TrackingCookie.Findwhat","Spyware Family"
"TrackingCookie.2o7 Family","TrackingCookie.2o7","Spyware Family"
"TrackingCookie.Mediaplex Family","TrackingCookie.Mediaplex","Spyware Family"
"TrackingCookie.Questionmarket Family","TrackingCookie.Questionmarket","Spyware Family"
"TrackingCookie.Realmedia Family","TrackingCookie.Realmedia","Spyware Family"
"TrackingCookie.Revenue Family","TrackingCookie.Revenue","Spyware Family"
"TrackingCookie.Revsci Family","TrackingCookie.Revsci","Spyware Family"
"TrackingCookie.Information Family","TrackingCookie.Information","Spyware Family"
"TrackingCookie.Netflame Family","TrackingCookie.Netflame","Spyware Family"
"TrackingCookie.Tradedoubler Family","TrackingCookie.Tradedoubler","Spyware Family"
"TrackingCookie.Trafficmp Family","TrackingCookie.Trafficmp","Spyware Family"
"TrackingCookie.Tribalfusion Family","TrackingCookie.Tribalfusion","Spyware Family"
"TrackingCookie.Abcsearch Family","TrackingCookie.Abcsearch","Spyware Family"
"TrackingCookie.Burstbeacon Family","TrackingCookie.Burstbeacon","Spyware Family"
"TrackingCookie.Zedo Family","TrackingCookie.Zedo","Spyware Family"
"C:\SmitfraudFix.exe","","Potentially Unwanted Program, Moved to Vault, Archive"
"C:\Hijack This\SmitfraudFix.exe","","Potentially Unwanted Program, Moved to Vault, Archive"
"C:\SmitfraudFix\Reboot.exe","","Potentially Unwanted Program, Moved to Vault"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0164999.exe","","Potentially Unwanted Program, Moved to Vault"
"C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1446\A0165000.dll","","Potentially Unwanted Program, Moved to Vault"
"C:\WINDOWS\SYSTEM32\qwnryzgs.dll","","Potentially Unwanted Program, Deleted"
"C:\WINDOWS\?ppPatch\??rvices.exe","","Potentially Unwanted Program, Deleted"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@ad.yieldmanager[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@adbrite[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@adrevolver[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@ads.adbrite[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@ads.adengage[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@ads.pointroll[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@advertising[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@anad.tacoda[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@atdmt[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@bs.serving-sys[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@burstnet[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@casalemedia[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@doubleclick[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@fastclick[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@findwhat[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@heavycom.122.2o7[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@media.adrevolver[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@mediaplex[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@msnportal.112.2o7[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@questionmarket[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@realmedia[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@revenue[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@revsci[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@searchportal.information[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@serving-sys[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@ssl-hints.netflame[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@tradedoubler[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@trafficmp[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@tribalfusion[2].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@www.abcsearch[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@www.burstbeacon[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@www.burstnet[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@yieldmanager[1].txt","","Potentially Unwanted Program, Moved to Vault"
"C:\Documents and Settings\mike.efg.000\Cookies\mike@zedo[2].txt","","Potentially Unwanted Program, Moved to Vault"
30th January 2008
#7
Staff
Join Date: May 2002
Location: Staffordshire, UK
Posts: 21,685
Computer Experience: Usually not enough
mikeredbank
Quote:
I tried to post a reply with this file but it doesn't appear to have posted.
As you are a new member here with fewer than 10 posts, every post you make which includes a URL will be sent to the Moderating queue for a Moderator to approve. Until the post has been approved you will not see it.
31st January 2008
#8
Senior Member
Join Date: Jan 2007
Location: Ontario
Posts: 355
Computer Experience: Where's the any key?
Hey Mike,
Ok ..
As for your McAfee, it does look as if some of it was uninstalled.
If you have trouble removing the rest, let me know what version it was and I'll see about rounding up a cleanup tool for it.
I want to nail this junk-fest fairly quick because I'm afraid of this Vundo updating to a nastier one.
Please carefully follow instructions at this site for downloading/using Combofix.
http://www.bleepingcomputer.com/comb...o-use-combofix
Please don't skip the Recovery Console step.
Once you get the combofix.txt log posted in reply here, we'll see what is left to clean up.
If you run into any errors/issues, please be as accurate as possible describing the problem.
Thanks
31st January 2008
#9
Inactive
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Combo fix Log
Hi Blender, here is the txt log....
ComboFix 08-01-31.1 - mike 2008-01-30 18:01:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.187 [GMT -6:00]
Running from: C:\Documents and Settings\mike.efg.000\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jkkjh.dll
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Outerinfo
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asks~1
C:\WINDOWS\asks~1\?asks\
C:\WINDOWS\pppatc~1
C:\WINDOWS\pppatc~1\??rvices.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\SYSTEM32\hjkkj.ini
C:\WINDOWS\SYSTEM32\hjkkj.ini2
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\nm
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.
2008-01-30 18:11 . 2008-01-30 18:11 <DIR> d-------- C:\Temp\tn3
2008-01-30 17:57 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-30 17:57 . 2004-09-07 07:39 211 --a------ C:\Boot.bak
2008-01-30 15:12 . 2008-01-30 15:12 <DIR> d-------- C:\Deckard
2008-01-29 15:32 . 2008-01-29 15:32 4,006 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-29 15:29 . 2008-01-30 10:26 <DIR> d-------- C:\SmitfraudFix
2008-01-29 15:29 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-29 15:29 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-29 15:29 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-29 15:29 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-29 15:29 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-29 15:29 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-29 14:58 . 2008-01-30 15:25 <DIR> d-------- C:\Hijack This
2008-01-28 18:00 . 2008-01-28 18:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 17:53 . 2008-01-30 08:13 <DIR> d-------- C:\Documents and Settings\mike.efg.000\Application Data\AVG7
2008-01-28 17:53 . 2008-01-28 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:53 . 2008-01-28 17:53 110,592 --a------ C:\WINDOWS\SYSTEM32\avgfwafu.dll
2008-01-28 17:53 . 2008-01-28 17:53 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2008-01-28 14:27 . 2008-01-28 15:31 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-28 14:23 . 2008-01-29 11:26 <DIR> d--hs---- C:\WINDOWS\TWlrZURvd2Qx
2008-01-28 14:23 . 2008-01-28 15:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\wnis6
2008-01-28 14:23 . 2008-01-28 15:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\nip4
2008-01-28 14:23 . 2008-01-29 11:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-28 14:23 . 2008-01-28 14:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\ets1
2008-01-28 14:23 . 2008-01-28 15:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\comg9
2008-01-28 14:23 . 2008-01-28 14:23 <DIR> d-------- C:\Temp\gTiis19
2008-01-28 14:23 . 2008-01-28 14:23 <DIR> d-------- C:\Temp\cXzz9
2008-01-28 14:23 . 2008-01-30 18:11 <DIR> d-------- C:\Temp
2008-01-28 14:23 . 2008-01-28 14:23 167,545 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-28 14:23 . 2008-01-28 14:23 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RDPCDDD.sys
2008-01-17 16:15 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\WINDOWS\aod
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\Program Files\aod
2008-01-14 09:17 . 2008-01-29 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-28 08:09 . 2008-01-03 15:17 <DIR> d-------- C:\Lee
2007-12-27 18:26 . 2007-12-27 18:38 <DIR> d-------- C:\Todd
2007-12-04 14:20 . 2007-12-04 14:21 26,755 --a------ C:\p1281.pdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 00:11 --------- d-----w C:\Program Files\Network Associates
2008-01-30 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-01-28 21:34 --------- d-----w C:\Program Files\Google
2008-01-28 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 22:00 723 ----a-w C:\Program Files\INSTALL.LOG
2008-01-17 22:00 --------- d-----w C:\Program Files\Common Files\Real
2007-03-15 19:13 722,176 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_428.exe
2006-08-10 13:01 483,401 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_314.exe
2006-08-10 13:00 563,712 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_370.exe
2006-06-12 13:08 3,167,744 ----a-w C:\Documents and Settings\mike.efg.000\gosetup.exe
2006-02-05 15:04 563,712 ----a-w C:\Documents and Settings\mike.efg.000\370_gotomypc.exe
2005-09-27 15:29 483,401 ----a-w C:\Documents and Settings\mike.efg.000\314_gotomypc.exe
2005-08-23 00:20 462,919 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc.exe
2005-03-10 22:15 28,672 ----a-w C:\Documents and Settings\mike.efg.000\atwbxdet.dll
2004-05-25 15:49 454,656 ----a-w C:\Documents and Settings\mike.efg.000\chatlnk.exe
2004-05-14 02:34 462,919 ----a-w C:\Documents and Settings\mike.efg\gotomypc.exe
2004-04-26 17:05 462,919 ----a-w C:\Documents and Settings\mike\gotomypc.exe
2004-03-23 23:52 2,142,279 ----a-w C:\Documents and Settings\mike\gosetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D379CEA-2372-07AA-5767-5900BCC78891}]
C:\WINDOWS\system32\qwnryzgs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D35980CB-66DF-477B-BF63-64EB8F48CB3A}]
2006-08-07 08:43 615936 --a------ C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Iacequct"="C:\WINDOWS\?ppPatch\??rvices.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"PersonalWeb"="C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe" [2006-08-07 08:43 1279488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 16:45 249904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-17 16:00 151597]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-28 17:53 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-28 17:53 219136]
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-06-07 15:59:35 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2004-04-28 12:34:08 1269836]
PDF-Capture.lnk - C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe [2004-06-21 12:12:24 61440]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 02:47:02 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-03-30 10:34:55 118784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysComponent"= {8eac7861-0efc-47ab-a396-c85fc04cc75f} - C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}\SysComponent.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-28 17:53 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 16:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqon]
urqrqon.dll
R1 RDPCDDD;RDPCDDD;C:\WINDOWS\system32\drivers\RDPCDDD.sys [2008-01-28 14:23]
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-10-28 17:02]
S3 ProcObsrv;Process creation detector.;C:\Program Files\Questionmark\QS\ProcObsrv.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 02:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 18:11:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Completion time: 2008-01-30 18:17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 00:17:36
.
2008-01-10 09:06:17 --- E O F ---
1st February 2008
#10
Senior Member
Join Date: Jan 2007
Location: Ontario
Posts: 355
Computer Experience: Where's the any key?
Hi,
Thanks for the log.
Looking much better but still work to do.
Copy the following text to a new Notepad file.
Save it with the file name CFScript.txt.
Save it to the desktop. It must be on the desktop to work.
Code:
Driver::
RDPCDDD
Folder::
C:\Temp\tn3
C:\Program Files\Dot1XCfg
C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}
C:\WINDOWS\TWlrZURvd2Qx
C:\WINDOWS\SYSTEM32\wnis6
C:\WINDOWS\SYSTEM32\nip4
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\ets1
C:\WINDOWS\SYSTEM32\comg9
C:\Temp\gTiis19
C:\Temp\cXzz9
File::
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\system32\drivers\RDPCDDD.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D379CEA-2372-07AA-5767-5900BCC78891}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iacequct"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysComponent"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqrqon]
Once you get it saved, close all running applications, including antivirus/antispyware programs.
Drag CFScript on top of ComboFix.exe, then drop it.
Like this:
http://i100.photobucket.com/albums/m...i/CFScript.gif
Combofix should start --
Follow its prompts and post the log when it completes.
C:\combofix.txt
*note*
Do not click on the ComboFix window while it's running or it will stall.
Please also post a fresh HijackThis log.
Thanks
1st February 2008
#11
Inactive
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
Combo Fix Log files
ComboFix 08-01-31.1 - mike 2008-01-31 18:01:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.275 [GMT -6:00]
Running from: C:\Documents and Settings\mike.efg.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mike.efg.000\Desktop\cfscript.txt
* Created a new restore point
FILE
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
C:\WINDOWS\system32\drivers\RDPCDDD.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\RDPCDDD.sys
C:\Program Files\Dot1XCfg
C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\Installer\{8eac7861-0efc-47ab-a396-c85fc04cc75f}
C:\WINDOWS\SYSTEM32\comg9
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\RDPCDDD.sys
C:\WINDOWS\SYSTEM32\ets1
C:\WINDOWS\SYSTEM32\ets1\ovstadcom2.exe
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\nip4
C:\WINDOWS\SYSTEM32\wnis6
C:\WINDOWS\TWlrZURvd2Qx
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_RDPCDDD
-------\RDPCDDD
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-30 17:57 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-30 17:57 . 2004-09-07 07:39 211 --a------ C:\Boot.bak
2008-01-30 15:12 . 2008-01-30 15:12 <DIR> d-------- C:\Deckard
2008-01-29 15:32 . 2008-01-29 15:32 4,006 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-29 15:29 . 2008-01-30 10:26 <DIR> d-------- C:\SmitfraudFix
2008-01-29 15:29 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-29 15:29 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-29 15:29 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-29 15:29 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-29 15:29 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-29 15:29 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-29 14:58 . 2008-01-30 15:25 <DIR> d-------- C:\Hijack This
2008-01-28 18:00 . 2008-01-28 18:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 17:53 . 2008-01-31 08:00 <DIR> d-------- C:\Documents and Settings\mike.efg.000\Application Data\AVG7
2008-01-28 17:53 . 2008-01-28 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 17:53 . 2008-01-28 17:53 110,592 --a------ C:\WINDOWS\SYSTEM32\avgfwafu.dll
2008-01-28 17:53 . 2008-01-28 17:53 9,216 --a------ C:\WINDOWS\SYSTEM32\avgwlntf.dll
2008-01-28 14:23 . 2008-01-31 18:05 <DIR> d-------- C:\Temp
2008-01-17 16:15 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\WINDOWS\aod
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-17 16:00 . 2008-01-17 16:00 <DIR> d-------- C:\Program Files\aod
2008-01-14 09:17 . 2008-01-29 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 00:11 --------- d-----w C:\Program Files\Network Associates
2008-01-30 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-01-28 21:34 --------- d-----w C:\Program Files\Google
2008-01-28 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 22:00 723 ----a-w C:\Program Files\INSTALL.LOG
2008-01-17 22:00 --------- d-----w C:\Program Files\Common Files\Real
2007-03-15 19:13 722,176 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_428.exe
2006-08-10 13:01 483,401 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_314.exe
2006-08-10 13:00 563,712 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc_370.exe
2006-06-12 13:08 3,167,744 ----a-w C:\Documents and Settings\mike.efg.000\gosetup.exe
2006-02-05 15:04 563,712 ----a-w C:\Documents and Settings\mike.efg.000\370_gotomypc.exe
2005-09-27 15:29 483,401 ----a-w C:\Documents and Settings\mike.efg.000\314_gotomypc.exe
2005-08-23 00:20 462,919 ----a-w C:\Documents and Settings\mike.efg.000\gotomypc.exe
2005-03-10 22:15 28,672 ----a-w C:\Documents and Settings\mike.efg.000\atwbxdet.dll
2004-05-25 15:49 454,656 ----a-w C:\Documents and Settings\mike.efg.000\chatlnk.exe
2004-05-14 02:34 462,919 ----a-w C:\Documents and Settings\mike.efg\gotomypc.exe
2004-04-26 17:05 462,919 ----a-w C:\Documents and Settings\mike\gotomypc.exe
2004-03-23 23:52 2,142,279 ----a-w C:\Documents and Settings\mike\gosetup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D35980CB-66DF-477B-BF63-64EB8F48CB3A}]
2006-08-07 08:43 615936 --a------ C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36 114688]
"PersonalWeb"="C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe" [2006-08-07 08:43 1279488]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 16:45 249904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-17 16:00 151597]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-28 17:53 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-28 17:53 219136]
C:\Documents and Settings\mike.efg.000\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-06-07 15:59:35 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe [2004-04-28 12:34:08 1269836]
PDF-Capture.lnk - C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe [2004-06-21 12:12:24 61440]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 02:47:02 806912]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-03-30 10:34:55 118784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-28 17:53 9216 C:\WINDOWS\SYSTEM32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 16:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
R2 CVPNDRV;Cisco Systems IPsec Driver;C:\WINDOWS\System32\Drivers\CVPNDRV.sys [2002-10-28 17:02]
S3 ProcObsrv;Process creation detector.;C:\Program Files\Questionmark\QS\ProcObsrv.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 02:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 18:09:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Completion time: 2008-01-31 18:14:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 00:14:21
ComboFix2.txt 2008-01-31 00:17:41
.
2008-01-10 09:06:17 --- E O F ---
1st February 2008
#12
Inactive
Profile:
Join Date: Jan 2008
Posts: 8
Computer Experience: Intermediate
HJT Log file
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:23, on 2008-01-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijack This\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PersonalWebBHO - {D35980CB-66DF-477B-BF63-64EB8F48CB3A} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PersonalWeb] "C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Open PersonalWeb - {03F0E28F-1C51-4a56-A8F1-E8BF15AF8346} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Add to My Sites - {1BD60387-6806-4897-8002-0B855DFEAEEA} - C:\Program Files\Claria\PersonalWeb\PersonalWebIE_v1310.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\Software\..\Telephony: DomainName = efg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = efg.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{78B176DA-FED7-44C7-AF96-16296DE68F78}: NameServer = 66.80.130.23,66.80.131.5
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 8465 bytes
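The helper's next reply picks out the same kinds of lines from this log by eye: entries marked "(file missing)", the unrecognised Winsock LSP (O10) and services with an unknown owner (O23). The following parser is an added example, not code posted by anyone in this thread; it splits HijackThis v2 lines of the form shown above into section, hive, name, vendor and path, and returns the entries a reviewer would want to look at first. The sample lines are copied from the log format used in this thread; the flag wording is the example's own.

```python
"""Triage of HijackThis (HJT) v2 log lines: parse each O/R line into a record
and flag the entries a malware-removal helper checks first.  Added example,
not part of the forum thread; SAMPLE_LOG is a constructed excerpt in the
line format shown in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v2 format shown above (raw string, so the
# Windows backslashes are literal).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# "O4 - <body>", "R1 - <body>" and so on.
LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O4 run-key entries: "<hive>: [<name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
# O23 services: "Service: <display> (<short>) - <vendor> - <path>"
O23_RE = re.compile(
    r"^Service: (?P<display>.+) \((?P<short>[^()]+)\) - (?P<vendor>.+?) - (?P<path>.*)$"
)


@dataclass
class Entry:
    section: str
    body: str
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an HJT line, or None for headers and process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["section"], m["body"])
    sub = {"O4": O4_RE, "O23": O23_RE}.get(entry.section)
    if sub:
        sm = sub.match(entry.body)
        if sm:
            entry.fields = sm.groupdict()
    return entry


def flag(entry):
    """Attach review reasons; an entry with no reasons is left alone."""
    if "(file missing)" in entry.body:
        entry.flags.append("file missing: dangling entry, typically left by an uninstalled product")
    if entry.section == "O10":
        entry.flags.append("Winsock LSP not recognised: identify the DLL before changing it, "
                           "removing an LSP carelessly breaks networking")
    if entry.section == "O23" and entry.fields.get("vendor") == "Unknown owner":
        entry.flags.append("service binary has no recognised owner")
    return entry


def triage(log_text):
    """Parse a whole HJT log and return only the flagged entries, in log order."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = [flag(e) for e in entries]
    return [e for e in flagged if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.section, e.fields.get("short") or e.fields.get("name") or e.body)
        for reason in e.flags:
            print("   -", reason)
```

Run on the sample, the three flagged entries are the missing msjava.dll button (O9), the unrecognised LSP (O10) and the McAfee framework service (O23), which carries two reasons; the AVG entries pass through unflagged. Parsed fields only exist for sections the parser has a sub-pattern for (O4 and O23 here); everything else keeps its raw body, which is enough for the substring checks.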
1st February 2008
#13
Senior Member
Profile:
Join Date: Jan 2007
Location: Ontario
Posts: 355
Computer Experience: Where's the any key?
Hi,
That sure looks better.
How is the machine running?
I still see some McAfee leftovers.
Let's get rid of those so they don't cause issues.
Please follow step 1 & 2 on this page to remove McAfee products:
http://service.mcafee.com/FAQDocumen...107083&lc=4105
Let me know if any issues arise out of that.
---------------
One application you have installed -- you might want to review the privacy policy for. You may wish to uninstall the program.
It seems they do a fair bit of tracking...
Info:
http://www.bleepingcomputer.com/star...exe-16996.html
Once done with McAfee, and regardless of whether or not you uninstalled PersonalWeb, please post a fresh HijackThis log.
I need you to update it first though please.
Uninstall the current version of HijackThis.
Install this version:
Download HijackThis from either of these sites:
http://hijack1.trend-braintree.com/h...HJTInstall.exe
http://download.bleepingcomputer.com...HJTInstall.exe
http://www.trendsecure.com/portal/en...HJTinstall.exe
Save the setup file on your desktop
Double click on it and by default it should install to C:\Program Files\Trend Micro\HijackThis
Continue through the setup and have it create a desktop icon for you
Follow all the prompts, click Finish, and have it start HijackThis
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Go to Edit, Select All and then Edit, Paste to paste the contents of the log here
Make sure you DO NOT fix anything with Hijack This yet. Most of the things in the log are normal or required.
Thanks