9 replies to this topic

[Canada Rob]

Hello,

A few days ago, my mcafee kept popping up saying that it had removed a generic rootkit w trojan which eventually crashed my windows (now working). Below are my malware and hijackthis logs. I'm still getting the pop up, but not as often. Let me know what I should do next. Thanks!

Malwarebytes' Anti-Malware 1.36
Database version: 2036
Windows 5.1.2600 Service Pack 2

4/25/2009 8:40:03 AM
mbam-log-2009-04-25 (08-40-03).txt

Scan type: Quick Scan
Objects scanned: 99504
Time elapsed: 39 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati64si (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\BN4C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN50.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN54.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN58.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN65.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\BN69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:53 AM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\WINDOWS\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\update\update.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\Owner\.exe /i
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ieso.ca
O15 - Trusted Zone: http://peelapps.peelschools.org
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...95/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.11.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{C791800A-86E0-46D5-918D-62A88E992CEA}: NameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41CE48D-E5AC-4AEB-B14A-15ED136D5767}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41CE48D-E5AC-4AEB-B14A-15ED136D5767}: NameServer = 192.168.2.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 10842 bytes

[Maurice Naggar]

Hello,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a lurker, do NOT try this on your system!

If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O4 - HKCU\..\Run: [Owner] C:\Documents and Settings\Owner\Owner.exe /i

O4 - HKCU\..\Run: [] C:\Documents and Settings\Owner\.exe /i

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!
=

Download and save to your Dekstop: PrevX CSI: http://www.prevx.com/freescan.asp

Run Prevx CSI.
If it wants to reboot when finished, do so.
=

Download RootRepeal:
http://rootrepeal.go.../RootRepeal.zip

• Extract the archive to a folder you create such as C:\RootRepeal
  
• Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
  
• Click the "File" tab (located at the bottom of the RootRepeal screen)
  
• Click the "Scan" button
  
• In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  
• Click OK and the file scan will begin
  
• When the scan is done, there will be files listed, but most if not all of them will be legitimate
  
• Click the "Save Report" Button
  
• Save the log file to your Documents folder
  
• Post the content of the RootRepeal file scan log in your next reply.

Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

• When done, DDS will open two (2) logs:
  • DDS.txt
    
  • Attach.txt
• Save both reports to your desktop.

Please include copies of the following logs in your next reply:
RootRepeal file scan log
DDS.txt
Attach.txt

[Canada Rob]

Thanks very much, I ran all the scans. Here are the three logs. Let me know what's next. FYI that I still get the rootkit popping up.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 21:40:14.26 on Sat 04/25/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.144 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
AV: Prevx 3.0 *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.ca/
uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar =
mSearch Bar =
uSearchAssistant =
uCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_16\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [IPInSightLAN 01] "c:\program files\visual networks\visual ip insight\sympatico consumer\IPClient.exe" -l
mRun: [IPInSightMonitor 01] "c:\program files\visual networks\visual ip insight\sympatico consumer\IPMon32.exe"
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [ViewMgr] "c:\program files\viewpoint\viewpoint manager\ViewMgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [PDUiP6700DMon] c:\program files\canon\memory card utility\ip6700d\PDUiP6700DMon.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_16\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_16\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: ieso.ca
Trusted Zone: peelschools.org\peelapps
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,95/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://costco.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://costco.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
TCP: {C791800A-86E0-46D5-918D-62A88E992CEA} = 207.164.234.193 207.164.234.129
TCP: {F41CE48D-E5AC-4AEB-B14A-15ED136D5767} = 192.168.2.1
Handler: crick - {B861500A-A326-11d3-A248-0080C8F7DE1E} - c:\windows\system32\CrickPro.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-4-25 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-4-25 27656]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-14 214024]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-4-25 4368440]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-12-14 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-14 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-14 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-14 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-14 40552]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 ksi32sk;ksi32sk;\??\c:\windows\system32\drivers\ksi32sk.sys --> c:\windows\system32\drivers\ksi32sk.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-14 34216]

=============== Created Last 30 ================

2009-04-25 21:34 <DIR> --d----- C:\rootrepeal
2009-04-25 21:24 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-04-25 21:24 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-04-25 21:24 <DIR> --d----- c:\program files\Prevx
2009-04-25 21:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-04-25 07:12 <DIR> --d----- c:\program files\Trend Micro
2009-04-24 19:29 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-04-24 19:29 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-04-24 19:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 19:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 19:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-24 19:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-22 18:47 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-04-22 18:44 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-04-22 18:37 2,180,480 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-22 18:37 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-22 18:37 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-22 18:37 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-22 18:26 135,168 a------- c:\windows\system32\igfxres.dll
2009-04-22 18:16 79,872 ac------ c:\windows\system32\dllcache\rwia330.dll
2009-04-22 18:15 9,216 ac------ c:\windows\system32\dllcache\kbdnecat.dll
2009-04-22 18:14 78,336 ac------ c:\windows\system32\dllcache\chajei.ime
2009-04-22 18:12 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-04-22 18:12 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-04-22 18:12 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-04-22 18:12 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-04-22 18:12 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-04-22 13:50 <DIR> --d----- c:\windows\dell
2009-04-18 10:06 118 a------- c:\windows\system32\MRT.INI
2009-04-17 22:01 20,961 ----h--- c:\documents and settings\owner\Owner.exe

==================== Find3M ====================

2009-04-22 19:15 78,723 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-22 18:11 23,348 a------- c:\windows\system32\emptyregdb.dat
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-20 04:30 659,456 a------- c:\windows\system32\wininet.dll
2009-02-20 04:30 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-06 13:22 2,136,064 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 13:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 12:49 2,015,744 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 16:08 55,808 a------- c:\windows\system32\secur32.dll
2004-08-08 14:24 596 a------- c:\program files\INSTALL.LOG
2004-06-05 10:37 1 a------- c:\documents and settings\owner\scrcfg.dat

============= FINISH: 21:40:45.64 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/22/2009 6:17:53 PM
System Uptime: 4/25/2009 9:00:16 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0K0057
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 51.048 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/22/2009 6:27:22 PM - System Checkpoint
RP2: 4/22/2009 9:55:47 PM - Software Distribution Service 3.0
RP3: 4/24/2009 10:59:37 PM - System Checkpoint
RP4: 4/25/2009 1:47:24 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player ActiveX
Adobe GoLive 6.0
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.4
BACS
Banctec Service Agreement
Bonjour
Broadcom Advanced Control Suite
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon iP6700D
Canon iP6700D Memory Card Utility
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
CD-LabelPrint
Clicker 4
Collapse! Deluxe II
Colour@Home II
Conexant SmartHSFi V.9x 56K DF PCI Modem
Dell AIO Printer A920
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
DellSupport
Digital Line Detect
DS21Patch
DVDSentry
Easy-WebPrint
FaxTools
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HyperLoad - Candystand Billiards
Intel® Extreme Graphics 2 Driver
iPod for Windows 2005-09-23
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 16
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
LUMIX Simple Viewer
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Access 2000 SR-1
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Links 2003
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
NetWaiting
PowerDVD
Prevx 3.0
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Shockwave
SimCity 4 Deluxe
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual IP InSight(Sympatico Consumer)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format Runtime
WinZip
WordPerfect Office 11
WorshipLeaderAssistant.com Viewer

==== Event Viewer Messages From Past Week ========

4/25/2009 5:37:41 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 7 for Windows XP.
4/24/2009 9:52:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440
4/24/2009 7:21:18 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/24/2009 7:21:18 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/23/2009 2:32:56 PM, error: SRService [104] - The System Restore initialization process failed.
4/23/2009 2:32:56 PM, error: Distributed Link Tracking Client [12502] - Service failed to start. Error = 80070862
4/23/2009 2:32:56 PM, error: Distributed Link Tracking Client [12500] - An internal error occured in Distributed Link Tracking. The error code was 80070862.
4/22/2009 6:27:20 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/22/2009 6:19:34 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
4/22/2009 6:13:14 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
4/18/2009 10:13:23 AM, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BA

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/25 21:36
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF84E9000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2252800 File Visible: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF8A6A000 Size: 4384 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEEC27000 Size: 138368 File Visible: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF8598000 Size: 42368 File Visible: -
Status: -

Name: ASCTRM.SYS
Image Path: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Address: 0xF8A80000 Size: 7488 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF84A1000 Size: 95360 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF8B8F000 Size: 3072 File Visible: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
Address: 0xF85B8000 Size: 42368 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A76000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8948000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF8778000 Size: 63744 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF85E8000 Size: 49536 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF8578000 Size: 53248 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8568000 Size: 36352 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8608000 Size: 61440 File Visible: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF845B000 Size: 82496 File Visible: -
Status: -

Name: drvnddm.sys
Image Path: C:\WINDOWS\system32\drivers\drvnddm.sys
Address: 0xF8748000 Size: 38208 File Visible: -
Status: -

Name: dsunidrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
Address: 0xF8A84000 Size: 5376 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEB41000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A86000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF8A10000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8B8D000 Size: 4096 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xED2C8000 Size: 143360 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF8708000 Size: 34944 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF8482000 Size: 124800 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A74000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF84B9000 Size: 125056 File Visible: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF8321000 Size: 9984 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FD000 Size: 134400 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF88B8000 Size: 28672 File Visible: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
Address: 0xF6F43000 Size: 631680 File Visible: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
Address: 0xF6FDE000 Size: 1063936 File Visible: -
Status: -

Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
Address: 0xF7105000 Size: 202368 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEE343000 Size: 263040 File Visible: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF8A72000 Size: 8192 File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF85C8000 Size: 52736 File Visible: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA3A000 Size: 925696 File Visible: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA05000 Size: 217088 File Visible: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000 Size: 139264 File Visible: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Address: 0xF716E000 Size: 1302208 File Visible: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D5000 Size: 57344 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF85D8000 Size: 41856 File Visible: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF7BF4000 Size: 36096 File Visible: -
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xF86A8000 Size: 32896 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xEEC71000 Size: 134912 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xEED39000 Size: 74752 File Visible: -
Status: -

Name: IPVNMon.sys
Image Path: IPVNMon.sys
Address: 0xF8356000 Size: 101376 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8538000 Size: 35840 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF8880000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8A38000 Size: 8192 File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xED29E000 Size: 171776 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF70E2000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8444000 Size: 92032 File Visible: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
Address: 0xEE075000 Size: 9920 File Visible: -
Status: -

Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xED9A7000 Size: 73152 File Visible: -
Status: -

Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xF8800000 Size: 28544 File Visible: -
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xEEB59000 Size: 207296 File Visible: -
Status: -

Name: mfesmfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys
Address: 0xED5BD000 Size: 33824 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8A78000 Size: 4224 File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF8878000 Size: 30080 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF8888000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8548000 Size: 42240 File Visible: -
Status: -

Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xEECBA000 Size: 159744 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xEE696000 Size: 181248 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEEB8C000 Size: 453632 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF88D0000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF8648000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF830D000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF836F000 Size: 107904 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF838A000 Size: 182912 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF8319000 Size: 9600 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xEEA09000 Size: 12928 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6E66000 Size: 91776 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8668000 Size: 38016 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF86C8000 Size: 34560 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xEEC49000 Size: 162816 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF88D8000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF83B7000 Size: 574592 File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2252800 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8BE2000 Size: 2944 File Visible: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\omci.sys
Address: 0xF88A8000 Size: 17152 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6F2F000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF87C0000 Size: 18688 File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8A7C000 Size: 6784 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF84D8000 Size: 68224 File Visible: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8B00000 Size: 3328 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF87B8000 Size: 28672 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2252800 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6E7D000 Size: 147456 File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6E55000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF8898000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF8588000 Size: 35712 File Visible: -
Status: -

Name: pxscan.sys
Image Path: C:\WINDOWS\System32\drivers\pxscan.sys
Address: 0xED717000 Size: 36864 File Visible: -
Status: -

Name: pxsec.sys
Image Path: C:\WINDOWS\System32\drivers\pxsec.sys
Address: 0xED4AB000 Size: 40960 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF89E0000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF8618000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF8628000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF8638000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF88A0000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2252800 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xEEBFB000 Size: 176512 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A7A000 Size: 4224 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF85F8000 Size: 57472 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDB31000 Size: 45056 File Visible: No
Status: -

Name: sfloppy.sys
Image Path: C:\WINDOWS\System32\DRIVERS\sfloppy.sys
Address: 0xF72BC000 Size: 11392 File Visible: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF6EA1000 Size: 578176 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF8470000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xEE2F1000 Size: 333184 File Visible: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF8A68000 Size: 5568 File Visible: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF88C0000 Size: 23168 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF8A6C000 Size: 4352 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEE7DB000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xEECE1000 Size: 360320 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF8890000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF8658000 Size: 40704 File Visible: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xF8938000 Size: 25632 File Visible: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xF8758000 Size: 34784 File Visible: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xF8C46000 Size: 4064 File Visible: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xF8C45000 Size: 2176 File Visible: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xEE9EC000 Size: 83232 File Visible: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xEEA6D000 Size: 14176 File Visible: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xF8AAC000 Size: 6304 File Visible: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xEE9D4000 Size: 98016 File Visible: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xEE9BB000 Size: 100320 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF6E21000 Size: 209408 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A6E000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF8870000 Size: 26624 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8688000 Size: 57600 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF7137000 Size: 143360 File Visible: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF88B0000 Size: 26496 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF8868000 Size: 20480 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF88C8000 Size: 20992 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF715A000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8558000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF86B8000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8900000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEE659000 Size: 82944 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8A3A000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2252800 File Visible: -
Status: -

[Maurice Naggar]

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member Canada Rob only. If you are a lurker, do NOT try this on your system!
If you are not Canada Rob and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.


1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

=
Next, I need for you to download and get the latest version of Combofix, SAVE it to your DESKTOP, and RENAME it
It is critical that the Combofix be on your desktop because we will be doing a special scripted run with it.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3







* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

Now, disconnect this pc from the internet; unplug the connection to this pc's modem.


Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::

File::
c:\windows\system32\drivers\acpi32.sys 
c:\windows\system32\drivers\ati64si.sys 
c:\windows\system32\drivers\ksi32sk.sys 
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\securentm.sys
c:\windows\system32\drivers\systemntmi.sys

Driver::
acpi32
ati64si
ksi32sk
port135sik
securentm
systemntmi

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

• :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your next reply.

Do not run ComboFix more than once :!:

Once Complete, logoff and Restart Windows for a fresh start :!:

Reconnect the pc to the internet

Next, locate using My Computer {Windows Explorer} the MalwareBytes' AntiMalware exe file (mbam.exe) which is typically located here
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
..... right-Click mbam.exe and select Rename and RENAME it to Bravo.exe

Now, Double-click on Bravo.exe to start MBAM
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2043 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

=
RE-Enable your AntiVirus and AntiSpyware applications.

Now, start HijackThis. Do a new Scan and Save log.

Reply with copies of C:\Combofix.txt
the MBAM scan log
the HijackThis scan log
and tell us, How is your system now ?

[Canada Rob]

The Mbam (Bravo) log didn't have any infected items, so things seem better. The logs are below. Let me know what you think and thanks for everything so far!!

ComboFix 09-04-25.A3 - Owner 04/26/2009 21:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.203 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
AV: Prevx 3.0 *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\ksi32sk.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\securentm.sys
c:\windows\system32\drivers\systemntmi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Owner.exe
c:\program files\INSTALL.LOG
C:\recycler
c:\recycler\08252008\P1010721.JPG
c:\recycler\08252008\P1010722.JPG
c:\recycler\08252008\Thumbs.db
c:\recycler\S-1-5-21-2556497274-1143759109-1053296114-1003\desktop.ini
c:\recycler\S-1-5-21-2556497274-1143759109-1053296114-1003\INFO2
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_SECURENTM
-------\Service_acpi32
-------\Service_ati64si
-------\Service_ksi32sk
-------\Service_port135sik
-------\Service_securentm
-------\Service_systemntmi


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-26 01:34 . 2009-04-26 01:34 -------- d-----w C:\rootrepeal
2009-04-26 01:24 . 2009-04-26 01:24 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-04-26 01:24 . 2009-04-26 01:24 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-04-26 01:24 . 2009-04-26 01:24 -------- d-----w c:\program files\Prevx
2009-04-26 01:24 . 2009-04-26 02:20 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-04-25 11:12 . 2009-04-25 11:12 -------- d-----w c:\program files\Trend Micro
2009-04-24 23:29 . 2009-04-25 17:46 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-24 23:29 . 2009-04-24 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-04-24 23:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 23:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 23:29 . 2009-04-24 23:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 23:29 . 2009-04-24 23:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 22:47 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-22 22:44 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-22 22:37 . 2009-02-06 17:24 2180480 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-22 22:37 . 2009-02-06 16:49 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-22 22:37 . 2009-02-06 17:22 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-22 22:37 . 2009-02-06 16:49 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-22 22:26 . 2005-09-20 13:31 135168 ----a-w c:\windows\system32\igfxres.dll
2009-04-22 22:16 . 2004-08-12 14:04 79872 -c--a-w c:\windows\system32\dllcache\rwia330.dll
2009-04-22 22:15 . 2004-08-12 13:58 9216 -c--a-w c:\windows\system32\dllcache\kbdnecat.dll
2009-04-22 22:14 . 2004-08-12 13:58 78336 -c--a-w c:\windows\system32\dllcache\chajei.ime
2009-04-22 22:12 . 2009-04-22 22:12 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-22 22:12 . 2009-04-22 22:12 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-22 22:12 . 2009-04-22 22:12 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-22 22:12 . 2009-04-22 22:12 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-22 22:12 . 2009-04-22 22:12 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-22 17:50 . 2009-04-22 17:50 -------- d-----w c:\windows\dell
2009-04-18 14:06 . 2009-04-18 14:06 118 ----a-w c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 01:00 . 2006-12-15 00:53 -------- d-----w c:\program files\McAfee
2009-04-25 02:01 . 2004-01-02 15:50 60960 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 23:15 . 2002-09-03 14:58 78723 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-04-22 22:11 . 2002-09-03 14:56 23348 ----a-w c:\windows\SYSTEM32\emptyregdb.dat
2009-03-25 15:06 . 2006-12-15 00:56 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2006-12-15 00:56 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2006-12-15 00:56 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:06 . 2006-12-15 00:56 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:05 . 2006-12-15 00:56 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-06 14:44 . 2004-08-12 14:03 283648 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-02-20 08:30 . 2004-08-12 14:09 659456 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-20 08:30 . 2004-08-12 13:58 81920 ----a-w c:\windows\SYSTEM32\ieencode.dll
2009-02-09 10:20 . 2004-08-12 14:04 399360 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 10:20 . 2004-08-12 13:59 723456 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 10:20 . 2004-08-12 14:02 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 10:20 . 2004-08-12 13:55 616960 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 10:19 . 2004-08-12 14:09 1846272 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-06 17:22 . 2004-08-12 14:02 2136064 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-12 14:05 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 16:54 . 2004-08-12 14:04 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2015744 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-12 14:04 55808 ----a-w c:\windows\SYSTEM32\secur32.dll
2004-06-05 14:37 . 2004-06-05 14:37 1 ----a-w c:\documents and settings\Owner\scrcfg.dat
2004-01-02 15:50 . 2005-02-16 23:06 40080 ----a-w c:\documents and settings\Princess\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" [2002-04-20 364544]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" [2002-04-20 102400]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"ViewMgr"="c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [2004-11-11 111816]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"PDUiP6700DMon"="c:\program files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-10-03 75376]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_16\bin\jusched.exe" [2008-05-28 75256]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-1-2 24576]
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-6-14 57344]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Adobe\\GoLive 6.0_ENG\\GoLive.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\WINDOWS\\SYSTEM32\\netsh.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcupdui.exe"=
"c:\\WINDOWS\\System32\\DSentry.exe"=
"c:\\Program Files\\Dell\\Media Experience\\PCMService.exe"=
"c:\\Program Files\\Visual Networks\\Visual IP InSight\\Sympatico Consumer\\IPMon32.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe"=
"c:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Canon\\Memory Card Utility\\iP6700D\\PDUiP6700DMon.exe"=
"c:\\Program Files\\Dell AIO Printer A920\\dlbkbmon.exe"=
"c:\\Program Files\\Java\\jre1.5.0_16\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Digital Line Detect\\DLG.exe"=
"c:\\Program Files\\Panasonic\\LUMIXSimpleViewer\\PhLeAutoRun.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\System32\\ssmarque.scr"=
"c:\\Program Files\\Visual Networks\\Visual IP InSight\\Sympatico Consumer\\IPClient.exe"=
"c:\\WINDOWS\\system32\\dla\\tfswctrl.exe"=

S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2009-04-26 22024]
S0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [2009-04-26 27656]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-04-26 4368440]


--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ca39c1a-52d5-11dd-b4b4-000bdb886c91}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2006-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-15 14:53]

2006-12-15 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-12-15 14:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.ca/
mSearch Bar =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: ieso.ca
Trusted Zone: peelschools.org\peelapps
TCP: {F41CE48D-E5AC-4AEB-B14A-15ED136D5767} = 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2444)
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-27 22:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 02:12

Pre-Run: 54,725,582,848 bytes free
Post-Run: 54,985,449,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

248 --- E O F --- 2009-04-25 21:37

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 2

4/26/2009 10:21:22 PM
mbam-log-2009-04-26 (22-21-22).txt

Scan type: Quick Scan
Objects scanned: 81343
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:14 PM, on 4/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_16\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.ieso.ca
O15 - Trusted Zone: http://peelapps.peelschools.org
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...95/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.11.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{C791800A-86E0-46D5-918D-62A88E992CEA}: NameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41CE48D-E5AC-4AEB-B14A-15ED136D5767}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41CE48D-E5AC-4AEB-B14A-15ED136D5767}: NameServer = 192.168.2.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 10688 bytes

[Maurice Naggar]

This system has a few old versions of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/...loads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

• Tip: Choose Custom install to select only the part(s) you need/want.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.
=

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html

Using Internet Explorer browser only, go to ESET Online Scanner website:
http://www.eset.com/onlinescan/

• Accept the Terms of Use and press Start button;
  
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
  
• Enable (check) the Remove found threats option, and run the scan.
  
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
  Look at contents of this file using Notepad or Wordpad.
  
  The Frequently Asked Questions for ESET Online Scanner can be viewed here
  http://www.eset.com/...c4.php?page=faq
  
  
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

>
Reply with a copy of the Eset scan log.

Depending on the results of this Eset scan, we can well be proceeding to close this case. But do not go away.
I want to see the scan results, and I'll also guide you to removing all the tools I had you use.

[Canada Rob]

Here's the log - thanks again!

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4038 (20090427)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=0bab6aa3c5832448a7fe5029f5ba22b4
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-04-28 03:19:05
# local_time=2009-04-27 11:19:05 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=293906
# found=2
# scan_time=6411
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Owner.exe.vir Win32/TrojanDownloader.Wigon.CB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0003059.exe Win32/TrojanDownloader.Wigon.CB trojan (unable to clean - deleted) 00000000000000000000000000000000

[Maurice Naggar]

Well done. The Eset scan only tagged a couple of items already in quarantine. Nothing else found.

Rename Bravo.exe back to MBAM.exe

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
Do the same for Eset online scan
Also de-install PREVX CSI

When done, OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combo-fix :!, put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  
  In the command box that opens, type or copy/paste combo-fix /u and then click OK.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
  
• Check in at Windows Update and install any Critical Updates offered.
  
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
  
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  
  ESET Online Scanner
  
  Panda ActiveScan?
  
  Trend Micro Housecall
  
  F-Secure Online Scanner
  
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  
  Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html

We are finished here. Best regards.

[Canada Rob]

Thanks for everything, I really appreciate it!!

[Maurice Naggar]

You're very welcome. Keep safe.