I've been working for two days trying to remove malware. I've manually removed SystemErrorFixer, SpyHunter, and microsoft.windows.disablesystemrestore, but I still have this malware. It looks like a Microsoft product but it isn't. It hijacks the system task list as well as the internet connections and throws false errors constantly, and many other systems, including Gmail, seem to prevent it from accessing them, but of course that limits my access. Symantec doesn't catch it, and it disables Symantec in some way.
Here are my logs. Please recognize that I've run several utilities already to sweep and clean, so it may not look bad, but I'm still stuck.
MBAM scan:
Malwarebytes' Anti-Malware 1.11
Database version: 651
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160493
Time elapsed: 45 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46, on 2008-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\NMSSvc.exe
C:\oracle9\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: setwrite.amsrackley.com (HKLM)
O15 - Trusted Zone: http://trackit.amsworld.com (HKLM)
O15 - Trusted Zone: http://vertashare.vertafore.com (HKLM)
O15 - Trusted IP range: http://192.168.21.104 (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.amsworld.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CVSNT Locking Service 2.5.03.2151 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2151 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle9\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle9\ora92\BIN\ONRSD.EXE
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
--
End of file - 9465 bytes
Panda Scan Log:
Still running but I'll update shortly.
#1
Posted 18 April 2008 - 08:49 PM
#2
Posted 18 April 2008 - 11:57 PM
Hi Maggie,
Hi there, and welcome to Malwarebytes. You should probably print these instructions for easier reading and access during this process. It is very important you have your email set to receive replies to your thread and that you are allowing email from Malwarebytes.org. This is how you will know someone has answered your posts.
Be thorough, follow exactly what you are told to do and in the order you are told. Ask questions if you are uncertain and give feedback on how your machine is performing after steps in the process. We are here to help you, but we need you to help us to do that.
Okay I can see you've done a few things already so let's do the following. If you're uncertain or need more information please post and let us know and we'll help you.
Disable Spybot Search & Destroy's TeaTimer:
- Run Spybot-S&D in Advanced Mode.
- If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
- On the left hand side, Click on Tools
- Then click on the Resident Icon in the List
- Uncheck "Resident TeaTimer" and OK any prompts.
- Restart your computer.
Run HijackThis and choose "Scan Only". Now put a check mark in
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
Once you have the check marks in place, choose "Fix Checked" and restart the computer when prompted.
- Follow these instructions carefully.
- Download ATF-Cleaner from Snapfiles.com to remove unneeded temporary files from your computer that may contain malware.
- You can also download it from Majorgeeks.com
- When you run ATF-Cleaner, check the items as shown below for Main.
- For Firefox, be sure to click on the Firefox tab on top and check the items as shown below for Firefox.
- NOTE: If you don't have Firefox or Opera installed, they will be grayed out and can be ignored.
- Then click on "Empty Selected".
____________________________________________________
Copy and Paste the following information to NOTEPAD and then save the file by selecting
Save and in the save-as type: change it to ALL FILES and save to your desktop as NOPOLICIES.REG
Then double-click on it and select YES to remove all the Windows policies.
Then restart your computer and post another HijackThis Log for us to look at.
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{D82BE2B0-5764-11D0-A96E-00C04FD705A2}]
@="IShellFolderBand"
[HKEY_CLASSES_ROOT\CLSID\{D82BE2B0-5764-11D0-A96E-00C04FD705A2}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,48,00,\
45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2\]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\BarSize\]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"LockTaskbar"=dword:00000000
"NoTrayContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\]
"BarSize"=-
"Media Band"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
Then when completed, come back here and post a new HijackThis log and let us know how things are going with your computer.
#3
Posted 20 April 2008 - 02:37 PM
Ok. I've been trying to do the Spybot check, but I can't run it at all. I've uninstalled it and reinstalled it 3 times (rebooting in between), but I cannot get it to run. I show the hourglass when I click on it, but it never starts up, and on reboot it shows it as an "End it Now" task because it's not responding. Suggestions?
#4
Posted 21 April 2008 - 03:42 AM
I have finally managed to open Spybot. I've done each of the steps as noted above. Here is the new HiJack log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38, on 2008-04-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\oracle9\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: setwrite.amsrackley.com (HKLM)
O15 - Trusted Zone: http://trackit.amsworld.com (HKLM)
O15 - Trusted Zone: http://vertashare.vertafore.com (HKLM)
O15 - Trusted IP range: http://192.168.21.104 (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.amsworld.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CVSNT Locking Service 2.5.03.2151 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2151 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle9\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle9\ora92\BIN\ONRSD.EXE
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
--
End of file - 8855 bytes
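The two HijackThis logs in this thread are worth reading side by side: the O20 Winlogon Notify entry for uuyvtlfa.dll is still present in the 20 April log after "Fix Checked" and a reboot, and a new O4 line, [SystemTray] SysTray.Exe, has appeared, which is exactly the value the NOPOLICIES.REG posted above writes under HKLM\...\Run. A Winlogon Notify DLL that survives the fix is being put back by something that is still running, so repeating the same HijackThis step is unlikely to help, and a Run entry with a bare filename and no path is worth confirming before it is trusted. The script below is an added example for this thread, not part of HijackThis, Malwarebytes or the original posts. It parses O20 and O4 lines, flags names that are not on a short known-good list or that look randomly generated, flags Run entries without a full path, and diffs two logs into persisted, added and removed entries. The known-good list and the two log excerpts are constructed for illustration (the excerpts echo lines from the logs above) and are assumptions, not an authoritative reference.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not part of HijackThis, Malwarebytes,
or the original posts.  The known-good Winlogon Notify names and the two
sample log excerpts are constructed for illustration (assumptions), the
excerpts echoing lines that appear in the logs above.
"""
import re

# "O20 - Winlogon Notify: <name> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Winlogon Notify packages normally present on XP or added by common
# drivers.  Illustrative allowlist (assumption); extend it for your build.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent",
}
# Randomly generated DLL names are typically a bare run of lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


def flag_line(line):
    """Return the reasons one log line deserves a look (empty list if none)."""
    line = line.strip()
    reasons = []
    m = O20_RE.match(line)
    if m:
        name = m.group("name")
        if name.lower() in KNOWN_NOTIFY:
            return reasons
        reasons.append("Winlogon Notify DLL not on the known-good list")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking name")
        return reasons
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip().strip('"')
        # No directory component: Windows resolves the name via the search
        # path, so confirm which file actually runs before trusting it.
        if "\\" not in cmd and not cmd.startswith("%"):
            reasons.append("Run entry without a full path")
    return reasons


def triage(log_text):
    """Map every flagged line in a log to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


def diff_logs(before, after):
    """Split the 'O' entries of two logs into (persisted, added, removed)."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if l.strip().startswith("O")}
    b, a = entries(before), entries(after)
    return sorted(b & a), sorted(a - b), sorted(b - a)


# Constructed excerpts echoing the 18 April and 20 April logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
"""

if __name__ == "__main__":
    persisted, added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, lines in (("persisted", persisted), ("added", added), ("removed", removed)):
        for entry in lines:
            print(f"{label:9} {entry}  {flag_line(entry) or ''}")
```

Run against the two excerpts, the diff shows the uuyvtlfa entry in the persisted set with both flags, the SystemTray line as the only addition (flagged for its bare filename, as is the legitimate MsmqIntCert regsvr32 entry, which is why the flag means "verify", not "malicious"), and the TeaTimer entry as the only removal.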
O15 - Trusted Zone: setwrite.amsrackley.com (HKLM)
O15 - Trusted Zone: http://trackit.amsworld.com (HKLM)
O15 - Trusted Zone: http://vertashare.vertafore.com (HKLM)
O15 - Trusted IP range: http://192.168.21.104 (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.amsworld.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CVSNT Locking Service 2.5.03.2151 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2151 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle9\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle9\ora92\BIN\ONRSD.EXE
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
--
End of file - 8855 bytes
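Reading a HijackThis log like the one above by hand means scanning for the few entry types that most often matter on a first pass: O4 Run entries that name a bare file instead of a full path, O15 Trusted Zone entries, and O20 Winlogon Notify DLLs. The script below automates that pass. It is an added example written for this page, not code from the thread, from HijackThis or from Malwarebytes; its sample input is five lines copied from the log above, and the two heuristics it applies (a bare-path test for O4 and a consonant-run test for generated-looking names) are the example's own assumptions, meant to rank entries for review rather than to declare anything malicious.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: five lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: setwrite.amsrackley.com (HKLM)
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_KEY = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a detection signature): a bare
    lowercase name of 6-12 letters containing a run of four or more consonants, such as
    'uuyvtlfa', reads like a generated name rather than a vendor's. Legitimate
    abbreviations can trip it too, so it only marks an entry for review."""
    return bool(re.fullmatch(r"[a-z]{6,12}", name)) and CONSONANT_RUN.search(name) is not None


def run_target(cmd: str) -> str:
    """Return the executable part of an O4 Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Walk HijackThis entries and return the ones a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            r = RUN_KEY.match(body)
            if r:
                exe = run_target(r.group("cmd"))
                # A bare file name is located through the search path at logon, so the
                # entry alone does not tell you which binary actually runs.
                if "\\" not in exe and not exe.startswith("%"):
                    findings.append(Finding(section, f"Run entry '{r.group('name')}' has no full path: {exe}", line))
        elif section == "O15":
            # Trusted Zone / IP range entries relax Internet Explorer security for
            # those hosts; each one should be traceable to a known business need.
            findings.append(Finding(section, "Trusted Zone/IP range entry; confirm it was added deliberately", line))
        elif section == "O20":
            n = NOTIFY.match(body)
            if n:
                reason = "third-party Winlogon Notify DLL loads into winlogon at every logon"
                if looks_random(n.group("name")):
                    reason += "; name looks generated"
                findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it as a script to print the flagged lines, or import `triage` and feed it a whole log. A hit only says where to look next: the verdict on an entry comes from checking the file itself (publisher, signature, when it appeared on disk), which is what follow-up scans in a thread like this are for.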
#5
Posted 21 April 2008 - 06:16 AM
I apologize but I just got back in town and it's late so I need to get some sleep and I'll review it in the morning and provide you with more feedback.
Did Spybot Search & Destroy find and remove some items?
Were you able to run the items above, the ATF cleaner and the registry changes to remove policies?
#6
Posted 21 April 2008 - 10:43 AM
AdvancedSetup, on Apr 21 2008, 02:16 AM, said:
I apologize but I just got back in town and it's late so I need to get some sleep and I'll review it in the morning and provide you with more feedback.
Did Spybot Search & Destroy find and remove some items?
Were you able to run the items above, the ATF cleaner and the registry changes to remove policies?
Yes, Spybot did find and remove things but the problem is still there. I did run ATF and the registry changes as well but still the system is messed up. I tried to run Panda overnight as that was one of the "sticky" recommendations. It appears to be finding things but is still running so I'll have to stop it and restart it shortly so I can bring the laptop to work.
Thanks for any help you can give!
#7
Posted 21 April 2008 - 10:00 PM
Okay for now don't worry about the Panda Scanner.
Do you have any Symantec or Norton applications on your system?
You're still running a couple of items from Symantec that could be removed if you no longer use or have those products.
- Please download Malwarebytes' Anti-Malware from one of these links.
- Download from MajorGeeks.com
- Download from BestTechie.net
- Save the file to your desktop or where ever you save your files (just remember where you saved it)
- Then double-click the mbam-setup.exe install file and choose the default installation features.
- Let the program check for and install updates.
- Once completed - then run a Quick Scan of your system and once it's completed it will let you know what it finds.
- If any items are found allow it to clean them and reboot if necessary, and post the log here for us to look at. If you need help let me know.
- Then if you've not already done so you should run a disk check on your drive.
- You can do this by clicking on your Start menu, then RUN and type in CHKDSK /F {there is a space between the K and the /} and press the Y key in the DOS Box that comes up.
- Then restart your computer and it should run a disk check on reboot.
#8
Posted 21 April 2008 - 10:34 PM
Here is the mbam log:
Malwarebytes' Anti-Malware 1.11
Database version: 651
Scan type: Quick Scan
Objects scanned: 48279
Time elapsed: 13 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Nothing found.
I ran chkdsk as you noted and, other than losing my quick launch toolbar, I don't think anything else happened.
Still have the Windows Security Center coming up and the errors popping up continuously so I know the bug is still there.
Thanks for your help.
#9
Posted 21 April 2008 - 10:36 PM
Sorry I forgot to answer your other question. Because I attach to the corporate servers with this laptop, I'm required to run Symantec. I had uninstalled it on Friday as I thought that might have been the problem as there were tons of errors in the Event Log for Symantec, but that wasn't it obviously so I re-installed it today.
#10
Posted 21 April 2008 - 10:58 PM
Maggie, on Apr 21 2008, 03:34 PM, said:
I ran chkdsk as you noted and, other than losing my quick launch toolbar, I don't think anything else happened.
Still have the Windows Security Center coming up and the errors popping up continuously so I know the bug is still there.
Okay, well at this point, unless it is some new malware/virus that Malwarebytes, Symantec, and Panda are not finding, then I think we may be dealing with some invalid registry entries and/or some other setting issues and not a malware issue.
I'm not saying 100% that it's not, just that currently no tools are finding/showing it so I think we need to get more information on your current issues.
Item 1. To review what CHKDSK did you need to look in the Event Viewer. You can access that from your Administrator Tools in Control Panel and look in the APPLICATION section for one that has an entry under the SOURCE column for Winlogon.
That will show the details of what it found and fixed.
Item 2. What errors or items are shown on the Window Security Center? Is it coming on FULL SCREEN each time for logon?
Item 3. What other errors are popping up besides Security Center? Are there actual Windows error dialog boxes, or Internet Explorer popups - what exactly are you seeing if you can describe that please.
If you know how can you post a screen shot - if not then we can either show you how to do one, or we'll need you to run another scanner to get more details about the system if we can determine from your explanations.
Thanks
#11
Posted 22 April 2008 - 03:12 AM
Ok. Let's try this.
This first screenshot is the primary image that comes up fullscreen on start up. As you can see it's not legit. Also notice down in the system tray there is a red shield with a white X in it. Similar to Microsoft's update shield but not.

This next screenshot is an error that pops up with nearly every Internet Explorer access that is made and the verbiage does change periodically to pick up the Title Bar data from the screen.

What you don't see on any of these are all the balloon popups during regular operations which indicate that a virus or viruses have been identified and requesting that the balloon be clicked on to download antivirus protection. Unfortunately screenshots won't pick up those balloons but if you need the detail, I'll do what I can to transcribe them all.
Here's what the task manager looks like.....it's basically been captured and is not really reflecting all the true activity on the system at any given time. You'll also notice that the entire normal surround and tabs are gone and it can't be closed in any way. Also I can shrink the box but I can not send it backwards in any way so I have to reduce its size to put it out of the way.

There are other issues as well such as GMail can not open as it should, I think it's rejecting something being sent to it so I have to open it in html. I don't receive this message on any other computer and waiting doesn't help. Here's that message:

There are also several business systems and SharePoint sites that will not allow me to update when on this computer but any other computer I can. I have difficulty installing software as well and can not remote in to this machine from another machine even though it is appropriately configured.
#12
Posted 22 April 2008 - 03:31 AM
Here's the chkdsk log. I don't think I ran it correctly earlier so I reran it just now.
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 1606 unused index entries from index $SII of file 0x9.
Cleaning up 1606 unused index entries from index $SDH of file 0x9.
Cleaning up 1606 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
150922610 KB total disk space.
21437472 KB in 122923 files.
46520 KB in 15600 indexes.
0 KB in bad sectors.
254374 KB in use by the system.
65536 KB occupied by the log file.
129184244 KB available on disk.
4096 bytes in each allocation unit.
37730652 total allocation units on disk.
32296061 allocation units available on disk.
Internal Info:
e0 3a 02 00 26 1d 02 00 6c 39 03 00 00 00 00 00 .:..&...l9......
2c 01 00 00 02 00 00 00 56 0b 00 00 00 00 00 00 ,.......V.......
50 11 35 0a 00 00 00 00 e2 8d b3 4a 00 00 00 00 P.5........J....
1e 55 79 13 00 00 00 00 00 00 00 00 00 00 00 00 .Uy.............
00 00 00 00 00 00 00 00 18 a1 c4 77 00 00 00 00 ...........w....
99 9e 36 00 00 00 00 00 a8 39 07 00 2b e0 01 00 ..6......9..+...
00 00 00 00 00 80 70 1c 05 00 00 00 f0 3c 00 00 ......p......<..
Windows has finished checking your disk.
Please wait while your computer restarts.
For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
Just a few other notes as well. Some of the popups that try to make you click on the balloons actually spell words wrong, like baloon. Also memory errors pop up that aren't real. Every now and then there is a true fatal error with lsass.exe which shuts down the system.
Thanks for checking this all out.
M
#13
Posted 22 April 2008 - 03:34 AM
Here's what the memory error looks like but it's not legit as I uninstalled IE7 completely and still received this error.
#14
Posted 22 April 2008 - 05:02 AM
Thank you very much for the screen shots.
That is actually a bit amazing that MBAM does not find anything, yet the system obviously has items that I've seen Malwarebytes remove before.
Let me do some checking and get back to you.
#15
Posted 22 April 2008 - 06:03 AM
Okay, let's get some more information from your system to see how best to assist you.
Download Deckard's System Scanner (DSS) to your Desktop
- Close all applications and windows.
- Double-click on dss.exe to run it, and follow the prompts.
- When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
- Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply
#16
Posted 22 April 2008 - 11:59 AM
It appears that extra.txt did not generate. I'll run it one more time to see if I can obtain it.
Here is Main.txt:
Deckard's System Scanner v20071014.68
Run by colforma on 2008-04-22 07:39:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as colforma.exe) --------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:39, on 2008-04-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle9\ora92\bin\omtsreco.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\colforma\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\colforma.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: setwrite.amsrackley.com (HKLM)
O15 - Trusted Zone: http://trackit.amsworld.com (HKLM)
O15 - Trusted Zone: http://vertashare.vertafore.com (HKLM)
O15 - Trusted IP range: http://192.168.21.104 (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.amsworld.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amsworld.com
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CVSNT Locking Service 2.5.03.2151 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2151 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle9\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle9\ora92\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
--
End of file - 9677 bytes
-- Files created between 2008-03-22 and 2008-04-22 -----------------------------
2008-04-18 16:46:24 0 d-------- C:\Program Files\Trend Micro
2008-04-18 16:24:54 0 d-------- C:\Program Files\Panda Security
2008-04-18 14:10:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 13:08:43 0 d-------- C:\Documents and Settings\colforma\Application Data\Malwarebytes
2008-04-18 13:08:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 13:08:30 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 13:08:12 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-18 12:02:59 0 d-------- C:\Program Files\Enigma Software Group
2008-04-18 11:35:52 0 d-------- C:\327882R2FWJFW
2008-04-18 09:18:18 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-04-17 13:33:49 0 d--hs---- C:\Documents and Settings\colforma\UserData
2008-04-17 11:15:55 0 d-------- C:\c0247d6407c87318ba
2008-04-17 10:06:05 0 d-------- C:\Documents and Settings\NetworkService\Application Data\GOODSEARCH
2008-04-17 08:56:27 0 d-------- C:\Program Files\goodsearch
2008-04-17 08:56:27 0 d-------- C:\Documents and Settings\colforma\Application Data\GOODSEARCH
2008-04-16 17:23:11 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-16 17:23:06 0 d-------- C:\Documents and Settings\colforma\Application Data\Mozilla
2008-04-16 16:03:31 248832 --a------ C:\WINDOWS\system32\uuyvtlfa.dll
2008-04-15 13:39:18 0 d-------- C:\Documents and Settings\lorddo\Application Data\Adobe
2008-04-15 13:38:55 0 d-------- C:\Documents and Settings\lorddo\Application Data\Google
2008-04-11 16:45:28 0 d-------- C:\ART
2008-04-11 13:13:55 24848 --a------ C:\WINDOWS\system32\msjter35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-04-11 13:13:55 123664 --a------ C:\WINDOWS\system32\msjint35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-04-11 13:13:15 0 d-------- C:\Program Files\Common Files\Allenbrook
2008-04-08 12:35:02 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-04-08 11:33:34 0 d-------- C:\Program Files\Microsoft
2008-04-07 11:15:15 0 --a------ C:\WINDOWS\system32\PNTIF6
2008-04-07 11:15:15 0 d-------- C:\Documents and Settings\All Users\Application Data\PEERNET
2008-04-07 11:05:25 0 d-------- C:\Program Files\Allenbrook
2008-04-02 17:25:10 286720 -ra------ C:\WINDOWS\system32\p2sodbc.dll <Not Verified; Seagate Software Information Management Group, Inc.; Crystal Reports>
2008-04-02 17:25:10 4587577 -ra------ C:\WINDOWS\system32\crpe32.dll <Not Verified; Seagate Software, Inc.; Crystal Reports>
2008-04-02 17:25:08 1667072 -ra------ C:\WINDOWS\system32\QAUWVED.DLL <Not Verified; QAS Ltd.; QuickAddress Pro UI API>
2008-04-02 17:25:08 18944 -ra------ C:\WINDOWS\system32\implode.dll <Not Verified; ; Implode Application>
2008-04-02 17:25:08 229888 -ra------ C:\WINDOWS\system32\crpaig32.dll <Not Verified; Seagate Software, Information Management Group, Inc.; Crystal Reports Pro For Windows>
2008-04-02 17:25:06 139264 -ra------ C:\WINDOWS\system32\QAUWV001.DLL <Not Verified; QAS Ltd.; QuickAddress Pro UI API>
2008-04-02 17:25:06 35941 -ra------ C:\WINDOWS\system32\qalcl.dat
2008-04-02 17:25:06 54 -ra------ C:\WINDOWS\system32\103478.dat
2008-03-31 19:30:27 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Google
2008-03-31 19:30:26 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-03-31 16:54:45 0 d-------- C:\WINDOWS\system32\XPSViewer
2008-03-31 16:53:35 0 d-------- C:\Program Files\Reference Assemblies
2008-03-27 19:23:56 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-03-27 19:23:55 0 dr------- C:\Documents and Settings\LocalService\Favorites
-- Find3M Report ---------------------------------------------------------------
2008-04-22 07:29:23 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-21 08:26:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-21 08:23:19 0 d-------- C:\Program Files\Symantec
2008-04-18 13:08:12 0 d-------- C:\Program Files\Common Files
2008-04-18 09:23:53 2027 --a------ C:\Documents and Settings\colforma\Application Data\update.log
2008-04-17 12:32:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-17 12:26:04 0 d-------- C:\Program Files\Microsoft.NET
2008-04-17 10:44:53 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-17 09:00:53 0 d-------- C:\Program Files\MSBuild
2008-04-17 08:43:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 15:04:27 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-11 14:37:47 0 d-------- C:\Documents and Settings\colforma\Application Data\OfficeUpdate12
2008-04-11 13:20:37 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-27 13:26:56 0 d-------- C:\Program Files\PrintKey2000
2008-03-27 13:17:54 0 d-------- C:\Documents and Settings\colforma\Application Data\Adobe
2008-03-21 16:47:04 0 d-------- C:\Documents and Settings\colforma\Application Data\Google
2008-03-21 16:46:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-21 16:44:56 0 d-------- C:\Program Files\Google
2008-03-18 15:47:12 0 d-------- C:\Program Files\CVSNT
2008-03-18 11:36:15 0 d-------- C:\Documents and Settings\colforma\Application Data\AdobeUM
2008-03-17 13:22:23 0 d-------- C:\Program Files\Windows Live
2008-03-17 13:22:05 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-12 20:43:02 0 d-------- C:\Program Files\WindowsUpdate
2008-03-12 19:47:00 0 d-------- C:\Documents and Settings\colforma\Application Data\Sun
2008-03-12 19:22:56 0 d-------- C:\Program Files\Java
2008-03-12 19:21:54 0 d-------- C:\Program Files\Common Files\Java
2008-03-12 19:19:45 0 d-------- C:\Documents and Settings\colforma\Application Data\Macromedia
2008-03-12 17:21:22 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-12 17:12:50 0 d-------- C:\Program Files\Microsoft SQL Server
2008-03-10 13:48:56 0 d-------- C:\Documents and Settings\colforma\Application Data\Identities
2008-03-10 10:20:52 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-03-10 10:20:39 0 d-------- C:\Program Files\MSECACHE
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 19:01]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 18:36]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 08:12]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [2007-03-05 16:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-05 16:54]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"SystemTray"="SysTray.Exe" [2004-08-04 08:00 C:\WINDOWS\system32\systray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 16:14:00]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2008-03-17 08:40:07]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoActiveDesktop"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuyvtlfa]
uuyvtlfa.dll 2008-04-16 16:03 248832 C:\WINDOWS\system32\uuyvtlfa.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 setuid
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
-- End of Deckard's System Scanner: finished at 2008-04-22 07:39:36 ------------
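The security-relevant item in the logs above is the O20 line: a Winlogon Notify DLL (C:\WINDOWS\system32\uuyvtlfa.dll) that DSS lists as created on 2008-04-16 with no version/publisher information, while the same listing prints a `<Not Verified; vendor; product>` tag for every DLL that carries a version resource. Scanners missed it, so a helper reading this thread has to find it by hand. The script below is an added example, not code from the thread or from HijackThis or DSS; it parses the two log formats as pasted above and cross-references autostart and hook entries (O2, O3, O4, O20) against the DSS "Files created" listing. The scoring weights, the 14-day window and the consonant-run "random name" heuristic are my own assumptions, and the sample input is a handful of lines copied from the logs posted above.

```python
"""Triage a HijackThis log against a DSS "Files created" listing.

Added example for this thread, not code from the thread or from
HijackThis/DSS. Scoring weights and the name heuristic are assumptions;
the sample lines are copied from the logs posted above.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the HijackThis section above.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O20 - Winlogon Notify: uuyvtlfa - C:\WINDOWS\SYSTEM32\uuyvtlfa.dll
"""

# Constructed sample input: the DSS header plus lines from "Files created".
DSS_LOG = r"""
Deckard's System Scanner v20071014.68
Run by colforma on 2008-04-22 07:39:03
2008-04-18 16:46:24 0 d-------- C:\Program Files\Trend Micro
2008-04-17 08:56:27 0 d-------- C:\Program Files\goodsearch
2008-04-16 16:03:31 248832 --a------ C:\WINDOWS\system32\uuyvtlfa.dll
2008-04-02 17:25:10 286720 -ra------ C:\WINDOWS\system32\p2sodbc.dll <Not Verified; Seagate Software Information Management Group, Inc.; Crystal Reports>
"""

# date time size attrs path [<version info>]
DSS_FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.+?)(?:\s+<([^>]*)>)?\s*$")
VOWELS = set("aeiou")


def parse_dss_files(text):
    """Return (scan_time, {basename: record}) from a DSS log's file listing."""
    m = re.search(r"Run by \S+ on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", text)
    scan_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
    files = {}
    for line in text.splitlines():
        m = DSS_FILE_RE.match(line.strip())
        if not m or m.group(3).startswith("d"):      # directories carry no version info
            continue
        ts, size, _attrs, path, verinfo = m.groups()
        files[path.rsplit("\\", 1)[-1].lower()] = {
            "created": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": int(size), "path": path, "verinfo": verinfo}
    if scan_time is None and files:                   # no header: use the newest entry
        scan_time = max(r["created"] for r in files.values())
    return scan_time, files


def parse_hjt(text):
    """Return (kind, path) for the HijackThis O2/O3/O4/O20 lines."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O4":                              # O4 - HKLM\..\Run: [name] "path" args
            target = body.split("] ", 1)[-1].strip()
            path = target.split('"')[1] if target.startswith('"') else target.split(" ")[0]
        elif kind in ("O2", "O3", "O20"):             # module path is the last " - " field
            path = body.rsplit(" - ", 1)[-1].strip()
        else:
            continue
        out.append((kind, path))
    return out


def longest_consonant_run(stem):
    """Crude 'random name' signal: y counts as a consonant, non-letters reset."""
    run = best = 0
    for ch in stem:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def triage(hjt_text, dss_text, window_days=14, min_score=4):
    """Score every autostart/hook entry and return those worth a closer look."""
    scan_time, recent = parse_dss_files(dss_text)
    findings = []
    for kind, path in parse_hjt(hjt_text):
        name = path.rsplit("\\", 1)[-1].lower()
        stem = name.rsplit(".", 1)[0]
        score, reasons = 0, []
        if kind == "O20":                             # loaded into winlogon.exe at every logon
            score += 3
            reasons.append("Winlogon Notify DLL (persistence point inside winlogon.exe)")
        rec = recent.get(name)
        if rec:
            if scan_time - rec["created"] <= timedelta(days=window_days):
                score += 2
                reasons.append(f"created {rec['created']:%Y-%m-%d}, inside the {window_days}-day window")
            if rec["verinfo"] is None:
                score += 1
                reasons.append("no version/publisher info (DSS prints <...> when a file has it)")
            if "\\system32\\" in rec["path"].lower():
                score += 1
                reasons.append("dropped into system32")
        if stem.isalpha() and len(stem) >= 6 and longest_consonant_run(stem) >= 4:
            score += 1                                # noisy on its own: igfxtray, hkcmd trip it
            reasons.append("random-looking file name (weak signal by itself)")
        if score >= min_score:
            findings.append({"kind": kind, "path": path, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(HJT_LOG, DSS_LOG):
        print(f"[{f['score']}] {f['kind']} {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run on the sample, only the O20 entry clears the threshold: it collects every signal (Winlogon Notify, created inside the window, no version resource, lives in system32, random-looking name). The name heuristic alone is deliberately weak because legitimate vendor binaries such as igfxtray.exe and hkcmd.exe would trip it; what makes the entry stand out is the combination with the load point. A score is a reason to look, not proof of infection, and the helper's advice to take a System State backup before touching the Winlogon Notify key still applies.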
#17
Posted 22 April 2008 - 12:02 PM
Still didn't receive an extra.txt file on the second try. Suggestions?
#18
Posted 22 April 2008 - 06:30 PM
Hi Maggie,
Just wanted to let you know that I'm reading and researching still.
Please have patience as these things can take time to clear up.
Take a look in this folder to see if the Deckard logs are there.
C:\Deckard\System Scanner\
#19
Posted 22 April 2008 - 07:42 PM
I checked the location but only the main.txt was there. I looked to see if I could uninstall it and reinstall it to run again but can't see where I could uninstall from.
I do appreciate all your help!
#20
Posted 22 April 2008 - 08:11 PM
Is this Windows XP Pro?
If so then I would like you to do a System State Backup before we proceed with some other tools.
You can use these articles for assistance if needed. Let me know if you need more assistance with this.
How to use the Backup utility that is included in Windows XP to back up files and folders
How to Use the Backup Utility to Back Up Files and Folders in Windows XP Home Edition
A System State backup can help us recover better than System Restore in many cases if needed.