There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
access audio avg avg 8 bios blue screen boot browser bsod computer cpu crash css dell desktop driver drivers dvd email error excel explorer firefox firefox 3 freeze gimp graphics hard drive hardware hijackthis hjt install internet internet explorer itunes keyboard laptop macro malware missing monitor network networking outlook outlook 2003 outlook 2007 outlook express password popups problem problems router seo server slow sound sp3 spyware trojan usb video virtumonde virus vista vundo windows windows vista windows xp winxp wireless
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Data Execution Prevention on explorer.exe HJT Log


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Page 1 of 2 1 2 >
 
Thread Tools
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
02-Jul-2008, 12:04 PM #1
Question Data Execution Prevention on explorer.exe HJT Log
Hello. Over the last few days strange things have been happening to my system. It is a 2.8 GHz Pentium D with 1GB RAM running XP Pro SP2 with all available updates installed. Some of the oddness:

1. Microsoft Excel 2000 is not opening files properly. From inside Excel I can go to File-->Open and the file will open immediately just like normal. If I double-click an Excel file on my Desktop or in a Windows Explorer window it will open immediately just like always if Excel is already running. If Excel is not running, it will open Excel to a grey screen (no open workbook), and then hang for about 3-5 minutes before opening the file I double-clicked.

2. My Task Manager is showing an "idle" CPU Usage of just over 50% and under a normal workload is hitting 100%. Normally it sits around 3-6% idle and around 30-40% under a normal workload.

3. In my Task Manager the file iexplore.exe is constantly running, no matter if I have an IE7 window open or not. If I kill the process, it will reappear anywhere within 5 seconds to 1 minute later.

4. When I booted up the machine this morning I got a dialogue box for Data Execution Prevention that says "To help protect your computer, Windows has closed this program. Name: Windows Explorer, Publisher: Microsoft Corporation" Here's a screenshot of what I'm seeing:


I have run full scans of my system with NOD32, Ad-Aware, Windows Defender and Spybot Search & Destroy and these programs are not finding any problems.

Here is the text of my HijackThis! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:38 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iSproggler\iSproggler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iSproggler] "C:\Program Files\iSproggler\iSproggler.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.20.101:4343/officesc...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.20.101:4343/officesc...l/setupini.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.20.101:4343/officesc...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169832376062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163085694234
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
--
End of file - 8874 bytes

I've reached the limit of what I can figure out on my own. Doing some looking at other posts on this forum and others like it seem to point to some sort of video codec issue or a trojan downloader but I'm at a loss as to how to proceed.
cybertech's Avatar
Computer Specs
Moderator with 57,709 posts.
  
Join Date: Apr 2002
Location: Washington State
07-Jul-2008, 12:43 PM #2
Hi Welcome to TSG!!


Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
07-Jul-2008, 01:49 PM #3
Thank you for the response. Following is the Combofix log and HijackThis! logs as requested:

ComboFix 08-07-05.1 - swalker 2008-07-07 13:28:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702 [GMT -4:00]
Running from: C:\Documents and Settings\swalker\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\swalker\Application Data\macromedia\Flash Player\#SharedObjects\SMDAR7AT\www.broadcaster.com
C:\Documents and Settings\swalker\Application Data\macromedia\Flash Player\#SharedObjects\SMDAR7AT\www.broadcaster.com\played_list.sol
C:\Documents and Settings\swalker\Application Data\macromedia\Flash Player\#SharedObjects\SMDAR7AT\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\swalker\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\swalker\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\swalker\g2mdlhlpx.exe
C:\WINDOWS\system32\disk.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\p.exe
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\suspend.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.
2008-07-07 07:30 . 2008-07-07 07:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-24 12:52 . 2008-06-24 12:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-24 12:52 . 2008-06-24 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-24 12:51 . 2008-06-24 12:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 12:08 . 2008-06-24 12:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-19 07:29 . 2008-06-19 07:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-19 07:29 . 2008-06-19 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 09:33 . 2008-07-01 15:28 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 06:43 . 2008-06-13 06:43 <DIR> d-------- C:\Program Files\GlobalSCAPE
2008-06-13 06:43 . 2008-06-13 06:43 <DIR> d-------- C:\Documents and Settings\swalker\Application Data\GlobalSCAPE
2008-06-13 06:43 . 2008-06-13 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-06-11 19:36 . 2008-06-11 19:37 <DIR> d-------- C:\WINDOWS\system32\zigsng
2008-06-11 19:36 . 2008-05-23 14:31 44,544 -ra------ C:\WINDOWS\system32\msxml4a.dll
2008-06-11 19:36 . 2008-05-23 14:31 402 -ra------ C:\WINDOWS\system32\msxml4.inf
2008-06-10 20:00 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 09:11 . 2007-10-31 10:53 2,917,736 --a------ C:\WINDOWS\system32\amagent4.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 14:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-01 19:31 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-01 19:31 --------- d-----w C:\Program Files\Windows Live
2008-07-01 19:24 --------- d-----w C:\Program Files\Citrix
2008-07-01 19:01 --------- d-----w C:\Documents and Settings\swalker\Application Data\OfficeUpdate12
2008-07-01 18:56 --------- d-----w C:\Program Files\Snapshot Viewer
2008-06-19 23:50 --------- d-----w C:\Program Files\iSproggler
2008-06-13 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 14:14 4 ----a-w C:\Documents and Settings\All Users\Application Data\winam.dat
2008-06-10 14:14 1,588 ---ha-w C:\Documents and Settings\All Users\Application Data\amprm.dat
2008-06-10 14:13 65,536 ----a-w C:\WINDOWS\system32\dpexsvc.exe
2008-06-03 18:11 --------- d-----w C:\Program Files\GoldWave
2008-06-02 21:01 16 ----a-w C:\Documents and Settings\All Users\Application Data\amguid.dat
2008-05-27 12:45 --------- d-----w C:\Program Files\Panasonic
2008-05-27 12:39 --------- d-----w C:\Documents and Settings\swalker\Application Data\AdobeUM
2008-05-23 18:31 525,824 ----a-r C:\WINDOWS\system32\sqlceqp30.dll
2008-05-23 18:31 52,736 ----a-r C:\WINDOWS\system32\sqlcecompact30.dll
2008-05-23 18:31 44,544 ----a-r C:\WINDOWS\system32\sqlceme30.dll
2008-05-23 18:31 287,232 ----a-r C:\WINDOWS\system32\sqlceca30.dll
2008-05-23 18:31 284,672 ----a-r C:\WINDOWS\system32\sqlcese30.dll
2008-05-23 18:31 133,120 ----a-r C:\WINDOWS\system32\sqlceoledb30.dll
2008-05-23 18:31 129,536 ----a-r C:\WINDOWS\system32\sqlceer30EN.dll
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 19:20 --------- d-----w C:\Program Files\Google
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-31 14:42 674 ----a-w C:\Documents and Settings\All Users\Application Data\awmsg.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"iSproggler"="C:\Program Files\iSproggler\iSproggler.exe" [2007-07-20 16:37 16047602]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 14:01 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-23 00:41 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-23 00:44 86016]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-24 10:53 29744]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-31 14:58 949376]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Defender.lnk - C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 19:20:12 866584]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Share dTaskScheduler]
"{30EABBB2-0887-BD4D-E613-208A5186D1CD}"= "C:\WINDOWS\system32\zigsng\Director_igfer.dll" [2008-06-11 19:36 2208043]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad]
"SvcLauncher"= {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll [2008-06-11 19:36 2208043]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
=
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2005-09-03 16:18 94208 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-25 21:23 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Semagic]
--a------ 2007-04-01 11:50 2314320 C:\Program Files\Semagic\LiveJournalU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-04 14:01 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-12 21:54 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"iPod Service"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"MDM"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"gusvc"=2 (0x2)
"NOD32krn"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"GoogleDesktopManager-022208-143751"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:*isabled:vnc
"15164:UDP"= 15164:UDP:*isabled:AM Agent
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 13:53]
S3 el985nd5;3Com Gigabit Ethernet Server NIC (SX/TX);C:\WINDOWS\system32\DRIVERS\el985n51.sys [2001-08-17 12:11]
S3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;C:\WINDOWS\system32\DRIVERS\netflx3.sys []
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-24 10:53]
*Newly Created Service* - CATCHME
*Newly Created Service* - IPOD_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-07-07 12:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-07 15:01:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-07-07 17:35:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{2AECFF45-085C-4BD7-8A22-C73CE1E65507}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 13:31:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-07 13:36:40
ComboFix-quarantined-files.txt 2008-07-07 17:36:38
Pre-Run: 93,677,408,256 bytes free
Post-Run: 93,751,779,328 bytes free
188 --- E O F --- 2008-07-07 11:31:14




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:44, on 2008-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iSproggler] "C:\Program Files\iSproggler\iSproggler.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.20.101:4343/officesc...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.20.101:4343/officesc...l/setupini.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.20.101:4343/officesc...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169832376062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163085694234
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
--
End of file - 7806 bytes
cybertech's Avatar
Computer Specs
Moderator with 57,709 posts.
  
Join Date: Apr 2002
Location: Washington State
07-Jul-2008, 07:39 PM #4
Please review this: http://ca.com/us/securityadvisor/pes....aspx?id=35592

Let me know if you desire to continue with *cleaning* your machine. Personally I would get my data off of the machine and proceed with a new installation of the OS.

I will wait for your response.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
08-Jul-2008, 07:41 AM #5
Yikes! Unfortunately reloading the machine OS isn't really feasible for me at the moment, so I'd really appreciate assistance on trying to clean it first. Thanks!
Morny's Avatar
Senior Member with 149 posts.
  
Join Date: Oct 2005
Location: Eastbourne, United Kingdom
Experience: Intermediate
08-Jul-2008, 10:29 AM #6
Maybe you could save your data to a USB key and then format the HD and reload windows.
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
08-Jul-2008, 11:33 AM #7
It's partly a amount of data issue (nearly 25 gig of data, I'd need a few USB drives) and partly a time constraint due to it being the beginning of a new quarter and having to wrap up last quarter, get stuff done etc. I'd rather attempt to clean it and if that doesn't work then get the data off, format the HD and reload the system.
Morny's Avatar
Senior Member with 149 posts.
  
Join Date: Oct 2005
Location: Eastbourne, United Kingdom
Experience: Intermediate
08-Jul-2008, 12:29 PM #8
Shame you haven't got a spare external HD to back up data to which would only take a few minutes or so. I see your point though and not sure what to suggest. Hopefully someone else will come to the rescue.
cybertech's Avatar
Computer Specs
Moderator with 57,709 posts.
  
Join Date: Apr 2002
Location: Washington State
09-Jul-2008, 12:51 PM #9
Do you know what this is?

O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll



Open Notepad and copy and paste the text in the quote box below into it:
Quote:
KILLALL::

File::
C:\Documents and Settings\All Users\Application Data\amprm.dat
C:\WINDOWS\system32\dpexsvc.exe
C:\Documents and Settings\All Users\Application Data\amguid.dat
C:\Documents and Settings\All Users\Application Data\awmsg.dat

Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Last edited by cybertech : 10-Jul-2008 02:14 PM.
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
10-Jul-2008, 01:52 PM #10
Thanks for the help so far!

O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll

I have absolutely no clue what that is. Doing a Google search on it gives this very page as the first (and only relevant) hit.

----------

ComboFix - The log is so large Firefox kept choking on the data so I've attached it as a text file (combofixlog1.txt).

----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33, on 2008-07-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iSproggler\iSproggler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\swalker\Desktop\procexp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iSproggler] "C:\Program Files\iSproggler\iSproggler.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.20.101:4343/officesc...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.20.101:4343/officesc...l/setupini.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.20.101:4343/officesc...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169832376062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163085694234
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 8553 bytes

----------

Java is updated to the most recent version - (JRE) 6 Update 7.

----------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 09, 2008 17:14:14
Records in database: 932487
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
L:\
M:\
N:\
O:\
P:\
S:\
X:\
Y:\
Z:\

Scan statistics:
Files scanned: 329002
Threat name: 4
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 21:02:54


File name / Threat name / Threats count
C:\Program Files\NetMeeting\SoftActivity\AMSys\sagendrv.sys Infected: not-a-virus:Monitor.Win32.ActivityLogger.a 1
C:\Program Files\NetMeeting\SoftActivity\AMSys\swsys.exe Infected: not-a-virus:Monitor.Win32.ActivityLogger.a 1
C:\WINDOWS\system32\amagent4.exe Infected: not-a-virus:Monitor.Win32.ActivityLogger.a 2
Y:\activmon-full\amagent4.exe Infected: not-a-virus:Monitor.Win32.ActivityLogger.a 2
Y:\activmon-full\amonitor4.exe Infected: not-a-virus:Monitor.Win32.ActivityLogger.a 2
Y:\utils.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a 1
Y:\utils.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
Y:\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

The selected area was scanned.
Attached Files
File Type: txt ComboFixLog1.txt (385.4 KB, 91 views)
cybertech's Avatar
Computer Specs
Moderator with 57,709 posts.
  
Join Date: Apr 2002
Location: Washington State
10-Jul-2008, 02:17 PM #11
Run HJT again and put a check in the following:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZSzim029YYUS
O21 - SSODL: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - C:\WINDOWS\system32\zigsng\Director_igfer.dll

Close all applications and browser windows before you click "fix checked".


Did you install the monitors listed as infected by Kaspersky?
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Barahir's Avatar
Computer Specs
Junior Member with 11 posts.
  
Join Date: Jul 2008
Location: Middletown, Ohio, USA
Experience: Intermediate
10-Jul-2008, 02:52 PM #12
Ran HijackThis again and checked those three items. Rebooted, and the item starting in 02 was back again. Ran HJT this again and checked that item again, it is gone but I haven't rebooted yet.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52, on 2008-07-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iSproggler\iSproggler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Safari\Safari.exe
C:\DOCUMENTS AND SETTINGS\SWALKER\DESKTOP\PROCEXP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iSproggler] "C:\Program Files\iSproggler\iSproggler.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.20.101:4343/officesc...l/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.20.101:4343/officesc...l/setupini.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.20.101:4343/officesc...RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169832376062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163085694234
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: SvcLauncher - {30EABBB2-0887-BD4D-E613-208A5186D1CD} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 8271 bytes

Also, now Firefox 3 will not start after doing that and rebooting. I try to start FF3 and all i get is a crash report dialogue box asking if I want to send information about my crash to Mozilla. Don't see a browser window ever open. I'm down to using Safari at this point to get on here.

I do use VNC here to remotely connect to other machines in the plant, but I did not install any of the other agents listed from the Kaspersky scan, and after speaking to several people (up to and including the VP/owner' daughter) no one has ever heard of it.

Thanks!