Virus Of Death - Help Needed!

Question

VIRUSOFDEATH 0 Newbie Poster

18 Years Ago

I NEED SOME SERIOUS HELP ! ! !
NOBODYS KNOWS WHAT THIS VIRUS IS....OR HOW TO GET RID OF IT!
I THINK I'VE RUN EVERY ANTIVIRUS, CLEANER, REMOVER, FIREWALL THAT EXISTS....
CWHREDDER, NORTON ANTIVIRUS, SPYDOCTOR, ADAWARE, PANDA, EWIDO, MICROSOFTS MALWARE REMOVAL AND DEFENDER, SMITREM,
THE CLEANER, PANDA, KAPERSKY, TREND, COMPUTER ASSOCIATES.
THEY WON'T WORK ON THIS VIRUS AND I'LL EXPLAIN WHY BELOW AND SHOW LOGS OF PROGRAMS THAT HAVE TRIED TO INSTALL ON THIS COMPUTER.
I HAVE REPLACED FOUR HARD-DRIVES AND DITCHED A COMPLETE COMPUTER....I'VE FORMATED AND WIPED WITH EVERY UTILITY I COULD FIND
FROM COMMAND LINE TO FLOPPY TO CD LOW-LEVEL WIPING UTILITIES. I'VE TRIED TO REPARTITION MY HARD-DRIVES AS THEY ARE IMMEDIATELY
ALTERED AND EVEN THE HD MFG. DRIVE DISK INDICATES THE LAST 1/10 MISSIING. ON ONE OF MY ATTEMPS TO RID MYSELF OF THIS MUTANT, I FORMATED
AND RELOADED WINDOWS AND DOWNLOADED ALMOST EVERY SECURITY PROGRAM OFFERED AT DOWNLOAD.COM. A WASTE OF TIME. THIS THING HAS
TO BE UNINSTALLED BECAUSE IT ISN'T A FILE OR TWO...IT IS THE ENTIRE COMPUTER....THE OPERATING SYSTEM. READ ON...I'LL EXPLAIN.
THIS HAS BEEN ABOUT 4 MONTHS OF HELL...I ACTUALLY HAVE DONE SOME RESEARCH ONLINE AND WITH THE GREAT HELP OF SOME ROOTKIT PROGRAMS
THAT EXPOSED WHAT WAS ACTUALLY GOING ON ON MY PC...I'M PRAYING SOMEONE WILL KNOW WHAT THIS INFECTION IS AND HOW TO CURE IT.
FROM THE ONLINE SITES I'VE RESEARCHED THAT HELP SITUATIONS LIKE MINE...I'VE ONLY FOUND TWO CASES WITH MY INFECTION...AND BOTH OF THE PEOPLE
SOUNDED LIKE THEY WERE HAVING A MENTAL BREAKDOWN. I HOPE WE FIND A WAY TO FIX OUR COMPUTERS ! THE PERSON WHO CREATED THIS SHOULD BE
SHOT...SERIOUSLY...ITS THE PERFECT VIRUS...I'M IMPRESSED, NOW GET A LIFE!I IT WAS CALLED THE WININT.DLL VIRUS AND TERMINAL SERVICE TROJAN IN THEIR LOGS.
I'VE FOUND THAT THE VIRUS HAS MANY AVENUES OF MAINTAINING CONTROL OF THE COMPUTER. IT REPARTITIONS THE HD AND MIRRORS ITS VERSION OF THE OPERATING
SYSTEM AND ALL THE OTHER FILES IT USES. IT USES MANY FORMS OF TEXT...NOT JUST CHINESE AND UNICODE...BUT IT HAS ALL THESE UTITLITIES TO CUT CHARACTERS AND SPREAD
THEM OUT - AUTOMATICALLY CHANGING THE SYSTEM AND REGISTRY BY SWITCHING THESE CONVERSION MODES....SO, IT MIGHT BE TRYING TO HIDE IN FREE SPACE. FOR THE FIRST COUPLE OF
WEEKS...I THINK I KEPT GETTING INFECTED BY A NEIGHBORING COMPUTER AS MY COMPUTER ALWAYS KEPT SIGNING ONTO ANOTHER NETWORK...LITERALLY WASN'T EVEN USING MY INTERNET SERVICE
TO DO SERCHES ! I COULDN'T CHANGE IT. I WOULD DELETE CONNECTIONS...ADD PASSWORDS. I WANTED TO ASK EVERY NEIGHBOR THEIR NETWORKS NAME AND BEG THEM TO SECURE IT. ANYWAY, THAT WAS MY
OLD COMPUTER....I SCRAPPED IT. MY NEW ONE...ALONG WITH A COUPLE OF HUNDRED INVESTED IN ANTIVIRUS AND FIREWALLS, ETC...WAS INFECTED THE MOMENT IT LOADED. LITERALLY. I WAS STUMPED.
SUPRISE....THE VIRUS HAD CHANGED THE NETWORK SETTINGS AND POSSIBLY SENT FILES TO MY HEWLITT PACKARD PRINTER. YUP. ONE OF THE OTHER GUYS THAT HAS THE VIRUS ON A WEBLOG HAD THE SAME THING
HAPPEN TO HIM...HE SAID THE VIRUSHIJACKED HIS PRINTER AND HIS SONY CLIE AND HE HAD NO CLUE WHAT WAS WRONG. HIS PHONE HAD TONS OF FILES ON IT THAT MADE NO SENSE...AND HIS PRINTER COMPLETLY STOPPED
WORKING. SO, I SENT MY COMPUTER TO THE PROS...YEAH...TWO CENTERS AT ABOUT $150 EACH...BOTH REISTALLED WINDOWS AND WERE ADAMANT THAT MY PC WAS PERFECT. NOTHING I COULD
SAY COULD CONVINCE THEM THAT MY PC HAD A VIRUS AND THAT I HAD REINSTALLED WINDOWS ON IT MYSELF ALMOST 30 TIMES TO NO AVAIL.
SO HERE ARE THE DETAILS:
%SYSTEMROOT%\SYSTEM32
AND
/??/C::/WINDOWS/SYSTEM32
AND
C:/PROGRAMFILES/I386/SYSTEM32
ALL CARRY SYSTEM32 FILES....THE LAST FILE IS PROBABLY ONE OF THE VIRUSES AS MOST OF THE I386 FILES ARE RUN IN SEPERATE PROCESSES.
THE VIRUS IS CONTROLLING ALL THE DRIVES AND INPUT DEVICES BY LOADING THEM WITHIN ITSELF. LITERALLY, THE CD DRIVE IS LOADED IN THE HARD DRIVE...ALL THE DEVICES
ARE LEGACY. INPUT DEVICES ARE CONTROLLED BY H.I.D. AND USB DRIVERS. INTERESTINGLY, TWO VERSIONS OF MY ATHLON XP PROCESSOR ARE LOADED.
THE PARTITIONS ARE 0 AND 1
THE ROOT UTILITY EXPOSED THAT
I386/DISK80/PARTITION0(MBR)
I386/DISK80/PARTITION1(HPFS/NTFS)
CONFIG.NT... INITIALIZES A MS DOS STARTUP...AN EMM COMMAND LINE THAT SPECIFIES THE SYSTEM
PUTTING THE FILES IN UMB...UPPER MEMORY BLOCKS. ITS A PIF APPLICATION...
AUTOXEC.BAT = %PATH%C\PROGRA...\COMMON1\MUVEET1\030625
MOST OF ITS WRITTEN IN IME...CHINESE...WITH A TWIST.
ATOK BY JUSTSYSTEMCORP = SOFTWARE WITH CHINESE KANA CHARACTERS LOADED IN HIGH-LEVEL MORPHEME ANALYTICAL TECHNOLOGY.
UNFORTUNATELY, THEY ARE CHINESE WEBSITES BUT THEY ARE THE CONVERSION UTILITIES THAT TURN ALL THE CHINESE SCRIPTS AND PROGRAMS ON MY PC INTO
ENGLISH...I WISH I COULD INTERCEPT THAT CONVERSION...ALL THIS MALWARE HAS TO GO THROUGH THAT PROCESS.
A TYPICAL INSTALLATION OF A PROGRAM....EVERYTHING THAT IS DOWNLOADED
OR ENTERS THIS COMPUTER THROUGH ANY PORT...DISK DRIVE...HARD DRIVE...MODEM...
KEYBOARD...MOUSE...ANY PROGRAM..ANTIVIRUS...FIREWALL...QUICKEN...EVEN...WINDOWS XP!...THIS
VIRUS IMMEDIATELY RUNS YOUR ITEM IN A SEPERATE PROCESS...ANALYZES....AND UNINSTALLS
THE ITEM WHILE REPLACING THE FILES WITH ITS WORTHLESS VERSION...USING THE CORRECT FILE
NAMES SO THAT IT IS IMMUNE TO ANTIVIRUS ENGINES. I PASTED AN INSTALLATION FILE FOR ZONE ALARMPRO.
ESSENTIALLY, IT...AND ALL THE OTHER SECURITY PROGRAMS I'VE TRIED TO USE ARE WORTHLESS. THE ONLY
PROGRAMS THAT I FINALLY FOUND THAT WORKED AMAZINGLY WERE THE ROOTKIT EXPOSERS.

A ZONE ALARM PRO INSTALL
RegDB Key: SOFTWARE\Zone Labs\ZoneAlarm\Registration
RegDB Val: U.S. English
RegDB Name: RegLanguage
RegDB Key: System\CurrentControlSet\Services\EventLog\System\vsdatant
RegDB Val: C:\WINDOWS\system32\vsdatant.sys
RegDB Name: EventMessageFile
RegDB Root: 2
RegDB Old: C:\WINDOWS\system32\vsdatant.sys
RegDB Key: System\CurrentControlSet\Services\EventLog\System\vsdatant
File Overwrite: C:\WINDOWS\system32\vsdatant.sys
File Overwrite: C:\WINDOWS\system32\vsdata.dll
File Overwrite: C:\WINDOWS\system32\vsmonapi.dll | 07-20-2005 | 02:45:34 | 6.0.631.3 | 104208 | 69e0b6eb
File Overwrite: C:\WINDOWS\system32\vspubapi.dll | 07-20-2005 | 02:45:38 | 6.0.631.3 | 227088 | 9538ea3e
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\repair
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsdb.dll
Made Dir: C:\WINDOWS\system32\ZoneLabs
File Copy: C:\WINDOWS\system32\ZoneLabs\vsdb.dll
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsutil.dll
File Copy: C:\WINDOWS\system32\vsutil.dll
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsinit.dll
File Copy: C:\WINDOWS\system32\vsinit.dll
File Copy: C:\WINDOWS\system32\ZoneLabs\vsmon.exe | 07-20-2005 | 02:45:30 | 6.0.631.3 | 1672976 | a602eb32
File Copy: C:\WINDOWS\system32\vsxml.dll | 07-20-2005 | 02:46:02 | 6.0.631.3 | 100112 | 52f04d3c
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsmon.exe
File Copy: C:\WINDOWS\system32\ZoneLabs\ssleay32.dll | 07-20-2005 | 02:44:46 | 6.0.631.3 | 452368 | 71d6810c
File Copy: C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
File Copy: C:\WINDOWS\system32\ZoneLabs\vsruledb.dll | 07-20-2005 | 02:45:46 | 6.0.631.3 | 1120016 | c4a032ee
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsruledb.dll
File Copy: C:\WINDOWS\system32\zlcomm.dll | 07-20-2005 | 02:46:22 | 6.0.631.3 | 79632 | bf4717d0
File Copy: C:\WINDOWS\system32\zlcommdb.dll | 07-20-2005 | 02:46:26 | 6.0.631.3 | 71440 | a058453b
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe | 07-21-2005 | 12:52:32 | 6.0.631.3 | 540296 | a3c5acc6
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Pro
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Pro
RegDB Val: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
RegDB Name: UninstallString
RegDB Root: 2
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\license.txt
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\readme.html
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zl_priv.htm
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe | 07-20-2005 | 02:46:18 | 6.0.631.3 | 980752 | c5fdd655
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\framewrk.dll | 07-20-2005 | 02:42:16 | 6.0.631.3 | 1017616 | f303eb48
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe | 07-20-2005 | 02:47:08 | 6.0.631.3 | 34576 | 7683b64e
File Copy: C:\WINDOWS\system32\ZoneLabs\zlparser.dll | 07-20-2005 | 02:46:38 | 6.0.631.3 | 177936 | 67e0393d
File Copy: C:\WINDOWS\system32\ZoneLabs\scheduler.dll | 07-20-2005 | 02:44:34 | 6.0.631.3 | 149264 | 242203fe
File Copy: C:\WINDOWS\system32\ZoneLabs\cerbprovider.pvx | 07-20-2005 | 02:41:54 | 6.0.631.3 | 100120 | d92ce347
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zatutor.exe | 07-20-2005 | 02:46:06 | 6.0.631.3 | 55056 | 10fad6d2
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\programs.zap | 07-20-2005 | 02:44:16 | 6.0.631.3 | 288528 | 6e55b370
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\security.zap | 07-20-2005 | 02:44:38 | 6.0.631.3 | 407312 | c225067d
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\alert.zap | 07-20-2005 | 02:41:34 | 6.0.631.3 | 194320 | 6d06216f
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\email.zap | 07-20-2005 | 02:42:00 | 6.0.631.3 | 104208 | a3ed5e50
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\firewall.zap | 07-20-2005 | 02:42:12 | 6.0.631.3 | 141072 | 56082e6
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\filter.zap | 07-20-2005 | 02:42:08 | 6.0.631.3 | 63248 | e44ea993
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\privacy.zap | 07-20-2005 | 02:44:08 | 6.0.631.3 | 145168 | a4d2a5e3
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\expert.dll | 07-20-2005 | 02:42:04 | 6.0.631.3 | 190224 | 5026ee31
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\idlock.zap | 07-20-2005 | 02:42:24 | 6.0.631.3 | 251664 | 63f6f9ae
File Copy: C:\WINDOWS\system32\ZoneLabs\vsvault.dll | 07-20-2005 | 02:45:58 | 6.0.631.3 | 239376 | ac1475b6
File Copy: C:\WINDOWS\system32\vsregexp.dll | 07-20-2005 | 02:45:42 | 6.0.631.3 | 71440 | 61a1b411
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\images
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\DOS_Title.gif | 05-19-2005 | 10:10:10 | | 1503 | 4fb64cfe
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\blocked_content.gif | 09-15-2003 | 11:44:06 | | 1276 | 331adbd1
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\Cerb_logo_small.gif | 04-11-2005 | 18:06:26 | | 1956 | 9d7f69f6
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\spacer.gif | 09-15-2003 | 11:44:06 | | 43 | ab68bd76
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\style_IE5_pc.css | 09-15-2003 | 11:44:06 | | 6481 | bae134ad
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\topbend_purple.gif | 09-15-2003 | 11:44:06 | | 350 | 11bd098f
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\background.gif | 09-15-2003 | 11:44:06 | | 816 | 72133236
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\topbar.gif | 09-15-2003 | 11:44:06 | | 120 | cfddaec8
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\ZAP_logo_small.gif | 04-30-2004 | 14:17:42 | | 2006 | b387d51f
File Copy: C:\WINDOWS\system32\ZoneLabs\camupd.dll | 07-20-2005 | 02:41:52 | 6.0.631.3 | 87824 | 259c2c01
File Copy: C:\WINDOWS\system32\ZoneLabs\zlsre.dll | 07-20-2005 | 02:46:54 | 6.0.631.3 | 255760 | d6528a02
File Copy: C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll | 07-20-2005 | 02:46:42 | 6.0.631.3 | 71448 | e8f50daf
File Copy: C:\WINDOWS\system32\ZoneLabs\qrbase.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 689928 | e8f1be00
File Copy: C:\WINDOWS\system32\ZoneLabs\srescan.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 1382152 | a5ba7a11
File Copy: C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 648968 | c8f56f5b
File Copy: C:\WINDOWS\system32\ZoneLabs\spyware.dat | 07-04-2005 | 23:29:58 | | 559170 | 36a3b565
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\scan.zap | 07-20-2005 | 02:44:28 | 6.0.631.3 | 476944 | 3fdc871d
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\scan.zmx | 07-20-2005 | 01:54:48 | | 37962 | 442503a8
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\cam.zap | 07-20-2005 | 02:41:46 | 6.0.631.3 | 79624 | c21e9501
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\Help

L2MFIX LOG

These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

windows-virus

5 Contributors
5 Replies
457 Views
3 Weeks Discussion Span
Latest Post 18 Years Ago Latest Post by confusertech

tayspen 28 <Insert title here>

18 Years Ago

My eyes...They burn!

Please lose the caps next time :)

"I HAVE REPLACED FOUR HARD-DRIVES AND DITCHED A COMPLETE COMPUTER"

Hmm, is that right. Well the only place a virus can hide is in the harddrive. Also if you replaced the computer, the virus would have left. You are either stretching the truth, or got this "virus" again.

THE CD DRIVE IS LOADED IN THE HARD DRIVE

What?!?

ONE OF THE OTHER GUYS THAT HAS THE VIRUS ON A WEBLOG HAD THE SAME THING
HAPPEN TO HIM

If you Really want to try one more thing. Download HiJackthis( http://www.merijn.org/files/hijackthis.zip) and post a log.

But

RELOADED WINDOWS AND DOWNLOADED ALMOST EVERY SECURITY PROGRAM OFFERED AT DOWNLOAD.COM

Sounds like you did everything...

'Stein 150 Lapsed Skeptic

18 Years Ago

-Admin, request transfer to Virus, Spyware, and Nasties forum.

Thanks :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

VIRUSOFDEATH 0 Newbie Poster · Answer 1 · 2006-05-19T04:32:28+00:00

Here's my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:29 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton SystemWorks\CfgWiz.exe
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mark\Desktop\HIJACKTHIS\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL="http://global.acer.com"]http://global.acer.com[/URL]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - [URL="https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab"]https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab[/URL]
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - [URL="https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab"]https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab[/URL]
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - [URL="https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab"]https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab[/URL]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [URL="http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab"]http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab[/URL]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [URL="http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab"]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/URL]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Principal AntiVirus (RspAVService) - Resplendence - C:\WINDOWS\system32\rspavsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

HERE ARE MORE DETAILS:
%SYSTEMROOT%\SYSTEM32 
AND
/??/C::/WINDOWS/SYSTEM32
AND
C:/PROGRAMFILES/I386/SYSTEM32
ALL CARRY SYSTEM32 FILES....THE LAST FILE IS PROBABLY ONE OF THE VIRUSES AS MOST OF THE I386 FILES ARE RUN IN SEPERATE PROCESSES.
THE VIRUS IS CONTROLLING ALL THE DRIVES AND INPUT DEVICES BY LOADING THEM WITHIN ITSELF.  LITERALLY, THE CD DRIVE IS LOADED IN THE HARD DRIVE...ALL THE DEVICES 
ARE LEGACY.  INPUT DEVICES ARE CONTROLLED BY H.I.D. AND USB DRIVERS.  INTERESTINGLY, TWO VERSIONS  OF MY ATHLON XP PROCESSOR ARE LOADED.
THE PARTITIONS ARE 0 AND 1
THE ROOT UTILITY EXPOSED THAT
I386/DISK80/PARTITION0(MBR)
I386/DISK80/PARTITION1(HPFS/NTFS)
CONFIG.NT...  INITIALIZES A MS DOS STARTUP...AN EMM COMMAND LINE THAT SPECIFIES THE SYSTEM 
PUTTING THE FILES IN UMB...UPPER MEMORY BLOCKS.  ITS A PIF APPLICATION...
AUTOXEC.BAT = %PATH%C\PROGRA...\COMMON1\MUVEET1\030625
MOST OF ITS WRITTEN IN IME...CHINESE...WITH A TWIST.
ATOK BY JUSTSYSTEMCORP = SOFTWARE WITH CHINESE KANA CHARACTERS LOADED IN HIGH-LEVEL MORPHEME ANALYTICAL TECHNOLOGY.
UNFORTUNATELY, THEY ARE CHINESE WEBSITES BUT THEY ARE THE CONVERSION UTILITIES THAT TURN ALL THE CHINESE SCRIPTS AND PROGRAMS ON MY PC INTO
ENGLISH...I WISH I COULD INTERCEPT THAT CONVERSION...ALL THIS MALWARE HAS TO GO THROUGH THAT PROCESS.
A TYPICAL INSTALLATION OF A PROGRAM....EVERYTHING THAT IS DOWNLOADED 
OR ENTERS THIS COMPUTER THROUGH ANY PORT...DISK DRIVE...HARD DRIVE...MODEM...
KEYBOARD...MOUSE...ANY PROGRAM..ANTIVIRUS...FIREWALL...QUICKEN...EVEN...WINDOWS XP!...THIS
VIRUS IMMEDIATELY RUNS YOUR ITEM IN A SEPERATE PROCESS...ANALYZES....AND UNINSTALLS
THE ITEM WHILE REPLACING THE FILES WITH ITS WORTHLESS VERSION...USING THE CORRECT FILE
NAMES SO THAT IT IS IMMUNE TO ANTIVIRUS ENGINES.  I PASTED AN INSTALLATION FILE FOR ZONE ALARMPRO.  
ESSENTIALLY, IT...AND ALL THE OTHER SECURITY PROGRAMS I'VE TRIED TO USE ARE WORTHLESS.  THE ONLY 
PROGRAMS THAT I FINALLY FOUND THAT WORKED AMAZINGLY WERE THE ROOTKIT EXPOSERS.
HERE ARE SOME SETTINGS:
ComSpec %SystemRoot%\system32\cmd.exe <SYSTEM>
FP_NO_HOST_CHECK NO <SYSTEM>
NUMBER_OF_PROCESSORS 2 <SYSTEM>
OS Windows_NT <SYSTEM>
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH <SYSTEM>
PROCESSOR_ARCHITECTURE x86 <SYSTEM>
PROCESSOR_IDENTIFIER x86 Family 15 Model 35 Stepping 2, AuthenticAMD <SYSTEM>
PROCESSOR_LEVEL 15 <SYSTEM>
PROCESSOR_REVISION 2302 <SYSTEM>
Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem <SYSTEM>
TEMP %SystemRoot%\TEMP <SYSTEM>
TEMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\SYSTEM
TEMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\LOCAL SERVICE
TEMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\NETWORK SERVICE
TEMP %USERPROFILE%\Local Settings\Temp ACER\Mark
TMP %SystemRoot%\TEMP <SYSTEM>
TMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\SYSTEM
TMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\LOCAL SERVICE
TMP %USERPROFILE%\Local Settings\Temp NT AUTHORITY\NETWORK SERVICE
TMP %USERPROFILE%\Local Settings\Temp ACER\Mark
windir %SystemRoot% <SYSTEM>

Winnt32 = Performs an installation of or upgrade to Windows XP. You can run winnt32 at the command prompt on a computer running Windows 95, Windows 98, Windows Millennium Edition, Windows NT, Windows 2000, or Windows XP.
If you run winnt32 on an Itanium-based computer, the command can be run from the Extensible Firmware Interface (EFI) or from Windows XP (not from an earlier operating system). Also, on an Itanium-based computer, /cmdcons and /
syspart are not available, and options relating to upgrades are also not available.  Syntax winnt32 [/checkupgradeonly] [/cmd:command_line] [/cmdcons] [/copydir:{i386|ia64}\FolderName] [/copysource:FolderName] [/debug[Level]:
[FileName]] [/dudisable] [/duprepare:pathname] [/dushare:pathname] [/m:FolderName] [/makelocalsource] [/noreboot] [/s:SourcePath] [/syspart:DriveLetter] [/tempdrive:DriveLetter] [/udf:id [,UDB_file]] [/unattend[num]:[answer_file]]
 Syntax = winnt32 [/checkupgradeonly] [/cmd:command_line] [/cmdcons] [/copydir:{i386|ia64}\FolderName] [/copysource:FolderName] [/debug[Level]:[FileName]] [/dudisable] [/duprepare:pathname] [/dushare:pathname] [/m:FolderName]
 [/makelocalsource] [/noreboot] [/s:SourcePath] [/syspart:DriveLetter] [/tempdrive:DriveLetter] [/udf:id [,UDB_file]] [/unattend[num]:[answer_file]
/cmd:command_line Instructs Setup to carry out a specific command before the final phase of Setup. This would occur after your computer has restarted and after Setup has collected the necessary configuration information, but before Setup is complete. 
/cmdcons Installs the Recovery Console as a startup option on a functioning x86-based computer. The Recovery Console is a command-line interface from which you can perform tasks such as starting and stopping services and accessing the local drive (including
 drives formatted with NTFS). You can only use the /cmdcons option after normal Setup is finished. 
/copydir:{i386|ia64}\FolderName Creates an additional folder within the folder in which the Windows XP files are installed. Folder_name refers to a folder that you have created to hold modifications just for your site. For example, for x86-based computers, you could
 create a folder called Private_drivers within the i386 source folder for your installation, and place driver files in the folder. Then you could type /copydir:i386\Private_drivers to have Setup copy that folder to your newly installed computer, making the new folder location 
systemroot\Private_drivers. You can use /copydir to create as many additional folders as you want. 
/copysource:FolderName Creates a temporary additional folder within the folder in which the Windows XP files are installed. Folder_name refers to a folder that you have created to hold modifications just for your site. For example, you could create a folder called Private_drivers within
 the source folder for your installation, and place driver files in the folder. Then you could type /copysource:Private_drivers to have Setup copy that folder to your newly installed computer and use its files during Setup, making the temporary folder location systemroot\Private_drivers. 
You can use /copysource to create as many additional folders as you want. Unlike the folders /copydir creates, /copysource folders are deleted after Setup completes. 
WMIC overview
XXcopy 
   MORE COMMANDS RUN BY THE VIRUS (OR WHOEVER IS RUNNING THESE PROCESESSES!!!
%ALLUSERSPROFILE% Local Returns the location of the All Users Profile. 
%APPDATA% Local Returns the location where applications store data by default. 
%CD% Local Returns the current directory string. 
%CMDCMDLINE% Local Returns the exact command line used to start the current Cmd.exe. 
%CMDEXTVERSION% System Returns the version number of the current Command Processor Extensions. 
%COMPUTERNAME%  System Returns the name of the computer. 
%COMSPEC%  System Returns the exact path to the command shell executable. 
%DATE%  System Returns the current date. Uses the same format as the date /t command. Generated by Cmd.exe. For more information about the date command, see Date. 
%ERRORLEVEL%  System Returns the error code of the most recently used command. A non zero value usually indicates an error. 
%HOMEDRIVE%  System Returns which local workstation drive letter is connected to the user's home directory. Set based on the value of the home directory. The user's home directory is specified in Local Users and Groups. 
%HOMEPATH%  System Returns the full path of the user's home directory. Set based on the value of the home directory. The user's home directory is specified in Local Users and Groups. 
%HOMESHARE%  System Returns the network path to the user's shared home directory. Set based on the value of the home directory. The user's home directory is specified in Local Users and Groups. 
%LOGONSEVER%  Local Returns the name of the domain controller that validated the current logon session. 
%NUMBER_OF_PROCESSORS%  System Specifies the number of processors installed on the computer. 
%OS%  System Returns the operating system name. Windows 2000 displays the operating system as Windows_NT. 
%PATH% System Specifies the search path for executable files. 
%PATHEXT% System Returns a list of the file extensions that the operating system considers to be executable. 
%PROCESSOR_ARCHITECTURE%  System Returns the chip architecture of the processor. Values: x86, IA64. 
%PROCESSOR_IDENTFIER% System Returns a description of the processor. 
%PROCESSOR_LEVEL%  System Returns the model number of the processor installed on the computer. 
%PROCESSOR_REVISION% System Returns the revision number of the processor.  
%PROMPT% Local Returns the command prompt settings for the current interpreter. Generated by Cmd.exe. 
%RANDOM% System Returns a random decimal number between 0 and 32767. Generated by Cmd.exe. 
%SYSTEMDRIVE% System Returns the drive containing the Windows XP root directory (that is, the system root). 
%SYSTEMROOT%  System Returns the location of the Windows XP root directory. 
%TEMP% and %TMP% System and User Returns the default temporary directories that are used by applications available to users who are currently logged on. Some applications require TEMP and others require TMP. 
%TIME% System Returns the current time. Uses the same format as the time /t command. Generated by Cmd.exe. For more information about the time command, see Time. 
%USERDOMAIN% Local Returns the name of the domain that contains the user's account. 
%USERNAME% Local Returns the name of the user who is currently logged on. 
%USERPROFILE% Local Returns the location of the profile for the current user. 
%WINDIR% System Returns the location of the operating system directory. 

       A ZONE ALARM PRO INSTALL
RegDB Key: SOFTWARE\Zone Labs\ZoneAlarm\Registration
RegDB Val: U.S. English
RegDB Name: RegLanguage
RegDB Key: System\CurrentControlSet\Services\EventLog\System\vsdatant
RegDB Val: C:\WINDOWS\system32\vsdatant.sys
RegDB Name: EventMessageFile
RegDB Root: 2
RegDB Old: C:\WINDOWS\system32\vsdatant.sys
RegDB Key: System\CurrentControlSet\Services\EventLog\System\vsdatant
File Overwrite: C:\WINDOWS\system32\vsdatant.sys
File Overwrite: C:\WINDOWS\system32\vsdata.dll
File Overwrite: C:\WINDOWS\system32\vsmonapi.dll | 07-20-2005 | 02:45:34 | 6.0.631.3 | 104208 | 69e0b6eb
File Overwrite: C:\WINDOWS\system32\vspubapi.dll | 07-20-2005 | 02:45:38 | 6.0.631.3 | 227088 | 9538ea3e
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\repair
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsdb.dll
Made Dir: C:\WINDOWS\system32\ZoneLabs
File Copy: C:\WINDOWS\system32\ZoneLabs\vsdb.dll
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsutil.dll
File Copy: C:\WINDOWS\system32\vsutil.dll
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsinit.dll
File Copy: C:\WINDOWS\system32\vsinit.dll
File Copy: C:\WINDOWS\system32\ZoneLabs\vsmon.exe | 07-20-2005 | 02:45:30 | 6.0.631.3 | 1672976 | a602eb32
File Copy: C:\WINDOWS\system32\vsxml.dll | 07-20-2005 | 02:46:02 | 6.0.631.3 | 100112 | 52f04d3c
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsmon.exe
File Copy: C:\WINDOWS\system32\ZoneLabs\ssleay32.dll | 07-20-2005 | 02:44:46 | 6.0.631.3 | 452368 | 71d6810c
File Copy: C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
File Copy: C:\WINDOWS\system32\ZoneLabs\vsruledb.dll | 07-20-2005 | 02:45:46 | 6.0.631.3 | 1120016 | c4a032ee
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\repair\vsruledb.dll
File Copy: C:\WINDOWS\system32\zlcomm.dll | 07-20-2005 | 02:46:22 | 6.0.631.3 | 79632 | bf4717d0
File Copy: C:\WINDOWS\system32\zlcommdb.dll | 07-20-2005 | 02:46:26 | 6.0.631.3 | 71440 | a058453b
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe | 07-21-2005 | 12:52:32 | 6.0.631.3 | 540296 | a3c5acc6
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Pro
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm Pro
RegDB Val: C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
RegDB Name: UninstallString
RegDB Root: 2
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\license.txt
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\readme.html
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zl_priv.htm
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe | 07-20-2005 | 02:46:18 | 6.0.631.3 | 980752 | c5fdd655
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\framewrk.dll | 07-20-2005 | 02:42:16 | 6.0.631.3 | 1017616 | f303eb48
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe | 07-20-2005 | 02:47:08 | 6.0.631.3 | 34576 | 7683b64e
File Copy: C:\WINDOWS\system32\ZoneLabs\zlparser.dll | 07-20-2005 | 02:46:38 | 6.0.631.3 | 177936 | 67e0393d
File Copy: C:\WINDOWS\system32\ZoneLabs\scheduler.dll | 07-20-2005 | 02:44:34 | 6.0.631.3 | 149264 | 242203fe
File Copy: C:\WINDOWS\system32\ZoneLabs\cerbprovider.pvx | 07-20-2005 | 02:41:54 | 6.0.631.3 | 100120 | d92ce347
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\zatutor.exe | 07-20-2005 | 02:46:06 | 6.0.631.3 | 55056 | 10fad6d2
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\programs.zap | 07-20-2005 | 02:44:16 | 6.0.631.3 | 288528 | 6e55b370
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\security.zap | 07-20-2005 | 02:44:38 | 6.0.631.3 | 407312 | c225067d
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\alert.zap | 07-20-2005 | 02:41:34 | 6.0.631.3 | 194320 | 6d06216f
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\email.zap | 07-20-2005 | 02:42:00 | 6.0.631.3 | 104208 | a3ed5e50
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\firewall.zap | 07-20-2005 | 02:42:12 | 6.0.631.3 | 141072 | 56082e6
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\filter.zap | 07-20-2005 | 02:42:08 | 6.0.631.3 | 63248 | e44ea993
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\privacy.zap | 07-20-2005 | 02:44:08 | 6.0.631.3 | 145168 | a4d2a5e3
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\expert.dll | 07-20-2005 | 02:42:04 | 6.0.631.3 | 190224 | 5026ee31
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\idlock.zap | 07-20-2005 | 02:42:24 | 6.0.631.3 | 251664 | 63f6f9ae
File Copy: C:\WINDOWS\system32\ZoneLabs\vsvault.dll | 07-20-2005 | 02:45:58 | 6.0.631.3 | 239376 | ac1475b6
File Copy: C:\WINDOWS\system32\vsregexp.dll | 07-20-2005 | 02:45:42 | 6.0.631.3 | 71440 | 61a1b411
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\images
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\DOS_Title.gif | 05-19-2005 | 10:10:10 | | 1503 | 4fb64cfe
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\blocked_content.gif | 09-15-2003 | 11:44:06 | | 1276 | 331adbd1
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\Cerb_logo_small.gif | 04-11-2005 | 18:06:26 | | 1956 | 9d7f69f6
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\spacer.gif | 09-15-2003 | 11:44:06 | | 43 | ab68bd76
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\style_IE5_pc.css | 09-15-2003 | 11:44:06 | | 6481 | bae134ad
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\topbend_purple.gif | 09-15-2003 | 11:44:06 | | 350 | 11bd098f
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\background.gif | 09-15-2003 | 11:44:06 | | 816 | 72133236
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\topbar.gif | 09-15-2003 | 11:44:06 | | 120 | cfddaec8
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\images\ZAP_logo_small.gif | 04-30-2004 | 14:17:42 | | 2006 | b387d51f
File Copy: C:\WINDOWS\system32\ZoneLabs\camupd.dll | 07-20-2005 | 02:41:52 | 6.0.631.3 | 87824 | 259c2c01
File Copy: C:\WINDOWS\system32\ZoneLabs\zlsre.dll | 07-20-2005 | 02:46:54 | 6.0.631.3 | 255760 | d6528a02
File Copy: C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll | 07-20-2005 | 02:46:42 | 6.0.631.3 | 71448 | e8f50daf
File Copy: C:\WINDOWS\system32\ZoneLabs\qrbase.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 689928 | e8f1be00
File Copy: C:\WINDOWS\system32\ZoneLabs\srescan.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 1382152 | a5ba7a11
File Copy: C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll | 07-04-2005 | 23:29:58 | 4.0.9.6 | 648968 | c8f56f5b
File Copy: C:\WINDOWS\system32\ZoneLabs\spyware.dat | 07-04-2005 | 23:29:58 | | 559170 | 36a3b565
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\scan.zap | 07-20-2005 | 02:44:28 | 6.0.631.3 | 476944 | 3fdc871d
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\scan.zmx | 07-20-2005 | 01:54:48 | | 37962 | 442503a8
File Copy: C:\Program Files\Zone Labs\ZoneAlarm\cam.zap | 07-20-2005 | 02:41:46 | 6.0.631.3 | 79624 | c21e9501
Made Dir: C:\Program Files\Zone Labs\ZoneAlarm\Help
         PART OF THE SETUP LOG
01/15/2005 19:22:31.437,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6434,BEGIN_SECTION,Installing Windows NT (I WAS ACTUALLY INSTALLING WINDOWS MEDIA EDITION)
01/15/2005 19:22:33.468,d:\xpsprtm\base\ntsetup\syssetup\wizard.c,1568,,SETUP: Calculating registery size
01/15/2005 19:22:33.468,d:\xpsprtm\base\ntsetup\syssetup\wizard.c,1599,,SETUP: Calculated time for Win9x migration = 120 seconds
01/15/2005 19:22:33.468,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6465,BEGIN_SECTION,Initialization
01/15/2005 19:22:33.859,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6585,BEGIN_SECTION,Common Initialiazation
01/15/2005 19:22:33.859,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1674,BEGIN_SECTION,Initializing action log
01/15/2005 19:22:34.015,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,GUI mode Setup has started.
01/15/2005 19:22:34.046,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1679,END_SECTION,Initializing action log
01/15/2005 19:22:34.093,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1764,BEGIN_SECTION,Creating setup background window
01/15/2005 19:22:35.140,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1775,END_SECTION,Creating setup background window
01/15/2005 19:22:35.140,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1826,BEGIN_SECTION,Initializing SMS support
01/15/2005 19:22:35.140,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1835,,Setup: (non-critical error): Failed load of ismif32.dll.
01/15/2005 19:22:35.156,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1837,END_SECTION,Initializing SMS support
01/15/2005 19:22:35.203,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1868,BEGIN_SECTION,Shutting down power management
01/15/2005 19:22:35.203,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1871,END_SECTION,Shutting down power management
01/15/2005 19:22:35.250,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,1950,BEGIN_SECTION,Processing parameters from sif
01/15/2005 19:22:36.500,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find WaitForReboot.
01/15/2005 19:22:36.500,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,632,,SETUP: Upgrade=0.
01/15/2005 19:22:36.500,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,633,,SETUP: Unattended=1.
01/15/2005 19:22:36.500,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find runoobe.
01/15/2005 19:22:36.500,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find uniqueness.
01/15/2005 19:22:36.515,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find includecatalog.
01/15/2005 19:22:36.750,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,Volume: 
01/15/2005 19:22:36.765,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,E:\ 01/15/2005 19:22:36.765,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,Device Path: [URL="file://\\?\ide#cdromhl-dt-st_cd-rw_gce-8527b________________1.01____#5&3aadb0d2&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b"]\\?\ide#cdromhl-dt-st_cd-rw_gce-8527b________________1.01____#5&3aadb0d2&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b[/URL]}
01/15/2005 19:22:36.765,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,PCI\VEN_10DE&DEV_0265&SUBSYS_0CAF105B&REV_A1
01/15/2005 19:22:36.765,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,
01/15/2005 19:22:36.781,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,Device Path: [URL="file://\\?\ide#diskwdc_wd2500jd-22hbc0_____________________08.02d08#5&3429813e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b"]\\?\ide#diskwdc_wd2500jd-22hbc0_____________________08.02d08#5&3429813e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b[/URL]}
01/15/2005 19:22:37.921,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\rsaenh.dll...
01/15/2005 19:22:37.984,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\rsaenh.dll registered successfully
01/15/2005 19:22:38.062,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\dssenh.dll...
01/15/2005 19:22:38.093,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\dssenh.dll registered successfully
01/15/2005 19:22:38.171,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\initpki.dll...
01/15/2005 19:22:44.875,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\initpki.dll registered successfully
01/15/2005 19:22:52.093,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find driversigningpolicy.
01/15/2005 19:22:52.093,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find nondriversigningpolicy.
01/15/2005 19:22:52.171,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\I386\NT5INF.CA_ was copied to C:\WINDOWS\system32\dllcache\NT5INF.CAT.
01/15/2005 19:22:52.312,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\I386\NT5.CA_ was copied to C:\WINDOWS\system32\dllcache\NT5.CAT.
01/15/2005 19:22:52.328,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\I386\SP2.CAT was copied to C:\WINDOWS\system32\dllcache\SP2.CAT.
01/15/2005 19:22:52.406,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\I386\NTPRINT.CAT was copied to C:\WINDOWS\system32\dllcache\NTPRINT.CAT.
01/15/2005 19:22:52.468,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\I386\NT5IIS.CA_ was copied to C:\WINDOWS\system32\dllcache\NT5IIS.CAT.
(SKIPPED A BUNCH)
01/15/2005 19:23:05.312,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\netman.dll registered successfully
01/15/2005 19:23:05.375,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\netshell.dll...
01/15/2005 19:23:05.406,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\netshell.dll registered successfully
01/15/2005 19:23:05.437,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\odbcconf.dll...
01/15/2005 19:23:05.500,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\odbcconf.dll registered successfully
01/15/2005 19:23:05.515,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\msiexec.exe...
01/15/2005 19:23:06.281,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\msiexec.exe registered successfully
01/15/2005 19:23:06.312,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\Lodctr.exe...
01/15/2005 19:23:06.437,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\Lodctr.exe registered successfully
01/15/2005 19:23:06.468,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\msctf.dll...
01/15/2005 19:23:06.484,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\msctf.dll registered successfully
01/15/2005 19:23:06.484,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,2460,END_SECTION,Registering Phase 1 Dlls
01/15/2005 19:23:06.484,d:\xpsprtm\base\ntsetup\syssetup\services.c,71,,SETUP: Waiting on event SC_AutoStartComplete 
01/15/2005 19:23:06.484,d:\xpsprtm\base\ntsetup\syssetup\services.c,75,,SETUP: Wait on event SC_AutoStartComplete completed successfully 
01/15/2005 19:23:06.484,d:\xpsprtm\base\ntsetup\syssetup\ocm.c,137,BEGIN_SECTION,Initializing the OC manager
01/15/2005 19:23:09.718,d:\xpsprtm\base\ntsetup\syssetup\ocm.c,145,END_SECTION,Initializing the OC manager
01/15/2005 19:23:09.718,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6590,END_SECTION,Common Initialiazation
01/15/2005 19:23:09.718,d:\xpsprtm\base\ntsetup\syssetup\pid.c,1078,,Found Product key in Answer file.
01/15/2005 19:23:09.781,d:\xpsprtm\base\ntsetup\syssetup\registry.c,1527,BEGIN_SECTION,SetCurrentProductIdInRegistry
01/15/2005 19:23:09.781,d:\xpsprtm\base\ntsetup\syssetup\registry.c,1539,END_SECTION,SetCurrentProductIdInRegistry
01/15/2005 19:23:09.781,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6626,END_SECTION,Initialization
01/15/2005 19:23:09.781,d:\xpsprtm\base\ntsetup\syssetup\syssetup.c,6629,BEGIN_SECTION,Wizard
01/15/2005 19:23:09.921,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,418,BEGIN_SECTION,Welcome Page
01/15/2005 19:23:09.921,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,656,BEGIN_SECTION,Eula Page
01/15/2005 19:23:09.921,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,662,END_SECTION,Eula Page
01/15/2005 19:23:09.921,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,1211,BEGIN_SECTION,Installing Devices Page
01/15/2005 19:23:09.937,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,1289,BEGIN_SECTION,Installing security
01/15/2005 19:23:19.718,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,1295,END_SECTION,Installing security
01/15/2005 19:23:19.718,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,1297,,SETUP: CallSceSetupRootSecurity started
01/15/2005 19:23:19.718,d:\xpsprtm\base\ntsetup\syssetup\welcome.c,1307,BEGIN_SECTION,Installing PnP devices
01/15/2005 19:23:19.718,d:\xpsprtm\base\ntsetup\syssetup\syssec.c,463,BEGIN_SECTION,SceSetupRootSecurity
01/15/2005 19:23:19.718,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,3543,BEGIN_SECTION,Installing OEM infs
01/15/2005 19:23:19.734,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,3551,END_SECTION,Installing OEM infs
01/15/2005 19:23:19.734,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,3553,BEGIN_SECTION,Precompiling infs
01/15/2005 19:23:19.734,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1514,,SETUP: Entering PrecompileInfFiles()
01/15/2005 19:23:19.750,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: xscan_xp.inf
01/15/2005 19:23:19.796,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv5.inf
01/15/2005 19:23:19.843,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv4.inf
01/15/2005 19:23:19.890,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv3.inf
01/15/2005 19:23:19.921,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv2.inf
01/15/2005 19:23:19.984,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv1.inf
01/15/2005 19:23:20.015,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wtv0.inf
01/15/2005 19:23:20.078,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wstcodec.inf
01/15/2005 19:23:20.140,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wsh.inf
01/15/2005 19:23:20.187,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wpdmtp.inf
SKIPPED A BUNCH
01/15/2005 19:23:20.265,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1590,,SETUP: Pre-compiling file: wordpad.infse\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Network Service 
01/15/2005 19:25:29.921,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 19, Guid = {4D36E974-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:29.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Network Service
01/15/2005 19:25:29.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Network Protocol 
01/15/2005 19:25:29.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 20, Guid = {4D36E975-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:29.984,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Network Protocol
01/15/2005 19:25:30.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: PCMCIA adapters 
01/15/2005 19:25:30.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 21, Guid = {4D36E977-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = PCMCIA adapters
01/15/2005 19:25:30.015,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Ports (COM & LPT) 
01/15/2005 19:25:30.015,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 22, Guid = {4D36E978-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.531,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4667,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) succeeded (phase1). ClassDescription = Ports (COM & LPT)
01/15/2005 19:25:30.531,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,2072,,SETUP:     Index = 0, DeviceId = ROOT\*PNP0501\1_0_17_0_0_0
01/15/2005 19:25:30.656,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4760,,SETUP:         SetupDiCallClassInstaller(DIF_REGISTERDEVICE) failed (phase2). Error = e0000202, DeviceId = ROOT\*PNP0501\1_0_17_0_0_0
01/15/2005 19:25:30.656,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,2072,,SETUP:     Index = 1, DeviceId = ROOT\*PNP0501\1_0_17_1_0_0
01/15/2005 19:25:30.765,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4760,,SETUP:         SetupDiCallClassInstaller(DIF_REGISTERDEVICE) failed (phase2). Error = e0000202, DeviceId = ROOT\*PNP0501\1_0_17_1_0_0
01/15/2005 19:25:30.765,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Printers 
01/15/2005 19:25:30.765,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 23, Guid = {4D36E979-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.812,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Printers
01/15/2005 19:25:30.828,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: SCSI and RAID controllers 
01/15/2005 19:25:30.828,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 24, Guid = {4D36E97B-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.875,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = SCSI and RAID controllers
01/15/2005 19:25:30.890,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: System devices 
01/15/2005 19:25:30.890,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 25, Guid = {4D36E97D-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.921,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = System devices
01/15/2005 19:25:30.937,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Other devices 
01/15/2005 19:25:30.937,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 26, Guid = {4D36E97E-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Other devices
01/15/2005 19:25:30.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Floppy disk drives 
01/15/2005 19:25:30.953,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 27, Guid = {4D36E980-E325-11CE-BFC1-08002BE10318}
01/15/2005 19:25:30.984,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Floppy disk drives
01/15/2005 19:25:31.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Processors 
01/15/2005 19:25:31.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 28, Guid = {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
01/15/2005 19:25:31.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Processors
01/15/2005 19:25:31.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Multi-port serial adapters 
01/15/2005 19:25:31.000,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 29, Guid = {50906CB8-BA12-11D1-BF5D-0000F805F530}
01/15/2005 19:25:31.140,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4667,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) succeeded (phase1). ClassDescription = Multi-port serial adapters
01/15/2005 19:25:31.140,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,2249,,SETUP:     DeviceInfoSet is empty. ClassDescription = Multi-port serial adapters
01/15/2005 19:25:31.140,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Smart card readers 
01/15/2005 19:25:31.140,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 30, Guid = {50DD5230-BA8A-11D1-BF5D-0000F805F530}
01/15/2005 19:25:31.203,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Smart card readers
01/15/2005 19:25:31.218,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Storage volume shadow copies 
01/15/2005 19:25:31.218,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 31, Guid = {533C5B84-EC70-11D2-9505-00C04F79DEAF}
01/15/2005 19:25:31.218,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = Storage volume shadow copies
01/15/2005 19:25:31.218,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: 1394 Debugger Device 
01/15/2005 19:25:31.234,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 32, Guid = {66F250D6-7801-4A64-B139-EEA80A450B24}
01/15/2005 19:25:31.250,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = 1394 Debugger Device
01/15/2005 19:25:31.250,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: IEEE 1394 Bus host controllers 
01/15/2005 19:25:31.265,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 33, Guid = {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
01/15/2005 19:25:31.265,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,4658,,SETUP:     SetupDiCallClassInstaller(DIF_FIRSTTIMESETUP) failed (phase1). Error = e000020e, ClassDescription = IEEE 1394 Bus host controllers
01/15/2005 19:25:31.265,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1816,,SETUP: Installing legacy devices of class: Infrared devices 
01/15/2005 19:25:31.281,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 34, Guid = {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}01/15/2005 19:25:31.328,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,1817,,SETUP:     GuidIndex = 35, Guid = {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}9:25:32.765,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,5334,,SETUP: Device installed. DeviceId = ROOT\MEDIA\MS_MMMCI, Description = Media Control Devices
01/15/2005 19:25:32.765,d:\xpsprtm\base\ntsetup\syssetup\syspnp.c,2419,,SETUP: Installing  device: ROOT\MEDIA\MS_MMVID, GuidIndex = 13, Index = 1
01/15/2005 19:26:20.546,d:\xpclient\base\ntsetup\ocmanage\common\ocsetup.c,938,BEGIN_SECTION,Building file list...
01/15/2005 19:26:21.030,d:\xpclient\base\ntsetup\ocmanage\common\ocsetup.c,1029,END_SECTION,Building file list...
01/15/2005 19:26:21.030,d:\xpclient\base\ntsetup\ocmanage\common\ocsetup.c,1137,BEGIN_SECTION,Preparing for installation...
01/15/2005 19:26:21.077,d:\xpclient\base\ntsetup\ocmanage\common\ocsetup.c,1199,END_SECTION,Preparing for installation...
01/15/2005 19:26:21.077,d:\xpclient\base\ntsetup\ocmanage\common\ocsetup.c,1586,BEGIN_SECTION,Performing configuration...
SKIPPED A BUNCH
01/15/2005 19:26:22.249,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\WINDOWS\Driver Cache\i386\sp2.cab was copied to C:\WINDOWS\system32\DRIVERS\rdpdr.sys.
01/15/2005 19:26:22.296,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\WINDOWS\Driver Cache\i386\sp2.cab was copied to C:\WINDOWS\system32\DRIVERS\termdd.sys.
0115/2005 19:26:22.358,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\cmprops.dl_ was copied to C:\WINDOWS\system32\cmprops.dll.
01/15/2005 19:26:22.390,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\licwmi.dl_ was copied to C:\WINDOWS\system32\licwmi.dll.
01/15/2005 19:26:22.405,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\mmfutil.dl_ was copied to C:\WINDOWS\system32\mmfutil.dll.
01/15/2005 19:26:22.437,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\servdeps.dl_ was copied to C:\WINDOWS\system32\servdeps.dll.
01/15/2005 19:26:22.483,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\cimwin32.dl_ was copied to C:\WINDOWS\system32\WBEM\cimwin32.dll.
01/15/2005 19:26:22.499,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\csv.xs_ was copied to C:\WINDOWS\system32\WBEM\csv.xsl.
01/15/2005 19:26:22.515,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\esscli.dl_ was copied to C:\WINDOWS\system32\WBEM\esscli.dll.
01/15/2005 19:26:22.608,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\i386\fastprox.dl_ was copied to C:\WINDOWS\system32\WBEM\fastprox.dll.
655,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\2052\cscompui.dll.
01/15/2005 19:26:48.671,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\1028\cscompui.dll.
01/15/2005 19:26:48.671,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\1033\cscompui.dll.
01/15/2005 19:26:48.671,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\3082\cscompui.dll.
01/15/2005 19:26:48.687,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\1036\cscompui.dll.
01/15/2005 19:26:48.687,d:\xpsprtm\base\ntsetup\syssetup\log.c,133,,C:\$WIN_NT$.~LS\cmpnents\netfx\i386\netfx.cab was copied to C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\1031\cscompui.dll.
SKIPPED A BUNCH
01/15/2005 19:28:57.265,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\qcap.dll...
01/15/2005 19:28:57.280,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\qcap.dll registered successfully
01/15/2005 19:28:57.327,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\amstream.dll...
01/15/2005 19:28:57.327,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\amstream.dll registered successfully
01/15/2005 19:28:57.374,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\qedit.dll...
01/15/2005 19:28:57.437,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\qedit.dll registered successfully
01/15/2005 19:28:57.468,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\qasf.dll...
01/15/2005 19:28:57.483,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\qasf.dll registered successfully
01/15/2005 19:28:57.515,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\drmstor.dll...
01/15/2005 19:28:57.530,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\drmstor.dll registered successfully
01/15/2005 19:28:57.562,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\drmclien.dll...
01/15/2005 19:28:57.562,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\drmclien.dll registered successfully
01/15/2005 19:28:57.593,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\dxmasf.dll...
01/15/2005 19:28:57.624,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\dxmasf.dll registered successfully
01/15/2005 19:28:57.671,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\sbe.dll...
01/15/2005 19:28:57.687,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32\sbe.dll registered successfully
01/15/2005 19:28:57.733,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,444,,SETUP: file to register is C:\WINDOWS\system32\encdec.dll...
01/15/2005 19:28:57.749,d:\xpsprtm\base\ntsetup\syssetup\ctls.c,467,,SETUP: C:\WINDOWS\system32
SKIPPED A BUNCH
01/01/2005 00:41:06.765,OOBE Trace,0,,HasBroadband: true
01/01/2005 00:41:06.765,OOBE Trace,0,,UseBroadband: true
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,4585,,DISPID_EXTERNAL_GETREGSTATUS
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\status.cpp,356,,DISPID_STATUS_GET_STATUS
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\status.cpp,356,,DISPID_STATUS_GET_STATUS
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\api.cpp,973,,DISPID_API_GET_REGVALUE: 
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\api.cpp,997,,SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE\CKPT: TopOfStack
01/01/2005 00:41:06.765,d:\xpsprtm\base\ntsetup\oobe\msobmain\api.cpp,937,,DISPID_API_SET_REGVALUE: 
KIPPED A BUNCH
01/01/2005 00:41:31.453,d:\xpsprtm\base\ntsetup\oobe\msobcomm\misc.cpp,1113,,Autodial set C:\Documents and Settings\Default User\NTUSER.DAT
01/01/2005 00:41:31.750,d:\xpsprtm\base\ntsetup\oobe\msobcomm\misc.cpp,1002,,Setting ICW Completed key 0x00000000
01/01/2005 00:41:31.750,d:\xpsprtm\base\ntsetup\oobe\msobcomm\misc.cpp,1113,,Autodial set C:\Documents and Settings\Administrator\NTUSER.DAT
01/01/2005 00:41:32.015,d:\xpsprtm\base\ntsetup\oobe\msobcomm\misc.cpp,1198,,LookupAccountName Owner (1332)
01/01/2005 00:41:32.015,d:\xpsprtm\base\ntsetup\oobe\msobmain\language.cpp,579,,DISPID_LANGUAGE_GETREBOOTSTATE
01/01/2005 00:41:34.437,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,3586,,DISPID_EXTERNAL_FINISH
01/01/2005 00:41:34.437,d:\xpsprtm\base\ntsetup\syssetup\cmdline.c,228,,SETUP: SpSetupLoadParameter was unable to find productkey.
01/01/2005 00:41:34.515,d:\xpsprtm\base\ntsetup\syssetup\registry.c,1478,BEGIN_SECTION,SetProductIdInRegistry
01/01/2005 00:41:34.515,d:\xpsprtm\base\ntsetup\syssetup\registry.c,1515,END_SECTION,SetProductIdInRegistry
01/01/2005 00:41:34.765,d:\xpsprtm\base\ntsetup\syssetup\oobe.c,1534,BEGIN_SECTION,RunOEMExtraTasks
01/01/2005 00:41:34.765,d:\xpsprtm\base\ntsetup\syssetup\oobe.c,1575,,Start command :Rundll32.exe: with arguments :fldrclnr.dll,Wizard_RunDLL silent:
01/01/2005 00:41:34.921,d:\xpsprtm\base\ntsetup\syssetup\oobe.c,1607,END_SECTION,RunOEMExtraTasks
01/01/2005 00:41:35.156,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,6976,,Create account Mark in Administrators NTSTATUS(0)
01/01/2005 00:41:38.750,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,6819,,NetUserGetInfo Mark (0x00000000)
01/01/2005 00:41:39.093,d:\xpsprtm\base\ntsetup\oobe\msobmain\msobmain.cpp,6843,,Change Mark password property from 0x00000201 to 0x00010201 (0x00000000)

DMR 152 Wombat At Large Team Colleague · Answer 2 · 2006-05-20T01:30:03+00:00

VIRUSOFDEATH,

You need to:

* Slow down a bit and focus. You are making many rather extreme assumptions based on very scattershot and disparate "facts", some of which actually point to nothing conclusive whatsoever.

* Stop posting IN CAPITAL LETTERS, andstartusingproperpunctuationandspacings; you're posts are extremely difficult to read. We need to be able to easily distill the relevant facts from your (rather lenghty) posts.

* Start posting more specifics about exactly where you have found information regarding this problem, and what exact diagnostic programs you have run. Knowing the name of the rootkit detection programs you have used, and seeing the full and exact text of their reports, would be of help to us. Also- telling us where/how you determined what commands the virus is running and other of its activities would be a Good Thing.

Disregarding the rather broad statements such as: "THE LAST FILE IS PROBABLY ONE OF THE VIRUSES AS MOST OF THE I386 FILES ARE RUN IN SEPERATE PROCESSES.
THE VIRUS IS CONTROLLING ALL THE DRIVES AND INPUT DEVICES BY LOADING THEM WITHIN ITSELF. LITERALLY, THE CD DRIVE IS LOADED IN THE HARD DRIVE...", none of the concrete facts that you have posted (the values of your environment variables, the results of the ZA installation, the contents of the HJT and L2MFix logs, the entries in your autoexec.bat file, etc.) point to anything amiss whatsoever.

confusertech 0 Newbie Poster · Answer 3 · 2006-06-09T08:33:55+00:00

confusertech 0 Newbie Poster

18 Years Ago

Why fight it? Go to killdisk.com

:lol: