Help - Search - Members - Calendar
Full Version: Maleware Problems
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal
   
IowaGuy
May 11 2007, 06:59 PM
All I know for sure is I am infected and of course all the spyware and anti-virus software wont remove it. It originally started when I clicked on this message in a MSN IM message. Even though I knew better than to click it, I did, I guess because I have nude photos of me on some websites, and thought maybe they actually found one! So any way, their scam worked! It don't seem to be to bad - just an occasional pop-up from time to time that never shows a website. Also I don't have a name for what ever I have. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:39:00 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\kgouotec.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Thanks, Rob
Rahina
May 12 2007, 12:36 AM
Hello IowaGuy! Welcome to Bleepingcomputer forums smile.gif

Let's get you clean up.

Step #1

We Have to move Hijackthis to it's own folder because In it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later

Click START>My Computer >right click Local Disk (usually (C:) for most people)>Explore.
Right click an open area in the main panel.
Select New > Folder.
Type in HJT & press Enter

Now We have Created C:\HJT\ folder. Put your HijackThis.exe there.

Step #2

Please download Combofix to your desktop.
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

In your next reply please Post Combofix.txt & Hijackthis Logfile.
IowaGuy
May 12 2007, 09:26 AM
Howdy 0 here are the logs you requested:

"Rob Heidemann" - 2007-05-12 9:06:38 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Rob Heidemann\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fbinvins.dll
C:\WINDOWS\system32\genpewri.dll
C:\WINDOWS\system32\kgouotec.dll
C:\WINDOWS\system32\xtockfix.dll
C:\WINDOWS\system32\xxyaxwu.dll
C:\WINDOWS\system32\cetouogk.ini
C:\WINDOWS\system32\wvusttr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\{34F33~1
C:\Program Files\Common Files\{54F33~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1\s?stem32
C:\qoobox\purity\C\Program Files\STEM32~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-12 08:53 <DIR> d-------- C:\HJT
2007-05-05 13:32 <DIR> d-------- C:\Program Files\Executive Software
2007-05-05 11:58 <DIR> d-------- C:\Program Files\IObit
2007-05-05 11:32 <DIR> d-------- C:\Program Files\CCleaner
2007-05-05 11:17 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12 <DIR> d-------- C:\Program Files\InterMute
2007-05-04 21:24 1,500,767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24 1,397,965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-04-23 21:20 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\.Philips
2007-04-21 18:04 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\Viewpoint
2007-04-18 21:39 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\X10 Commander
2007-04-17 19:39 <DIR> d-------- C:\Program Files\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-12 14:13:24 132,660 ----a-w C:\WINDOWS\system32\pcehfjwb.dll
2007-05-05 16:41:31 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-04 03:41:34 -------- d-----w C:\Program Files\MSN Messenger
2007-05-02 01:38:07 -------- d-----w C:\Program Files\Rhapsody
2007-05-01 02:54:52 -------- d-----w C:\Program Files\mIRC
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 00:10:07 -------- d-----w C:\Program Files\Philips
2007-04-16 11:24:34 -------- d-----w C:\Program Files\Lx_cats
2007-04-13 02:32:57 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 22:15:05 -------- d-----w C:\Program Files\Common Files\i4j_jres
2007-04-09 21:59:56 286,720 ------w C:\WINDOWS\Setup1.exe
2007-04-09 21:59:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-04 01:21:00 -------- d-----w C:\Program Files\ID3man
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-14 16:51:50 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"="C:\WINDOWS\system32\sstqq.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\pcehfjwb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 09:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 9:15:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-12 09:18


Logfile of HijackThis v1.99.1
Scan saved at 9:20:48 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Rahina
May 12 2007, 09:57 AM
Good Work smile.gif

We still have work to do.

Step #1

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Step #3

In your Next reply please post:

C:\Vundofix.txt
C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt
IowaGuy
May 12 2007, 10:32 AM
VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll



Logfile of HijackThis v1.99.1
Scan saved at 10:27:22 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 10:13:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-12 15:13:57 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:14:52 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\Rob Heidemann.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\pcehfjwb.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IFP800 (iriver Internet Audio Player IFP-800) - c:\windows\system32\drivers\ifp800.sys <Not Verified; iRiver, Inc.; IFP-100>
R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R1 BS_I2cIo - c:\windows\system32\drivers\bs_i2cio.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 BCORETH5 (BCORETH5 NDIS Protocol Driver) - c:\windows\system32\bcoreth5.sys <Not Verified; BridgeCo AG, Switzerland; BridgeCo RawEther Driver>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 giveio - c:\windows\system32\giveio.sys
S3 pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 ZZZMPR5 (ZZZMPR5 NDIS Protocol Driver) - c:\windows\system32\zzzmpr5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 09:13:22 132660 --a------ C:\WINDOWS\system32\pcehfjwb.dll
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 21:24:34 1500767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24:22 1397965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23:57 284244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-05-03 21:23:56 284244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{40F095AF-D288-48EE-9AE7-FB59E8BB7078} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\pcehfjwb.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------



Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 3.20GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 702.42 MiB / 288.56 MiB
Pagefile Memory (total/avail): 1721.13 MiB / 1342.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1972.68 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.27 GiB total, 21.38 GiB free.
D: is Fixed (NTFS) - 93.16 GiB total, 26.1 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (UDF)
H: is CDROM (UDF)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1001 [VPS 000739-3] v4.7.1001 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob Heidemann\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HEIDEMAN-C1D0D8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob Heidemann
LOGONSERVER=\\HEIDEMAN-C1D0D8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\MOZILL~1;C:\PROGRA~1\MOZILL~1;C:\Program Files\Mozilla Firefox;C:\Program Files\Outlook Express;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
USERDOMAIN=HEIDEMAN-C1D0D8
USERNAME=Rob Heidemann
USERPROFILE=C:\Documents and Settings\Rob Heidemann
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob Heidemann (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ATI Multimedia Center 8.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{42BC25C4-E224-45FB-8CEF-162D2EEC5A34} /l1033
ATI Remote Wonder 1.4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{41331E03-97D4-421E-BBD1-0A914CFE19BC} /l1033
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\Setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Stylus Photo R260 User's Guide --> C:\Program Files\epson\guide\spr260_e\uninstall.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe /uninstall
ID3man5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ID3man\ID3man.isu"
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
Lexmark 810 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBSUNST.EXE -NOLICENSE
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe F:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
MySpaceIM --> MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
Philips Media Manager 3.3.12.0004 --> C:\Program Files\Philips\Media Manager\uninstall.exe
Philips Wireless Music Receiver Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Philips\Wireless Music Receiver\ST6UNST.LOG"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSC Service Utility v4.20 --> "C:\Program Files\SSC Service Utility\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Wal-Mart Music Downloads Store --> MsiExec.exe /I{A6A13E30-656F-4876-9B03-FBD4D712BB40}
WarpSpeeder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB4EAD4A-8A80-43A5-8B23-78A2F6B26298}\setup.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------
Rahina
May 12 2007, 10:41 AM
Please Re-Scan using Vundofix and post the results in your next reply.
IowaGuy
May 12 2007, 11:36 AM
You guys are fast responders! Here ya go:


VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:23:26 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll
Rahina
May 12 2007, 12:10 PM
Run ComboFix again using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe" /v qqtss.bak1 qqtss.bak2 sstqq.dll

When finished, it shall produce a log for you, which will again be named C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Now, Re-scan using Dss.exe.

Next Please Post:

C:\ComboFix.txt
C:\Deckard\System Scanner\Main.txt
IowaGuy
May 12 2007, 12:24 PM
"Rob Heidemann" - 2007-05-12 12:13:43 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Rob Heidemann\Desktop\"
Command switches used :: "/v qqtss.bak1 qqtss.bak2 sstqq.dll"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pcehfjwb.dll
C:\WINDOWS\system32\bwjfhecp.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\APPLIC~1\DOBE~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1
C:\qoobox\purity\C\DOCUME~1\ROBHEI~1\MYDOCU~1\SSTEM3~1\s?stem32
C:\qoobox\purity\C\Program Files\STEM32~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))


2007-05-12 10:13 <DIR> d-------- C:\Deckard
2007-05-12 10:05 <DIR> d-------- C:\VundoFix Backups
2007-05-12 09:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-12 08:53 <DIR> d-------- C:\HJT
2007-05-05 13:32 <DIR> d-------- C:\Program Files\Executive Software
2007-05-05 11:58 <DIR> d-------- C:\Program Files\IObit
2007-05-05 11:32 <DIR> d-------- C:\Program Files\CCleaner
2007-05-05 11:17 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12 <DIR> d-------- C:\Program Files\InterMute
2007-05-04 21:24 1,500,767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24 1,397,965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-05-03 21:23 284,244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-04-23 21:20 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\.Philips
2007-04-21 18:04 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\Viewpoint
2007-04-18 21:39 <DIR> d-------- C:\DOCUME~1\ROBHEI~1\APPLIC~1\X10 Commander
2007-04-17 19:39 <DIR> d-------- C:\Program Files\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 16:41:31 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-04 03:41:34 -------- d-----w C:\Program Files\MSN Messenger
2007-05-02 01:38:07 -------- d-----w C:\Program Files\Rhapsody
2007-05-01 02:54:52 -------- d-----w C:\Program Files\mIRC
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 00:10:07 -------- d-----w C:\Program Files\Philips
2007-04-16 11:24:34 -------- d-----w C:\Program Files\Lx_cats
2007-04-13 02:32:57 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 22:15:05 -------- d-----w C:\Program Files\Common Files\i4j_jres
2007-04-09 21:59:56 286,720 ------w C:\WINDOWS\Setup1.exe
2007-04-09 21:59:51 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-04 01:21:00 -------- d-----w C:\Program Files\ID3man
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-14 16:51:50 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"="C:\WINDOWS\system32\sstqq.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-12 12:18:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-12 12:18:27
C:\ComboFix-quarantined-files.txt ... 2007-05-12 12:18
C:\ComboFix2.txt ... 2007-05-12 09:15



Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 12:19:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:19:32 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 21:24:34 1500767 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:24:22 1397965 ---hs---- C:\WINDOWS\system32\qqtss.bak1
2007-05-03 21:23:57 284244 ---hs---- C:\WINDOWS\system32\ddabc.dll
2007-05-03 21:23:56 284244 ---hs---- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{40F095AF-D288-48EE-9AE7-FB59E8BB7078} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1200ba9d-2f9e-11db-81aa-806d6172696f}]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 12:20:17 ---------
Rahina
May 12 2007, 01:41 PM
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step #1

Please download the OTMoveIt.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\qqtss.bak2
    C:\WINDOWS\system32\qqtss.bak1
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\sstqq.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O2 - BHO: (no name) - {40F095AF-D288-48EE-9AE7-FB59E8BB7078} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this folder (if present):

C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint

Step #3

Go to Start » Run » type in: regedit » OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

QUOTE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{40F095AF-D288-48EE-9AE7-FB59E8BB7078}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq]

Save this as fix.reg Choose to save as all files and place it on your desktop.

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Step #4

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Step #5

Now, Re-scan using Deckard's System scanner.

In your next reply please post:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt

Also Add Doctor Web Results.

Let me know how thins are running now smile.gif
IowaGuy
May 12 2007, 11:58 PM
Ok I did all your steps, but the files you wanted me to fix did not show up in HiJackThis. Also the file i was to delete was not showing up in Windows Explorer.
Here is the Doctor Web results:
sstqq.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.60;Incurable.Moved.;
fbinvins.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Incurable.Moved.;
genpewri.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.Crew;Incurable.Moved.;
kgouotec.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pcehfjwb.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wvusttr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xtockfix.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xxyaxwu.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0000017.dll;C:\System Volume Information\_restore{AAFE2685-98FA-4B34-A8D9-2924C0C3826E}\RP1;Trojan.Virtumod;Deleted.;
ab_02.exe;C:\WINDOWS;Trojan.DownLoader.17379;Deleted.;
sstqq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
ddabc.dll;C:\_OTMoveIt\MovedFiles\WINDOWS\system32;Trojan.Virtumod;Deleted.;


HERE IS THE DSS LOGS, BUT IT DIDNT APPEAR TO MAKE A NEW EXTRA.TXT

Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-12 at 23:50:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:50:40 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4EDA0FEC-458C-497E-8FB8-720CD64A464E} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-12 and 2007-05-12 -----------------------------

2007-05-12 21:25:51 132660 --a------ C:\WINDOWS\system32\eboinupw.dll
2007-05-12 21:25:47 49204 --a------ C:\WINDOWS\system32\rgjaaklt.dll
2007-05-12 21:25:46 1504926 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:23:56 284244 -----n--- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{4EDA0FEC-458C-497E-8FB8-720CD64A464E} C:\WINDOWS\system32\sstqq.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} C:\WINDOWS\system32\rgjaaklt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\eboinupw.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 23:51:24 ---------





Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 3.20GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 702.42 MiB / 288.56 MiB
Pagefile Memory (total/avail): 1721.13 MiB / 1342.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1972.68 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.27 GiB total, 21.38 GiB free.
D: is Fixed (NTFS) - 93.16 GiB total, 26.1 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (UDF)
H: is CDROM (UDF)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1001 [VPS 000739-3] v4.7.1001 (ALWIL Software)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob Heidemann\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HEIDEMAN-C1D0D8
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob Heidemann
LOGONSERVER=\\HEIDEMAN-C1D0D8
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\PROGRA~1\MOZILL~1;C:\PROGRA~1\MOZILL~1;C:\Program Files\Mozilla Firefox;C:\Program Files\Outlook Express;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBHEI~1\LOCALS~1\Temp
USERDOMAIN=HEIDEMAN-C1D0D8
USERNAME=Rob Heidemann
USERPROFILE=C:\Documents and Settings\Rob Heidemann
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob Heidemann (admin)
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ATI Multimedia Center 8.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{42BC25C4-E224-45FB-8CEF-162D2EEC5A34} /l1033
ATI Remote Wonder 1.4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{41331E03-97D4-421E-BBD1-0A914CFE19BC} /l1033
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\Setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Stylus Photo R260 User's Guide --> C:\Program Files\epson\guide\spr260_e\uninstall.exe
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Rob Heidemann\Desktop\HijackThis.exe /uninstall
ID3man5.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ID3man\ID3man.isu"
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
iriver Music Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{072D2077-9E22-4F7F-B817-A92CA6CCC843}\Setup.exe" -l0x9 anything
iRiver Updater --> \uninst.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark 3100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBRUN5C.EXE -dLexmark 3100 Series
Lexmark 810 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBSUNST.EXE -NOLICENSE
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE132}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe F:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
MySpaceIM --> MsiExec.exe /I{FE242C4A-4AF0-4E9F-ABFF-92CA3CEE8761}
Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
Philips Media Manager 3.3.12.0004 --> C:\Program Files\Philips\Media Manager\uninstall.exe
Philips Wireless Music Receiver Utility --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Philips\Wireless Music Receiver\ST6UNST.LOG"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SSC Service Utility v4.20 --> "C:\Program Files\SSC Service Utility\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Wal-Mart Music Downloads Store --> MsiExec.exe /I{A6A13E30-656F-4876-9B03-FBD4D712BB40}
WarpSpeeder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EB4EAD4A-8A80-43A5-8B23-78A2F6B26298}\setup.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-05-12 at 10:15:55 ---------
Rahina
May 13 2007, 03:35 AM
Thank you, Could you please post Fresh Reports from Deckards system Scanner.

Report's are located here:

C:\Deckard\System Scanner\Main.txt
C:\Deckard\System Scanner\Extra.txt
IowaGuy
May 13 2007, 08:40 AM
For some reason I cant get it to make a new Extra.txt. It only makes Main.txt.

Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-13 at 08:33:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:33:41 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll
O2 - BHO: (no name) - {F410184F-FAFA-A27B-DADB-A328E05263B9} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-13 and 2007-05-13 -----------------------------

2007-05-12 21:25:51 132660 --a------ C:\WINDOWS\system32\eboinupw.dll
2007-05-12 21:25:47 49204 --a------ C:\WINDOWS\system32\rgjaaklt.dll
2007-05-12 21:25:46 1504926 ---hs---- C:\WINDOWS\system32\qqtss.bak2
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-05-03 21:23:56 284244 -----n--- C:\WINDOWS\system32\sstqq.dll
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{D494C649-BCA9-487E-97F5-157174AF87F8} C:\WINDOWS\system32\sstqq.dll
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} C:\WINDOWS\system32\rgjaaklt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WindowsUpdate"="rundll32.exe \"C:\\WINDOWS\\system32\\eboinupw.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqq

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Setup.exe


-- End of Deckard's System Scanner: finished at 2007-05-13 at 08:34:24 ---------
Rahina
May 13 2007, 10:06 AM
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files?
  • Copy & paste the 4 entries below into the top 2 boxes:

    C:\WINDOWS\System32\rgjaaklt.dll
    C:\WINDOWS\system32\tlkaajgr.*

    C:\WINDOWS\SYSTEM32\sstqq.dll
    C:\WINDOWS\SYSTEM32\qqtss.*

  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log, from normal mode.
IowaGuy
May 13 2007, 10:31 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:26:46 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)





VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:05:44 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:23:26 AM 5/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak1
C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

VundoFix V6.3.21

Checking Java version...

Java version is 1.5.0.10

Scan started at 10:11:22 AM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\sstqq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qqtss.bak2
C:\WINDOWS\system32\qqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\rgjaaklt.dll
C:\WINDOWS\System32\rgjaaklt.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sstqq.dll
C:\WINDOWS\SYSTEM32\sstqq.dll Has been deleted!

Performing Repairs to the registry.
Done!
Rahina
May 13 2007, 12:04 PM
Well done smile.gif

Step #1

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O2 - BHO: (no name) - {D494C649-BCA9-487E-97F5-157174AF87F8} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\rgjaaklt.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\eboinupw.dll",realset

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

Step #2

Please go Here to see how to show hidden files in windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\system32\eboinupw.dll

When you are ready with that, please Re-scan With Deckard's system scan and post a fresh Main.txt Logfile in your next reply.

Thanks smile.gif
IowaGuy
May 13 2007, 02:11 PM
Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-13 at 14:06:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:06:29 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-13 and 2007-05-13 -----------------------------

2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-04-03 20:21:00 0 d-------- C:\Program Files\ID3man
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-13 at 14:07:00 ---------
Rahina
May 13 2007, 02:24 PM
Looks good.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #2

Download ATF-Cleaner by Atribune to your desktop.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step #3

Please run Panda's ActiveScan You will need to use Internet Explorer to run it.

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report

Let me know how things are now smile.gif
IowaGuy
May 13 2007, 04:55 PM
Things seem to be getting better, but they never were to bad. Here is the report:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Rob Heidemann\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine\fbinvins.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine\genpewri.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Rahina
May 14 2007, 10:46 AM
Glad to hear things are running better smile.gif

Please Locate Doctor Web's Quarantine Folder:

Remove everything inside of this folder.

C:\Documents and Settings\Rob Heidemann\DoctorWeb\Quarantine

Please go Here to see how to show hidden files in windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\WINDOWS\nircmd.exe

Please Re-scan One more time with Deckard's system scanner and post a fresh Main.txt

Thanks
IowaGuy
May 14 2007, 06:26 PM
Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-14 at 18:22:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:22:40 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
R3 - URLSearchHook: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-14 and 2007-05-14 -----------------------------

2007-05-13 21:12:04 0 d-------- C:\Program Files\Star_Media_Tuner
2007-05-13 15:47:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-17 19:39:30 0 d-------- C:\Program Files\Skype


-- Find3M Report ---------------------------------------------------------------

2007-05-13 16:09:02 0 d-------- C:\Program Files\Lexmark 3100 Series
2007-05-13 16:07:51 0 d-------- C:\Program Files\ID3man
2007-05-13 16:05:59 0 d-------- C:\Program Files\ATI Multimedia
2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 20:25:55 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-30 21:54:52 0 d-------- C:\Program Files\mIRC
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-02-14 11:51:50 5248 --a------ C:\WINDOWS\system32\giveio.sys


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{073a0daa-e2e0-4b30-b256-a19a5a456702} C:\Program Files\Star_Media_Tuner\tbStar.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\ISUSPM.exe\" -scheduler"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-14 at 18:23:07 ---------
Rahina
May 14 2007, 11:56 PM
Good, How are things now ?
IowaGuy
May 15 2007, 04:04 PM
Things seem normal again. Haven't noticed any pop ups or redirects lately! Thanks so much, hopefully I don't do anything stupid like that again!
Rahina
May 15 2007, 11:26 PM
Good smile.gif

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore.
If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
  2. From within Internet Explorer click on the Tools menu and then click on Options.
  3. Click once on the Security tab
  4. Click once on the Internet icon so it becomes highlighted.
  5. Click once on the Custom Level button.
    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialize and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install AVG Anti-Spyware - Install and download AVG Anti-Spyware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using AVG Anti-Spyware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Let me know if you still receive problems smile.gif
IowaGuy
May 20 2007, 09:19 PM
Hello! I am hoping you or someone there can help me one more time! I clicked on a link again (I don't know why I'm so stupid!) and it started to do its thing, but I interrupted it. I also deleted anything I could find of the program, but I'm sure there is still some debris left on my computer. The only problems I notice is the computer don't seem to want to shut down and the Task Manager was disabled. I did get the Task Manager fixed by myself! If you could help me once more I'd so appreciate it! Thanks, Rob
Rahina
May 21 2007, 12:31 AM
Oh.. mellow.gif

Run Deckard's System Scanner.

Post a fresh Main.txt in your next reply.

Thank you.
IowaGuy
May 21 2007, 05:10 PM
Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-21 at 17:05:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:05:41 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
R3 - URLSearchHook: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Star_Media_Tuner toolbar - {073a0daa-e2e0-4b30-b256-a19a5a456702} - C:\Program Files\Star_Media_Tuner\tbStar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-21 and 2007-05-21 -----------------------------

2007-05-19 21:42:41 0 d-------- C:\Program Files\Bifrost
2007-05-19 21:42:41 22040 --a------ C:\Documents and Settings\Rob Heidemann\Application Data\addon.dat
2007-05-19 21:42:38 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-05-19 21:41:40 1195967 --a------ C:\server.exe
2007-05-17 19:27:06 36864 --a------ C:\WINDOWS\system32\sp2.exe <Not Verified; Olympus 400; Project1>
2007-05-16 15:32:10 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\WinPatrol
2007-05-16 15:32:06 0 d-------- C:\Program Files\BillP Studios
2007-05-13 21:12:04 0 d-------- C:\Program Files\Star_Media_Tuner
2007-05-13 15:47:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center
2007-04-23 21:20:25 0 d-------- C:\Documents and Settings\Rob Heidemann\.Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint


-- Find3M Report ---------------------------------------------------------------

2007-05-20 21:05:41 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-20 18:01:41 0 d-------- C:\Program Files\mIRC
2007-05-16 15:47:21 0 d-------- C:\Program Files\SpywareBlaster
2007-05-13 16:09:02 0 d-------- C:\Program Files\Lexmark 3100 Series
2007-05-13 16:07:51 0 d-------- C:\Program Files\ID3man
2007-05-13 16:05:59 0 d-------- C:\Program Files\ATI Multimedia
2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 21:29:52 0 d-------- C:\Program Files\Skype
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{073a0daa-e2e0-4b30-b256-a19a5a456702} C:\Program Files\Star_Media_Tuner\tbStar.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-21 at 17:06:06 ---------

Rahina
May 22 2007, 12:13 AM
Hello!

Step #1

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step #2

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #3

Please run Panda's ActiveScan You will need to use Internet Explorer to run it.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report

IowaGuy
May 22 2007, 06:02 PM
Here is the Active Scan for ya!

Incident Status Location

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.go.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bravenet.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Rob Heidemann\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Virus:W32/MsnPhoto.A.worm Disinfected C:\Documents and Settings\Rob Heidemann\Local Settings\Temporary Internet Files\Content.IE5\RWWOO15E\fotos_posse[1].zip[Mis imágenes/yo_posse_007.jpg.exe]
Virus:Bck/Bifrose.ATW Disinfected C:\Program Files\Bifrost\server.exe
Virus:Bck/Bifrose.ATW Disinfected C:\server.exe
Virus:Trj/Agent.EAZ Disinfected C:\VundoFix Backups\rgjaaklt.dll.bad
Virus:W32/MsnPhoto.A.worm Disinfected C:\WINDOWS\system32\sp2.exe
Rahina
May 24 2007, 07:51 AM
Hello, Sorry For the delay getting to you.

Please go Here to see how to show hidden files in windows.

Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Documents and Settings\Rob Heidemann\Local Settings\Temporary Internet Files\Content.IE5\RWWOO15E\fotos_posse[1].zip

Please Locate the following folders:

C:\Program Files\Bifrost

Delete that folder if found.

C:\VundoFix\Backups

Empty it, ( Delete everything inside )

Go to Virustotal
Copy the following to the box next to "Browse" button:
  • C:\WINDOWS\system32\sp2.exe
Click on Send, Wait for the scan to end.

Let me know the results.
IowaGuy
May 24 2007, 07:42 PM
Ok, I did everything you said, but I cant find the C:\WINDOWS\system32\sp2.exe file. I did type it in, and it just said zero bytes. Also, I would of got this back to you alot sooner, but of course Virustotal was offline for a while.
Rahina
May 25 2007, 08:05 AM
Could you please Post a Fresh Main.txt, let's see if we can find something there.

Also, I will be out of town this weekend and i will hopefully get back on Sunday!

Thanks smile.gif
IowaGuy
May 25 2007, 05:23 PM
Here is the new main text. See ya soon.

Deckard's System Scanner v20070426.43
Run by Rob Heidemann on 2007-05-25 at 17:17:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob Heidemann.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:17:52 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Rob Heidemann\My Documents\Downloads\dss.exe
C:\HJT\ROBHEI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/dmx/?mystation=KALO
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- Files created between 2007-04-25 and 2007-05-25 -----------------------------

2007-05-19 21:42:41 22040 --a------ C:\Documents and Settings\Rob Heidemann\Application Data\addon.dat
2007-05-19 21:42:38 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-05-16 15:32:10 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\WinPatrol
2007-05-16 15:32:06 0 d-------- C:\Program Files\BillP Studios
2007-05-13 15:47:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-12 20:45:10 0 d-------- C:\Documents and Settings\Rob Heidemann\DoctorWeb
2007-05-12 20:32:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-05-12 20:30:18 51822868 --a------ C:\RegBackup.reg
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-12 20:06:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-05-12 20:06:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-12 20:06:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-12 20:06:04 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-12 20:06:04 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-12 20:06:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-12 20:06:03 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-12 10:05:44 0 d-------- C:\VundoFix Backups
2007-05-12 08:53:23 0 d-------- C:\HJT
2007-05-05 13:32:44 0 d-------- C:\Program Files\Executive Software
2007-05-05 11:58:45 0 d-------- C:\Program Files\IObit
2007-05-05 11:37:00 0 dr-h----- C:\Documents and Settings\Rob Heidemann\Recent
2007-05-05 11:32:05 0 d-------- C:\Program Files\CCleaner
2007-05-05 11:18:03 2013 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-05-05 11:17:29 0 d-------- C:\Program Files\RogueRemover PRO
2007-05-05 11:12:40 0 d-------- C:\Program Files\InterMute
2007-05-04 17:30:21 0 d-------- C:\Program Files\Windows Live Safety Center


-- Find3M Report ---------------------------------------------------------------

2007-05-22 17:03:03 0 d-------- C:\Program Files\Lexmark 3100 Series
2007-05-22 17:01:53 0 d-------- C:\Program Files\ID3man
2007-05-22 17:00:03 0 d-------- C:\Program Files\ATI Multimedia
2007-05-21 21:38:22 0 d-------- C:\Program Files\mIRC
2007-05-20 21:05:41 4 --a------ C:\WINDOWS\system32\B4B166
2007-05-16 15:47:21 0 d-------- C:\Program Files\SpywareBlaster
2007-05-08 21:31:03 0 d-------- C:\Program Files\Java
2007-05-08 21:29:52 0 d-------- C:\Program Files\Skype
2007-05-05 11:41:31 0 d-------- C:\Program Files\Common Files\AOL
2007-05-03 22:41:34 0 d-------- C:\Program Files\MSN Messenger
2007-05-01 20:38:07 0 d-------- C:\Program Files\Rhapsody
2007-04-24 19:10:07 0 d-------- C:\Program Files\Philips
2007-04-21 18:04:13 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\Viewpoint
2007-04-18 21:39:54 0 d-------- C:\Documents and Settings\Rob Heidemann\Application Data\X10 Commander
2007-04-16 06:24:34 0 d-------- C:\Program Files\Lx_cats
2007-04-12 21:32:57 0 d-------- C:\Program Files\Wal-Mart Music Downloads Store
2007-04-09 17:15:05 0 d-------- C:\Program Files\Common Files\i4j_jres
2007-04-09 16:59:51 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SmartDefrag"="\"C:\\Program Files\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-05-25 at 17:18:19 ---------

Rahina
May 27 2007, 01:48 PM
Things Look Good.

Please Run Panda Active Scan One more time And let me know the results and how you system is acting now smile.gif
IowaGuy
May 28 2007, 12:12 PM
My system seems to be ad and virus free, but at time some programs seem to take a while to open and a few freeze on me. Probably nothing to do with adware, but thought I'd throw that out there. Here is the report:


Incident Status Location

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.go.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[www.winantiviruspro.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Rob Heidemann\Application Data\Mozilla\Firefox\Profiles\tdbacoaj.default\cookies.txt[.bravenet.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Rob Heidemann\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Rahina
May 28 2007, 12:50 PM
Looks good.

You can remove cookies using ATF-Cleaner regulary.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore.
If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore
    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
  2. From within Internet Explorer click on the Tools menu and then click on Options.
  3. Click once on the Security tab
  4. Click once on the Internet icon so it becomes highlighted.
  5. Click once on the Custom Level button.
    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialize and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install AVG Anti-Spyware - Install and download AVG Anti-Spyware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using AVG Anti-Spyware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Let me know if you still receive problems smile.gif
Rahina
Jun 2 2007, 07:16 AM
This Issue Seems to Be Resolved, i'm glad i was able to help smile.gif

This topic will be closed now, if you nead it re-opened contact me via Private message.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.