Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zlob Dns Changer


  • This topic is locked This topic is locked
32 replies to this topic

#1 joshiscoolest

joshiscoolest

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 05 September 2007 - 11:59 AM

I have recently gotten Zlob DNSChanger. I have run AdAware, AVG Virus Scan, SpyBot, Super Anti-Spyware and Trojan Remover. I have also run all of these in Safe Mode. Many of the programs find the virus and say that they have cleaned it up but it still remains.

I notice it when I open Internet windows in new tabs. It has not affected my home page, only when I surf the web. If I use google for a search and the use "open in new tab" option, it usually takes me to some strange sites. I can just use the back button to get to what I originally clicked on but it is a pain in the butt. I am also wondering what else this virus may be doing to the rest of the machine.

Trojan Remover runs a quick scan at startup and tells me that it has found a problem in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\"system" and it is trying to run C:\Windows\system32\kdfwz.exe. Trojan Remover says that it can't scan this file because it is being blocked. The only option I have is to ignore this file on startup scan. I am no expert, but I am thinking the problem lies right there.

I went into regedit and found the "system" file that it is referring to but I am afraid to do anything to it as I don't know what it will do.

Any help that anyone can provide will be greatly appreciated.

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:53 PM, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{777D4C18-DD6D-415F-B50C-77BA5AC5709A}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9270 bytes

BC AdBot (Login to Remove)

 


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 05 September 2007 - 01:51 PM

Hello joshiscoolest and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Step #2

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{777D4C18-DD6D-415F-B50C-77BA5AC5709A}: NameServer = 85.255.114.57,85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}: NameServer = 85.255.114.57,85.255.112.186


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
In your next post please include the following reports:
  • FixWareout report
  • dss scan reports main.txt and extra.txt
Let me know how the things went.

Regards,

Edited by SNOWHITE, 05 September 2007 - 01:53 PM.

SNOWHITE
Posted Image

#3 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 05 September 2007 - 02:39 PM

Thankyou so much for your help SNOWHITE.

I ran FixWareout from your link and it did what you said it would. I will post the log file at the end of this post.

When I got to step 2 and tried to check the boxes next to the entries from HijackThis they were different then they were before. This time it was :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:51 PM, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8458 bytes


As you can see... the 017 entries have different numbers in them then they did before. I am not sure if that is important or not but I figured I would post it here and ask your opinion before I did anything.

Thanks again for your help.

Fixwareout Log:

Username "HP_Owner" - 05/09/2007 15:24:58 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfwz.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{777D4C18-DD6D-415F-B50C-77BA5AC5709A}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E4F88170-6C2D-46A5-B06C-931DE5B8C984}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdfwz.ren 71219 13/06/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9FA.EXE /P30 \"EPSON Stylus Photo R320 Series\" /O6 \"USB002\" /M \"Stylus Photo R320\""
"D-Link Wireless G WUA-1340"="C:\\Program Files\\D-Link\\Wireless G WUA-1340\\AirGCFG.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 05 September 2007 - 02:44 PM

OK, thanks for letting me know

Please proceed with step 3 from my previous post :thumbsup:
SNOWHITE
Posted Image

#5 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 05 September 2007 - 03:17 PM

Just so we are clear. I have done step 3 and will post the two log files. I have not done any of step 2. When I saw that those numbers in the HijackThis log file were different I closed it and contacted you.

Extra.txt

Username "HP_Owner" - 05/09/2007 15:24:58 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfwz.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{777D4C18-DD6D-415F-B50C-77BA5AC5709A}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}
"nameserver"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{17E0EC55-C442-4DEA-981B-3A84E0ED5671}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{74173CD4-5CBF-4D8A-BECA-A3646AFF7CE7}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E4F88170-6C2D-46A5-B06C-931DE5B8C984}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EB487D0F-7866-4B61-973E-D38ACC7E4A5F}
"DhcpNameServer"="85.255.114.57,85.255.112.186" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdfwz.ren 71219 13/06/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9FA.EXE /P30 \"EPSON Stylus Photo R320 Series\" /O6 \"USB002\" /M \"Stylus Photo R320\""
"D-Link Wireless G WUA-1340"="C:\\Program Files\\D-Link\\Wireless G WUA-1340\\AirGCFG.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Main.txt

Deckard's System Scanner v20070826.66
Run by HP_Owner on 2007-09-05 16:07:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
105: 2007-09-05 20:07:18 UTC - RP703 - Deckard's System Scanner Restore Point
104: 2007-09-05 19:23:43 UTC - RP702 - Sept. 05 JH
103: 2007-09-05 17:36:34 UTC - RP701 - Software Distribution Service 3.0
102: 2007-09-04 19:36:31 UTC - RP700 - Sept. 04 JH
101: 2007-09-04 18:10:55 UTC - RP699 - Removed GameTap


-- First Restore Point --
1: 2007-06-07 19:25:53 UTC - RP599 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:51 PM, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8458 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 CDRPDACC (Arrowkey Device Access) - c:\program files\321studios\shared\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-05 09:52:13 370 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-05-01 11:58:57 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-08-05 and 2007-09-05 -----------------------------

2007-09-04 16:27:50 0 d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-09-04 15:07:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2007-09-04 14:44:42 0 d-------- C:\Program Files\BearShare
2007-09-04 12:28:05 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-04 12:27:36 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-09-04 12:27:36 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-09-04 12:27:36 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-09-04 12:27:36 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-09-04 12:27:36 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-09-04 12:27:35 0 d-------- C:\Program Files\Trojan Remover
2007-09-04 12:27:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Simply Super Software
2007-09-04 12:27:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-09-03 14:08:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-01 14:15:31 0 dr-h----- C:\$VAULT$.AVG
2007-09-01 10:03:40 0 d-------- C:\Program Files\DVDFab Platinum 3
2007-08-31 11:43:23 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\AVG7
2007-08-31 11:43:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-31 11:42:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-31 11:30:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-08-29 14:26:12 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-29 14:26:03 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 14:26:03 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-28 16:51:28 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-08-28 16:51:28 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-08-28 16:51:28 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-08-28 16:51:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-08-28 16:51:27 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-08-28 16:51:27 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-08-28 16:51:27 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-08-28 16:51:27 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-08-28 16:51:27 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-08-28 16:51:27 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-08-28 16:51:27 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-08-28 16:51:27 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-08-28 16:51:27 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-08-28 16:51:27 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-08-28 16:51:26 1048576 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-24 12:38:06 0 d-------- C:\Program Files\Lavasoft
2007-08-24 12:38:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-24 12:37:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 14:14:29 0 d-------- C:\Downloads
2007-08-21 15:30:36 159845 --a------ C:\WINDOWS\MPEG-4 Booster Pack Uninstaller.exe
2007-08-21 15:30:16 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\River Past G4
2007-08-21 15:26:23 163426 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-08-21 15:26:22 0 d-------- C:\Program Files\River Past
2007-08-21 15:26:22 0 d-------- C:\Program Files\Common Files\River Past
2007-08-21 15:26:22 0 d-------- C:\Documents and Settings\All Users\Application Data\River Past G4
2007-08-21 13:34:58 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\DivX
2007-08-21 13:28:09 0 d-------- C:\Program Files\DivX
2007-08-21 13:28:09 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Dr. DivX 2.0 OSS


-- Find3M Report ---------------------------------------------------------------

2007-09-04 21:25:38 0 d-------- C:\Program Files\PartyGaming.Net
2007-09-04 14:13:12 0 d-------- C:\Program Files\Visual Business Cards
2007-09-04 14:11:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-04 14:09:44 0 d-------- C:\Program Files\SlySoft
2007-09-01 16:02:50 14 --a------ C:\WINDOWS\popcinfo.dat
2007-09-01 10:04:21 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\Vso
2007-09-01 10:03:46 34 --a------ C:\Documents and Settings\HP_Owner\Application Data\pcouffin.log
2007-09-01 10:03:42 47360 --a------ C:\Documents and Settings\HP_Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-09-01 10:03:42 1144 --a------ C:\Documents and Settings\HP_Owner\Application Data\pcouffin.inf
2007-09-01 10:03:42 7887 --a------ C:\Documents and Settings\HP_Owner\Application Data\pcouffin.cat
2007-08-24 12:37:44 0 d-------- C:\Program Files\Common Files
2007-08-22 17:26:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-29 17:56:27 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2007-07-29 17:34:42 0 d-------- C:\Program Files\Electronic Arts
2007-07-26 23:33:18 0 d-------- C:\Program Files\Common Files\EasyInfo
2007-07-26 13:46:35 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\My Battle for Middle-earth™ II Files
2007-07-25 22:53:34 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:50:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-25 22:50:34 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-25 22:50:22 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-25 22:50:22 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-25 22:50:22 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-25 22:50:22 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-25 22:49:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-20 14:19:58 81920 --a------ C:\Documents and Settings\HP_Owner\Application Data\ezpinst.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [26/04/2004 03:00 AM]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [15/12/2005 12:19 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [31/08/2007 11:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16/02/2007 10:54 AM]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [29/08/2007 08:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 03:00 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [09/10/2004 02:18 AM 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y]
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y1]
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\system32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"




-- End of Deckard's System Scanner: finished at 2007-09-05 16:12:51 ------------

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 05 September 2007 - 09:09 PM

Just so we are clear. I have done step 3 and will post the two log files. I have not done any of step 2. When I saw that those numbers in the HijackThis log file were different I closed it and contacted you.


Don't worry i did understand you the first time and it was good that you decided to contact me before proceeding with next step, thanks again :flowers:
Those entries that i asked you to remove with HijackThis were missing because FixWareout already removed them without problem, which is good.

Mistakenly you have posted wrong report to me, instead of the contents of Extra.txt, you have posted FixWareout report again, you should find extra.txt at this location :
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to this file (if present):
C:\Deckard\System Scanner\extra.txt < double click on it and copy&paste the report back here :thumbsup:

If you cant find it, its ok, just let me know.

Please follow the steps below exactly in the order they are written:

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab



Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next post please include the following reports:
  • extra.txt report
  • combofix report
  • New HijackThis log, created after running combofix
Let me know how the things went.

Should you have any questions, please feel free to ask.

Regards,
SNOWHITE
Posted Image

#7 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 10:40 AM

Good Morning Snowhite!

EXTRA.txt REPORT

Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3200+
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 511.48 MiB / 295.34 MiB
Pagefile Memory (total/avail): 1153.9 MiB / 923.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1970.57 MiB

C: is Fixed (NTFS) - 180.5 GiB total, 97.34 GiB free.
D: is Fixed (FAT32) - 5.79 GiB total, 0.76 GiB free.
E: is CDROM (UDF)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3200822A - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 5.8 GiB - D:
\PARTITION1 (bootable) - Installable File System - 180.5 GiB - C:

\\.\PHYSICALDRIVE5 - EPSON Stylus Storage USB Device

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.485 v7.5.485 (GRISOFT)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"="C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe:*:Enabled:Star Wars Galactic Battlegrounds: Clone Campaigns"
"C:\\Westwood\\RA2\\game.exe"="C:\\Westwood\\RA2\\game.exe:*:Enabled:Main executable for Red Alert 2"
"C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"="C:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat"="C:\\Program Files\\EA Games\\The Battle for Middle-earth ™\\game.dat:*:Enabled:The Battle for Middle-earth ™"
"C:\\Program Files\\Giant\\LEGO Star Wars Game\\LegoStarwars.exe"="C:\\Program Files\\Giant\\LEGO Star Wars Game\\LegoStarwars.exe:*:Enabled:Launch Lego Star Wars"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Enabled:Zoo Tycoon 2 Executable"
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"="C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Disabled:SAgent4"
"C:\\WINDOWS\\system32\\drivers\\etc\\system.exe"="C:\\WINDOWS\\system32\\drivers\\etc\\system.exe:*:Disabled:system"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\fpupdate.exe:*:Enabled:fpupdate"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\LaunchEAW.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\LaunchEAW.exe:*:Enabled:Play Star Wars Empire at War"
"C:\\Westwood\\RA2\\gamemd.exe"="C:\\Westwood\\RA2\\gamemd.exe:*:Enabled:Main executable for Yuri's Revenge"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"="C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE:*:Enabled:Worms 4 Mayhem"
"C:\\Program Files\\Yahoo! Games\\Cubis Gold 2\\cubis2.exe"="C:\\Program Files\\Yahoo! Games\\Cubis Gold 2\\cubis2.exe:*:Enabled:cubis2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars: Empire at War"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HP_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TMANHOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HP_Owner
LOGONSERVER=\\TMANHOME
MIGO_DRIVE=M
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\PROGRA~1\COMMON~1\ULEADS~1\Mpeg;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\HP_Owner\LOCALS~1\Temp
USERDOMAIN=TMANHOME
USERNAME=HP_Owner
USERPROFILE=C:\Documents and Settings\HP_Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HP_Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Installshield Installation Information\{1002F322-18D1-4A79-95C8-84EA3E940287}\QBReplace.exe {1002F322-18D1-4A79-95C8-84EA3E940287}#{97397C17-A929-4a6b-A68D-17829274C6CB}
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
--> VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Agere Systems PCI Soft Modem --> agrsmdel
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1033
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BearFlix --> C:\PROGRA~1\BearFlix\UNWISE.EXE C:\PROGRA~1\BearFlix\INSTALL.LOG
BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
Call of Duty® 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033
Cubis Gold 2 --> C:\PROGRA~1\YAHOO!~1\CUBISG~1\UNWISE.EXE C:\PROGRA~1\YAHOO!~1\CUBISG~1\INSTALL.LOG
CueClub --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\Real\RealGames\CueClub\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Region+CSS Free 5.9.8.5 --> "C:\Program Files\DVD Region+CSS Free\unins000.exe"
DVD Shrink 3.1.4 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVD X Copy Platinum 4.0.3 --> "C:\Program Files\321Studios\Platinum\uninstall.exe"
DVD X Rescue --> C:\PROGRA~1\321STU~1\DVDXRE~1\UNWISE.EXE C:\PROGRA~1\321STU~1\DVDXRE~1\INSTALL.LOG
DVDFab Platinum 3.1.7.6 Ghosthunter release --> "C:\Program Files\DVDFab Platinum 3\unins000.exe"
DVDXCopy Platinum 4.0.3 --> "C:\Program Files\321Studios\uninstall.exe"
Dynomite Deluxe 2.71 --> C:\Program Files\PopCap Games\Dynomite Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Dynomite Deluxe\Install.log"
EA SPORTS online 2005 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESPR320 Reference Guide --> C:\Program Files\epson\guide\spr320_le\uninstall.exe
FreeRIP v2.944 --> "C:\Program Files\FreeRIP2\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 4.2 --> C:\Program Files\HP\Digital Imaging\{5E1494D4-3562-4FFB-B35C-600F80F6934C}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 4.0 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update --> MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
HPIZ402 --> MsiExec.exe /X{8D9768AE-DE42-4A04-A461-2361A58C384D}
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
K-Lite Codec Pack 2.73 Full Beta 1 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Lexmark Supplies Monitor --> C:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z65 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXALUN5C.EXE -dLexmark Z65
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9242864-2841-4ADE-86E0-8F90F91B04DD}\setup.exe" -l0x9
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Need for Speed™ Carbon --> C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe
Need for Speed™ Most Wanted --> C:\Program Files\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PartyPokerNet --> "C:\Program Files\PartyGaming.Net\PartyPokerNet\Uninstall.exe" "C:\Program Files\PartyGaming.Net\PartyPokerNet\install.log"
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickBooks Pro Edition 2006 --> C:\Program Files\Installshield Installation Information\{C4168479-5416-4224-8BE9-E4349642595B}\QBReplace.exe {C4168479-5416-4224-8BE9-E4349642595B}#{9058A930-BC63-4FA9-A35B-D74BE4054F40}
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
River Past MPEG-4 Booster Pack --> C:\WINDOWS\MPEG-4 Booster Pack Uninstaller.exe
River Past Video Cleaner Pro --> C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9
S3 S3Display --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2 --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay --> vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars Empire at War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}\Setup.exe" -l0x9 -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Battle for Middle-earth ™ --> C:\Program Files\EA GAMES\The Battle for Middle-earth ™\EAUninstall.exe
The Battle for Middle-earth ™ II --> C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\EAUninstall.exe
The Lord of the Rings, The Rise of the Witch-king --> C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\EAUninstall.exe
Trojan Remover 6.6.2 --> "C:\Program Files\Trojan Remover\unins000.exe"
Ulead DVD MovieFactory 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{448AB2CB-C94A-47DE-80B8-9D7824DEFA57}\setup.exe" -l0x9
Updates from HP --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 309731
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> VTsetvga.exe -s -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\hg201hp.inf
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
VSO Inspector 1.2.5 --> "C:\Program Files\vso\tools\unins000.exe"
Westwood Shared Internet Components --> C:\Westwood\Internet\UNINSTAP.EXE
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless G WUA-1340 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{71FD28F7-E697-40B4-8DC9-91E8B1B9AEE9}
Worms 4 Mayhem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45E7C481-3EF4-4FCB-AF0B-19F70D618F0C}\setup.exe" -l0x9 -removeonly
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zoo Tycoon 2 --> "C:\Program Files\Microsoft Games\Zoo Tycoon 2\UNINSTAL.EXE" /runtemp /uninstall
Zoo Tycoon Expanded --> "C:\Program Files\Microsoft Games\Zoo Tycoon\UNINSTAL.EXE" /runtemp /addremove


-- Application Event Log -------------------------------------------------------

Event Record #/Type16808 / Error
Event Submitted/Written: 09/05/2007 00:22:33 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.5730.11, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type16804 / Error
Event Submitted/Written: 09/05/2007 00:02:59 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
Processing media-specific event for [pprekop.exe!ws!]

Event Record #/Type16803 / Error
Event Submitted/Written: 09/04/2007 10:58:58 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
Processing media-specific event for [pprekop.exe!ws!]

Event Record #/Type16802 / Error
Event Submitted/Written: 09/04/2007 10:58:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application PartyGamingNet.exe, version 1.0.0.115, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type16801 / Error
Event Submitted/Written: 09/04/2007 10:32:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
Processing media-specific event for [pprekop.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type49245 / Warning
Event Submitted/Written: 09/05/2007 03:26:58 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\TMANWORK on the network \Device\NetBT_Tcpip_{777D4C18-DD6D-415F-B50C-77BA5AC5709A}.
The data is the error code.

Event Record #/Type49237 / Warning
Event Submitted/Written: 09/05/2007 03:26:38 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001195CF58B4. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type49167 / Error
Event Submitted/Written: 09/04/2007 09:40:51 PM
Event ID/Source: 19 / Print
Event Description:
Sharing printer failed + 1722, Printer Lexmark Z65 share name Printer2.

Event Record #/Type49158 / Warning
Event Submitted/Written: 09/04/2007 04:17:30 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\TMANWORK on the network \Device\NetBT_Tcpip_{777D4C18-DD6D-415F-B50C-77BA5AC5709A}.
The data is the error code.

Event Record #/Type49157 / Warning
Event Submitted/Written: 09/04/2007 03:27:29 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\TMANWORK on the network \Device\NetBT_Tcpip_{777D4C18-DD6D-415F-B50C-77BA5AC5709A}.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2007-09-05 16:12:51 ------------





COMBOFIX REPORT


ComboFix 07-08-30.3 - "HP_Owner" 2007-09-06 11:26:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\TriJinx.1.0.0.55
C:\WINDOWS\system32\drivers\sfsync02.sys
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 11:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 16:06 <DIR> d-------- C:\Deckard
2007-09-04 16:27 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
2007-09-04 15:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-09-04 14:44 <DIR> d-------- C:\Program Files\BearShare
2007-09-04 12:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-04 12:27 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-09-04 12:27 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-09-04 12:27 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-09-04 12:27 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-09-04 12:27 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-09-04 12:27 <DIR> d-------- C:\Program Files\Trojan Remover
2007-09-04 12:27 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Simply Super Software
2007-09-04 12:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-09-03 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-01 10:03 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-08-29 14:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 14:26 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-08-24 12:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-24 12:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 14:14 <DIR> d-------- C:\Downloads
2007-08-21 15:30 159,845 --a------ C:\WINDOWS\MPEG-4 Booster Pack Uninstaller.exe
2007-08-21 15:30 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\River Past G4
2007-08-21 15:26 163,426 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-08-21 15:26 <DIR> d-------- C:\Program Files\River Past
2007-08-21 15:26 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-08-21 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G4
2007-08-21 13:34 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\DivX
2007-08-21 13:32 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-21 13:32 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-21 13:32 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-08-21 13:32 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-08-21 13:32 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-08-21 13:28 <DIR> d-------- C:\Program Files\DivX
2007-08-21 13:28 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Dr. DivX 2.0 OSS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 21:25 --------- d-------- C:\Program Files\PartyGaming.Net
2007-09-04 14:13 --------- d-------- C:\Program Files\Visual Business Cards
2007-09-04 14:11 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-04 14:09 --------- d-------- C:\Program Files\SlySoft
2007-09-01 10:04 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Vso
2007-09-01 10:03 87608 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\inst.exe
2007-09-01 10:03 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-01 10:03 47360 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\pcouffin.sys
2007-08-22 17:26 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-22 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 17:56 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\My The Lord of the Rings, The Rise of the Witch-king Files
2007-07-29 17:34 --------- d-------- C:\Program Files\Electronic Arts
2007-07-26 23:33 --------- d-------- C:\Program Files\Common Files\EasyInfo
2007-07-26 13:46 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\My Battle for Middle-earth™ II Files
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-20 14:19 81920 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\ezpinst.exe
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2005-04-15 20:41:20 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [2004-04-26 03:00]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [2005-12-15 12:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-31 11:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-08-29 20:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 02:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y]
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y1]
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\system32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

R2 CDRPDACC;Arrowkey Device Access;\??\C:\Program Files\321Studios\Shared\CDRPDACC.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-05-01 15:58:57 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-06 13:52:11 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 11:32:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 11:33:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 11:33

--- E O F ---




HIJACKTHIS LOG - After Combofix


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:38 AM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7705 bytes

#8 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 02:10 PM

Now after a sytem restart, the Trojan Remover Quick Scan at startup reports the following message:



The following file is called by the Windows Registry at boot time:

C:\DOCUME~1\HP_OWNER\LOCALS~1\TEMP\catchme.sys

The program is called from the following Registry Key:

HKLM\SYSTEM\CurrentControlSet\Services\catchme

The file cannot be found to be scanned (it may be hidden)




Just thought I would keep you up to date.

Edited by joshiscoolest, 06 September 2007 - 02:10 PM.


#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 06 September 2007 - 03:33 PM

Good Morning Snowhite!


Good Evening joshiscoolest ! :thumbsup:

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

More info can be found here:


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

Should you have any questions, please feel free to ask.

Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\DOCUME~1\HP_Owner\APPLIC~1\inst.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini
C:\WINDOWS\winlogon.exe

Folder::
C:\Program Files\Save

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h3yb0y1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]


Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Step #2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
In your next post please include the following reports:
  • combofix report
  • SDFix report
  • New HijackThis log
Let me know how the things went.

Regards,
SNOWHITE
Posted Image

#10 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 04:34 PM

I dragged CFScript into ComboFix as requested. It went as suggested.

I downloaded SDFix as stated and it did as you said it would. I rebooted in safe mode and ran the RunThis.bat. It did everything you said it would until the pc rebooted. It did reboot and there was a quick flash of a blue screen like the program uses but then it just disappeared. I waited a few minutes for something to happen but it never did. I did find the Report.txt file in the SDFix folder and I will post it. All I am saying is that it didn't pop up like you said it would. Let me know if this report file has everything you need.

Also, how serious is the possibility of someone hacking into my system and accessing my personal stuff? Like banking and emails and such?



COMBOFIX REPORT

ComboFix 07-08-30.3 - "HP_Owner" 2007-09-06 16:56:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -4:00]
* Created a new restore point

FILE::
C:\DOCUME~1\HP_Owner\APPLIC~1\inst.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini
C:\WINDOWS\winlogon.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HP_Owner\APPLIC~1\inst.exe
C:\DOCUME~1\HP_Owner\APPLIC~1\microsoft\internet explorer\quick launch\intern~1.lnk
C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 11:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-05 16:06 <DIR> d-------- C:\Deckard
2007-09-04 16:27 <DIR> d-------- C:\DOCUME~1\HP_Owner\.housecall6.6
2007-09-04 15:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-09-04 14:44 <DIR> d-------- C:\Program Files\BearShare
2007-09-04 12:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-04 12:27 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-09-04 12:27 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-09-04 12:27 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-09-04 12:27 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-09-04 12:27 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-09-04 12:27 <DIR> d-------- C:\Program Files\Trojan Remover
2007-09-04 12:27 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Simply Super Software
2007-09-04 12:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-09-03 14:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-01 10:03 <DIR> d-------- C:\Program Files\DVDFab Platinum 3
2007-08-29 14:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 14:26 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 14:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-28 16:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-08-24 12:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-24 12:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-24 12:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 14:14 <DIR> d-------- C:\Downloads
2007-08-21 15:30 159,845 --a------ C:\WINDOWS\MPEG-4 Booster Pack Uninstaller.exe
2007-08-21 15:30 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\River Past G4
2007-08-21 15:26 163,426 --a------ C:\WINDOWS\Video Cleaner Pro Uninstaller.exe
2007-08-21 15:26 <DIR> d-------- C:\Program Files\River Past
2007-08-21 15:26 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-08-21 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G4
2007-08-21 13:34 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\DivX
2007-08-21 13:32 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-08-21 13:32 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-21 13:32 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-08-21 13:32 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-08-21 13:32 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-08-21 13:28 <DIR> d-------- C:\Program Files\DivX
2007-08-21 13:28 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Dr. DivX 2.0 OSS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 21:25 --------- d-------- C:\Program Files\PartyGaming.Net
2007-09-04 14:13 --------- d-------- C:\Program Files\Visual Business Cards
2007-09-04 14:11 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-04 14:09 --------- d-------- C:\Program Files\SlySoft
2007-09-01 10:04 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Vso
2007-09-01 10:03 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-01 10:03 47360 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\pcouffin.sys
2007-08-22 17:26 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-22 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 17:56 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\My The Lord of the Rings, The Rise of the Witch-king Files
2007-07-29 17:34 --------- d-------- C:\Program Files\Electronic Arts
2007-07-26 23:33 --------- d-------- C:\Program Files\Common Files\EasyInfo
2007-07-26 13:46 --------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\My Battle for Middle-earth™ II Files
2007-07-25 23:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-25 22:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-25 22:53 43528 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-25 22:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-25 22:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-25 22:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-25 22:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-25 22:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-25 22:50 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-25 22:50 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-25 22:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-25 22:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-25 22:50 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-25 22:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-25 22:50 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-25 22:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-25 22:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-20 14:19 81920 --a------ C:\DOCUME~1\HP_Owner\APPLIC~1\ezpinst.exe
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2005-04-15 20:41:20 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [2004-04-26 03:00]
"D-Link Wireless G WUA-1340"="C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe" [2005-12-15 12:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-31 11:42]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-08-29 20:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 02:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
c:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\system32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

R2 CDRPDACC;Arrowkey Device Access;\??\C:\Program Files\321Studios\Shared\CDRPDACC.SYS
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


Contents of the 'Scheduled Tasks' folder
2007-05-01 15:58:57 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-06 13:52:11 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 17:01:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 17:03:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 17:02
C:\ComboFix2.txt ... 2007-09-06 11:33

--- E O F ---





SDFIX REPORT:


SDFix: Version 1.102

Run by HP_Owner on 06/09/2007 at 05:13 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File







NEW HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:46 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_...itched/main.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{166FD7F1-DD51-4AAE-85D1-CA085CFD1F91}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7681 bytes

#11 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 04:37 PM

Just did another QuickScan with Trojan Remover and it found the same "catchme" stuff that it found earlier.

Let me know if I screwed up the last set of instructions and if I should do it again.

Thanks

#12 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 05:20 PM

Not to sound overly paranoid, but is there anything you can tell me or show me that can assure me that you are not involved with any of this internet fraud? I don't mean any disrespect but I am sort of following your instructions on here and I am not sure what information you could gather from any of my posts.

Thanks

#13 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 06 September 2007 - 05:59 PM

Not to sound overly paranoid, but is there anything you can tell me or show me that can assure me that you are not involved with any of this internet fraud? I don't mean any disrespect but I am sort of following your instructions on here and I am not sure what information you could gather from any of my posts.


At this moments the best thing is to stay calm and not paranoid. There is nothing to worry about i gather only information that can help me to help you resolve your computer problem, and this reports i ask from you are here only to help me see what are the not legit entries, so we can remove them.

Also, how serious is the possibility of someone hacking into my system and accessing my personal stuff? Like banking and emails and such?


I cant say how serious can be, there was a backdoor trojan which was visible and we removed it. We will do more research and check if there are other threats so we can remove them, although, when this kind of threats are present i cant guarantee that it will be 100% secure afterwards. It also depends of how long the threat was present and active on the computer, also it depends on how good is the computer protected. If your doing online banking, contact your bank, also change your passwords like i instructed you in my previous post.


Just did another QuickScan with Trojan Remover and it found the same "catchme" stuff that it found earlier.

Thanks


The "catchme" stuff is legit, no worries :thumbsup:

Follow these steps:

Click start > Run... > copy&paste this into the run boxC:\SDFix\RunThis.bat /second
Press OK button, SDFix should open a "dos" window and proceed from where it left off.

Wait to finish with scanning and you will find the report at this location c:\SDFix\report.txt, post it back here.

Let me know if you encounter any problems with these steps :flowers:


Regards,

Edited by SNOWHITE, 06 September 2007 - 08:11 PM.

SNOWHITE
Posted Image

#14 joshiscoolest

joshiscoolest
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 06 September 2007 - 07:04 PM

Hello

I appreciate your honesty on all of this. For the record, I really didn't believe that you had anything but good intentions and am very thankful for your help.

I ran C:\SDFix\RunThis.bat /second and the same thing happened. There was a flash of a blue window that popped up and then disappeared again. I waited in case it was running in the background but nothing happened.

I went back to c:\SDFix\report.txt and it is the same report as before. I will post it again anyways so you can see it.

Not sure what to do next.

Thanks again for all your help.




SDFix: Version 1.102

Run by HP_Owner on 06/09/2007 at 05:13 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

#15 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:53 PM

Posted 06 September 2007 - 07:17 PM

I appreciate your honesty on all of this. For the record, I really didn't believe that you had anything but good intentions and am very thankful for your help.


Thanks for letting me know :thumbsup:

Follow these steps:

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Step #1

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • - Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

If you are unable to run scan with AVG Anti-Spyware in Safe Mode, Click the next link http://fileserver.ewido.net/public.cgi?id=20990 and download AVG_Anti-Spyware_7.5.1.36_Safe_Mode_Registry_Patch.reg to your desktop. It should look like this -> Posted Image double click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Post back with AVG Anti-Spyware report, Kaspersky report and new HijackThis log back into this thread, it is 2 in the morning here and i need to take a sleep now, i will review your logs tomorrow, bye for now :flowers:

Regards,
SNOWHITE
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users