Internet Slowness - Trojan Found?


16 replies to this topic

#1 Jim M.

Posted 06 September 2007 - 09:13 PM

For a while now I've had a slowish internet connection; sometimes Google wouldn't even fully load, it would just time out, it seemed (matter of fact, this is my third time trying to post this text). I always blamed my ISP, but then I noticed (or realized) that my laptop was always faster. So I booted this machine into safe mode with networking and the web surfing became much faster.

Every now and then AVG tells me it found a backdoor Trojan. And Spybot always finds something called WildTangent as a registry item. Would any of these cause a slowdown? Thanks for any help or information you can provide. The HijackThis log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:52 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 6862 bytes


#2 RichieUK (Malware Assassin, Malware Response Team)

Posted 07 September 2007 - 07:11 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Jim M.
My name is Richie and I'll be helping you to fix your problems.

Download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 Jim M. (Topic Starter)

Posted 07 September 2007 - 09:58 PM

Hi Richie,

Thanks for helping me out. I tried to run HijackThis after I did the ComboFix and I keep getting an error message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." But I only have one account and it's the administrator. I tried to re-install it in a different directory but I get the same message. I also tried to rename the exe and get the same message. AVG did keep warning it was a threat, but I turned that off and again got the same message. Here's the ComboFix log anyway.

ComboFix 07-09-08.8 - "Jim" 2007-09-07 22:33:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\download
C:\Program Files\Common Files\download\mc-110-12-0000080.exe
C:\Program Files\Common Files\inetget2
C:\Program Files\Common Files\windows
C:\Program Files\Common Files\windows\AutoIt3.exe


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-07 22:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-06 18:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 23:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-05 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-05 22:52 <DIR> d-------- C:\Program Files\a-squared Free
2007-09-02 23:33 <DIR> d-------- C:\Program Files\Exifer
2007-09-02 23:21 <DIR> d-------- C:\DOCUME~1\Jim\APPLIC~1\Two Pilots
2007-09-02 23:19 <DIR> d-------- C:\Program Files\Two Pilots
2007-08-15 15:21 <DIR> d-------- C:\02404decf1304b4cb2d33b
2007-08-11 11:15 <DIR> d-------- C:\Program Files\Neat Image
2007-08-07 23:17 <DIR> d-------- C:\Program Files\MosaicCreator
2007-08-07 13:58 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-05 23:30 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-05 23:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-02 11:28 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-31 20:03 --------- d-------- C:\Program Files\City of Heroes
2007-08-31 16:17 --------- d-------- C:\DOCUME~1\Jim\APPLIC~1\Canon
2007-08-07 23:22 737280 --a------ C:\WINDOWS\iun6002.exe
2007-08-07 23:22 --------- d-------- C:\Program Files\AndreaMosaic
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-25 21:46 --------- d-------- C:\Program Files\BookSmart
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2005-11-06 22:52 286720 --a------ C:\Program Files\Uninstall My Web Search.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-15 19:07]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 22:45]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-05-31 20:57:43]

C:\DOCUME~1\Jim\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-21 19:58:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jim^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Jim\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlienAutopsy]
"C:\Program Files\AlienAutopsy\Test_BS.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlienSetupLauncher]
\\aliensrv\AlienFactory\AlienFactory.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
REGSVR32.EXE /S CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

R1 SSHDRV65;SSHDRV65;\??\C:\WINDOWS\System32\drivers\SSHDRV65.sys
R1 SSHDRV77;SSHDRV77;\??\C:\WINDOWS\System32\drivers\SSHDRV77.sys
R1 TeksKernel;TeksKernel;C:\WINDOWS\system32\Drivers\TeksKernel.sys
R2 Ndismeetro;Meetro NDIS Protocol Driver;C:\WINDOWS\system32\DRIVERS\ndismeetro.sys
R2 ProductivITService;ProductivIT Service;C:\Program Files\AlienAutopsy\TEKS_Service.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-08-31 22:04:52 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-04-15 16:00:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-08 02:32:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-07 22:36:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-07 22:38:02
C:\ComboFix-quarantined-files.txt ... 2007-09-07 22:37
.
--- E O F ---

#4 Jim M. (Topic Starter)

Posted 07 September 2007 - 10:49 PM

I was able to get a HijackThis log when in safe mode with networking; not sure if this helps at all, but here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:22 AM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 5822 bytes

Edited by Jim M., 07 September 2007 - 11:02 PM.
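The comparison Jim's observation invites, what runs in a normal boot but not in safe mode with networking, can be done mechanically from the two HijackThis logs posted above. The following Python script is an added example, not part of this thread and not HijackThis code: it parses the HijackThis v2 log format, diffs the "Running processes" sections, maps each extra process back to its O23 service line, and lists the entries HijackThis itself could not attribute. The two embedded logs are constructed input, abridged from the ones posted in this thread.

```python
"""Parse HijackThis v2 logs and compare a normal boot with safe mode.
Added example, not part of the thread and not HijackThis code; the two
embedded logs are abridged from the ones posted above (constructed input)."""
import re
from dataclasses import dataclass, field

NORMAL_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
"""

SAFE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Findings lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class HjtLog:
    boot_mode: str = ""
    processes: list = field(default_factory=list)   # lower-cased image paths
    entries: dict = field(default_factory=dict)     # "O23" -> [payload, ...]


def parse_hjt(text):
    """Split a HijackThis log into boot mode, running processes and entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line.startswith("Boot mode:"):
            log.boot_mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            log.processes.append(line.lower())
        elif (m := ENTRY_RE.match(line)):
            log.entries.setdefault(m.group(1), []).append(m.group(2))
    return log


def processes_only_in(normal, safe):
    """Image paths running in normal mode but absent from the safe-mode scan.
    Safe mode starts only core services, so this is the candidate set for what
    slows the machine down; most hits are legitimate and still need identifying."""
    return sorted(set(normal.processes) - set(safe.processes))


def explain_process(log, proc_path):
    """Return the O23 service payload whose image path equals proc_path, else None.
    O23 payload layout: 'Service: <name> (<short>) - <vendor> - <path>'."""
    for svc in log.entries.get("O23", []):
        if svc.rsplit(" - ", 1)[-1].strip().lower() == proc_path:
            return svc
    return None


def flag_for_review(log):
    """Entries HijackThis could not attribute: services with no known vendor and
    Winsock LSP files it does not recognise.  Unattributed is not the same as
    malicious, so these are lookup tasks for the helper, not verdicts."""
    flags = [("O23", s) for s in log.entries.get("O23", []) if "Unknown owner" in s]
    flags += [("O10", x) for x in log.entries.get("O10", []) if x.startswith("Unknown file")]
    return flags


if __name__ == "__main__":
    n, s = parse_hjt(NORMAL_LOG), parse_hjt(SAFE_LOG)
    for proc in processes_only_in(n, s):
        print(proc, "->", explain_process(n, proc) or "no matching O23 service; identify manually")
    for code, payload in flag_for_review(n):
        print("look up", code, payload)
```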


#5 RichieUK (Malware Assassin, Malware Response Team)

Posted 08 September 2007 - 03:43 AM

Download and scan with the free 15-day trial of CounterSpy V2.
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT', then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded, the scan will start.
The scan will take quite some time, so please be patient.
Once the scan has finished, select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All', then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new HijackThis log please.

#6 Jim M. (Topic Starter)

Posted 08 September 2007 - 08:06 PM

OK, here are the logs. I still have to use HijackThis in safe mode. Again, thanks for your help.



Scan History Details
Start Date: 9/8/2007 3:36:25 PM
End Date: 9/8/2007 6:25:05 PM
Total Time: 168 Min 40 Sec

Detected security risks

Weatherbug Low Risk Adware more information...
Details: Weatherbug is an ad supported desktop weather applicaton that provides updates on weather conditions and displays real time temperatures in the taskbar icon.
Status: Deleted

Files detected
C:\PROGRAM FILES\AWS\WxBugSetup502b4.EXE
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
C:\PROGRAM FILES\AWS

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Control
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\MiscStatus\1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{04A38F6B-006F-4247-BA4C-02A139D5531C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MiniBugTransporter.MiniBugTransporterX.1
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX.1
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\MINIBUGTRANSPORTER.MINIBUGTRANSPORTERX\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{3C2D2A1E-031F-4397-9614-87C932A848E0}\1.0\HELPDIR
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Cam
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Cam
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Command
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation
HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\CurrentStation

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Design

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Forecast

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Links

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Local

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Options

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Options

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Options

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Options

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Reg

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Reg

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Reg

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Registration

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\setup

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station0

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station10

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station11

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station12

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station13

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station14

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station15

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station16

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station17

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station18

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station19

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station1

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station20

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station21

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station22

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station2

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station3

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station4

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station5

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station6

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station7

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station8

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Station9

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\AWS\weather\Warning





Whazit Toolbar (Toolbar)

Details: Whazit is an Internet Explorer toolbar and home-/search-/error-page hijacker pointed at its controlling server whazit.com.

Status: Deleted

Files detected

C:\WINDOWS\fiz1

SearchNugget.DNSCatcher (Browser Plug-in)

Details: SearchNugget.DNSCatcher (aka Shorty) is a browser helper object (BHO) for Internet Explorer that redirects search results.

Status: Deleted

Files detected

C:\qoobox\Quarantine\C\Program Files\Common Files\Download\mc-110-12-0000080.exe.vir

Desktop Weather (Potentially Unwanted Program)

Status: Deleted

Registry entries detected

HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Apps

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL\Framework\UserProfile

HKEY_USERS\S-1-5-21-1229272821-926492609-839522115-1003\SOFTWARE\THE WEATHER CHANNEL

Need2FindBar (Potentially Unwanted Program)

Details: Need2FindBar is a browser helper object (BHO) toolbar that has a search function.

Status: Deleted

Registry entries detected

HKEY_USERS\SEARCH

Backdoor.Mirc.AH (Backdoor)

Status: Deleted

Files detected

C:\Program Files\mIRC\backup\mirc.exe

















BitDefender Online Scanner















Scan report generated at: Sat, Sep 08, 2007 - 20:35:48



















Scan path: A:\;C:\;D:\;E:\;































Statistics



Time





00:58:22



Files





206450



Folders





10700



Boot Sectors





2



Archives





6798



Packed Files





11603















Results



Identified Viruses





4



Infected Files





7



Suspect Files





0



Warnings





0



Disinfected





0



Deleted Files





7















Engines Info



Virus Definitions





767138



Engine build





AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)



Scan plugins





5



Archive plugins





18



Unpack plugins





4



E-mail plugins





1



System plugins





1















Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Infected with: Html.Bofra.B
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Infected with: Html.Bofra.D
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Infected with: Html.Bofra.B
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Program Files\mIRC\mirc.exe | Infected with: Backdoor.Mirc.AH
C:\Program Files\mIRC\mirc.exe | Disinfection failed
C:\Program Files\mIRC\mirc.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Infected with: Trojan.Downloader.4540.A
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Infected with: Backdoor.Mirc.AH
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Infected with: Backdoor.Mirc.AH
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Deleted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:23 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 6475 bytes

Edited by Jim M., 08 September 2007 - 08:36 PM.


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 09 September 2007 - 05:28 AM

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

Post a new HijackThis log please.

#8 Jim M.

Jim M.
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 09 September 2007 - 09:12 AM

Word Wrap wasn't checked. Is it because BitDefender is in HTML? Also, whenever I try to post it times out, so I've been using my Mac laptop to reply.



BitDefender Online Scanner - Scan Report

Scan report generated at: Sat, Sep 08, 2007 - 20:35:48
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:58:22
Files: 206450
Folders: 10700
Boot Sectors: 2
Archives: 6798
Packed Files: 11603

Results
Identified Viruses: 4
Infected Files: 7
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 7

Engines Info
Virus Definitions: 767138
Engine build: AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
Scan plugins: 5
Archive plugins: 18
Unpack plugins: 4
E-mail plugins: 1
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Infected with: Html.Bofra.B
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 156) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Infected with: Html.Bofra.D
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 159) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Infected with: Html.Bofra.B
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Disinfection failed
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx=>(message 160) | Deleted
C:\Documents and Settings\Jim\Local Settings\Application Data\Identities\{4E75E553-267C-4998-BA44-253A51C15650}\Microsoft\Outlook Express\Warcry.dbx | Update failed
C:\Program Files\mIRC\mirc.exe | Infected with: Backdoor.Mirc.AH
C:\Program Files\mIRC\mirc.exe | Disinfection failed
C:\Program Files\mIRC\mirc.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Infected with: Trojan.Downloader.4540.A
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1092\A0244806.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Infected with: Backdoor.Mirc.AH
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246919.exe | Deleted
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Infected with: Backdoor.Mirc.AH
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Disinfection failed
C:\System Volume Information\_restore{6DCAFDBF-826A-4A27-A731-561E2C8AE641}\RP1094\A0246928.exe | Deleted







Here's the new HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:14 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe


--
End of file - 7454 bytes

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 09 September 2007 - 10:43 AM

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.

Restart your pc.
Let me know how your pc is running now please.

#10 Jim M.

Jim M.
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 09 September 2007 - 11:35 AM

I'm not sure if this is a problem on my end or a trojan thing. One test I do is to try to upload an image file to a site from this computer and it still times out. But on my laptop it works fine. Here's the hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:52 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7387 bytes

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 09 September 2007 - 01:58 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jim^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]

Download/unzip iereg.bat to your desktop that's attached below.
Double click on the unzipped file on your desktop.
You'll see a black screen flash, that's normal.
Restart your pc.

Let me know what's happening now.

#12 Jim M.

Jim M.
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 09 September 2007 - 09:19 PM

Still the same but it does seem faster. Maybe I just can't upload from here or something. Here's a hijackthis log. If you're running out of ideas I can start to look for the original CDs and try to reformat.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:04 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7387 bytes
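As an added example (not code from the thread, from BleepingComputer or from HijackThis), a small Python triage script that parses lines in the log format posted above and picks out the entry types a helper reads first: O10 "Unknown file" Winsock LSP entries, O23 services with no publisher string, and O8 context-menu items whose target is neither a URL nor a local path. The sample lines are copied from the log above; the heuristics are my own and only mark lines for a human to look at, they do not decide that anything is malicious.

```python
import re

# Constructed sample: a few lines in the HijackThis v2 format, taken from the
# log posted in this thread, so the parser can be run offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Search - ?p=ZNxmk572CRUS
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7387 bytes
"""

# Every HijackThis entry starts with a section tag (R0, R1, F2, O2 ... O23).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (entries, processes).

    entries:   list of {"section": "O23", "body": "..."} in log order
    processes: the paths listed under 'Running processes:'
    """
    entries, processes = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first tagged entry also ends the list
            entries.append({"section": m["section"], "body": m["body"]})
        elif in_procs:
            processes.append(line)
    return entries, processes


def triage(entries):
    """Return (section, reason, body) tuples for entries worth a second look.

    These are review heuristics, not verdicts: an O10 'Unknown file' only
    means the DLL is not in HijackThis's own list of known LSPs, and an
    'Unknown owner' service only lacks a publisher string.
    """
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O10" and "Unknown file" in body:
            findings.append((sec, "Winsock LSP not in HijackThis's known list", body))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append((sec, "service with no publisher string", body))
        elif sec == "O8":
            target = body.split(" - ", 1)[-1].lower()
            if not target.startswith(("http", "res://", "c:\\")):
                findings.append((sec, "context-menu item with an unusual target", body))
    return findings


if __name__ == "__main__":
    ents, procs = parse_hjt(SAMPLE_LOG)
    print(f"{len(ents)} entries, {len(procs)} running processes")
    for sec, reason, body in triage(ents):
        print(f"[{sec}] {reason}: {body}")
```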

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 10 September 2007 - 06:03 AM

If you're running out of ideas I can start to look for the original CDs and try to reformat.

Probably that's the best way to go now, I'm out of suggestions anyway.

#14 Jim M.

Jim M.
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 10 September 2007 - 07:51 AM

Is there any article that you know of that goes over the steps to reformat? I've never done it before. Thanks for all your help!

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 10 September 2007 - 08:18 AM

If you have the Microsoft Windows XP installation disk try doing a Repair Install first, that may help and you won't lose any data.
Configure your computer to start from the CD-ROM drive.
[Boot into the Bios and set your CD-Rom drive as first boot device].
For more information about how to do this, refer to your computer's documentation or contact your computer manufacturer.
Then insert your Microsoft Windows XP Setup CD, and restart your computer.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
Press ENTER when you see the message to set up Windows XP now, and then press ENTER on the 'Welcome to Setup' screen.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.

Let me know how you get on.