Think I Cleaned Up The Spyware.cyberlog-x, Virtumonde, Virus Blast - Need Log Checked.


23 replies to this topic

#1 MikeSessa

MikeSessa

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:01 PM

Posted 19 October 2007 - 10:36 PM

Here's a link back to the problems I had and things I did to attempt to eliminate the virus and prepare to post a HJT log.
http://www.bleepingcomputer.com/forums/t/112666/mikesessas-hjt-log/


TMacK tells me to post my HijackThis log here in order to be sure my system is clean, so here is my current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:44 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\lqtyfgsv.dll",sitypnow
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Monitor.lnk = E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6984 bytes


What do you think?

Again, thanks for the help; my computer is much more usable than when that spyware/ransomware/virus had taken control of my machine. I am still getting a few system messages telling me such and such program has to close, like Media Player closing after playing a song, Firefox closing while attempting an update, etc. Could some things have been damaged by the numerous scans with different anti-spyware scanners???


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:01 AM

Posted 20 October 2007 - 04:58 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, MikeSessa :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.


Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 MikeSessa


Posted 21 October 2007 - 10:44 AM

Thank you RichieUK.

I removed all java installs and updated as you said.

I downloaded ComboFix, closed my browser and ran it. It would not run. It generates "freeware implementation of REG.EXE has encountered a problem and needs to close - send error report to MS / don't". I selected don't send. It repeats similar messages; I closed them all with "do not send". Finally I got a message that said "Not admin need admin priv to run tool".

This is where I stopped.

I checked my user accounts and I am admin with password logon.

Thought something might have gone wrong with the d/l for ComboFix, so I deleted it, re-downloaded it and tried again: very same result. I am downloading to the desktop and running it on the desktop.

Searched to be sure it didn't run a log and it didn't.

I'm waiting for further instructions.

Again thank you for your kind assistance.

#4 RichieUK


Posted 21 October 2007 - 11:03 AM

Download this tool to your desktop:
http://download.bleepingcomputer.com/sUBs/...bug-Restore.exe
Double-click SeDebug-Restore.exe and let it run.
Restart your PC; this is very important.

Then try Combofix again.

#5 MikeSessa


Posted 21 October 2007 - 11:22 AM

Nope no good.

SeDebug reported

'\cscript.exe is not recognized as an internal or external command.

please reboot

I rebooted and noticed the new hdwe running in the toolbar, recognizing a USB device, then a hard drive. After the reboot finished up I tried to run ComboFix and got the same result as last time: messages and not admin.

Finally, I'm running Firefox and I just had a bunch of what look to be msiexplorer windows pop up in what appears to be a new hijack, and they won't close; one is some jack9-untv crap and it won't close.

Help!

#6 RichieUK


Posted 21 October 2007 - 11:39 AM

Try running Combofix in Safe Mode:
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Whether ComboFix runs or not, carry on below:
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#7 MikeSessa


Posted 21 October 2007 - 02:19 PM

Tried to run ComboFix in Safe Mode. Strange thing when booted into Safe Mode. Now, I have been able to boot into Safe Mode as recently as a couple of days ago. When going into Safe Mode the desktop icons appear, then blank out to a black screen two or three times, then the screen stays black with no icons; the corners appear in Safe Mode, but now I could not execute any programs because there were no icons to click on. Tried a couple of times: same thing.

Back in normal mode I ran VundoFix; it found a few things and removed them. Rebooted and it removed 2 more on restart.

Here's VundoFix:


VundoFix V6.5.10

Checking Java version...

Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.

Scan started at 2:55:41 PM 10/21/2007

Listing files found while scanning....

C:\windows\system32\ddccaxx.dll
C:\WINDOWS\system32\fncmayrl.dll
C:\WINDOWS\system32\rmfcoopx.dll
C:\WINDOWS\system32\xpoocfmr.ini

Beginning removal...

Attempting to delete C:\windows\system32\ddccaxx.dll
C:\windows\system32\ddccaxx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\fncmayrl.dll
C:\WINDOWS\system32\fncmayrl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rmfcoopx.dll
C:\WINDOWS\system32\rmfcoopx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xpoocfmr.ini
C:\WINDOWS\system32\xpoocfmr.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ddccaxx.dll
C:\windows\system32\ddccaxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rmfcoopx.dll
C:\WINDOWS\system32\rmfcoopx.dll Has been deleted!

Performing Repairs to the registry.
Done!


Found another Vundofix.txt



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:39 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54442D04-3319-41EF-864B-70BB12CB784E} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CEE6C507-8395-4050-84F7-E4E26781FAEA} - (no file)
O2 - BHO: (no name) - {E81240CA-E5D7-473D-AA89-67B2EE533039} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\itjmfxkf.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Monitor.lnk = E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddccaxx - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bthjmdif.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8258 bytes

#8 RichieUK


Posted 21 October 2007 - 02:54 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.
If you find you're experiencing problems disabling Spybot's TeaTimer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Copy and paste the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double-click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
sc stop DomainService
sc delete DomainService

Restart your PC.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\itjmfxkf.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll
O2 - BHO: (no name) - {54442D04-3319-41EF-864B-70BB12CB784E} - C:\WINDOWS\system32\awvvu.dll
O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {CEE6C507-8395-4050-84F7-E4E26781FAEA} - (no file)
O2 - BHO: (no name) - {E81240CA-E5D7-473D-AA89-67B2EE533039} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\itjmfxkf.dll",sitypnow
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - Winlogon Notify: ddccaxx - C:\WINDOWS\
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bthjmdif.exe (file missing)



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use 'Save As' to save both Notepad files to your Desktop and post them in your next reply.
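The fix list above applies a few recognisable patterns to HijackThis entries. The script below is an added example (not code from this thread or from HijackThis) that encodes those patterns as triage heuristics and runs them over lines copied from the second log in this thread; the "random name" test (5 to 8 lowercase letters, no digits, in system32) is my own assumption and is a weak signal to corroborate, not a verdict.

```python
"""Triage heuristics for Trend Micro HijackThis (HJT) 2.0 log lines.

Added example for this thread, not code from the thread or from HijackThis.
Patterns encoded: unnamed BHO loading a random-named DLL from system32,
rundll32 autorun of such a DLL, a Winlogon Notify hook with a bare directory,
an orphaned service (unknown owner, file missing), and stale (no file) or
outdated Java plug-in registrations.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in the second HJT log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll
O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\itjmfxkf.dll",sitypnow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O20 - Winlogon Notify: ddccaxx - C:\WINDOWS\
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bthjmdif.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# An HJT entry: section tag ("R0", "O2", "O23", ...), " - ", then the body.
_ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# Assumed random-name signal: 5-8 lowercase letters, no digits, as a DLL in system32.
# Vendor modules such as NvCpl.dll (mixed case) or nvsvc32.exe (digits) do not match.
_RANDOM_SYS32 = re.compile(r"\\[sS]ystem32\\([a-z]{5,8})\.dll")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "O2", "O23"
    verdict: str  # "suspicious" (likely malware) or "orphan" (dead entry, safe cleanup)
    reason: str
    line: str


def parse_entry(line: str):
    """Return (section, body) for an HJT entry line, or None for anything else."""
    m = _ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line: str):
    """Apply the heuristics to one line; return a Finding or None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    if section in ("O2", "O3") and "(no name)" in body and body.endswith("(no file)"):
        return Finding(section, "orphan", "unnamed entry whose file is gone", line)
    if section == "O2" and "(no name)" in body:
        m = _RANDOM_SYS32.search(body)
        if m:
            return Finding(section, "suspicious",
                           f"unnamed BHO loads {m.group(1)}.dll from system32", line)
    if section == "O4" and re.search(r"rundll32\.exe", body, re.IGNORECASE):
        m = _RANDOM_SYS32.search(body)
        if m:
            return Finding(section, "suspicious",
                           f"rundll32 autorun loads {m.group(1)}.dll from system32", line)
    if section == "O16" and "Java Plug-in" in body and body.endswith("-"):
        return Finding(section, "orphan", "stale Java plug-in registration", line)
    if section == "O20" and body.startswith("Winlogon Notify:") and body.endswith("\\"):
        return Finding(section, "suspicious", "Winlogon Notify hook with no DLL path", line)
    if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return Finding(section, "orphan", "service with unknown owner and missing binary", line)
    return None


def triage(log_text: str):
    """Run triage over a whole log; findings come back in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def fix_list(findings):
    """Lines to hand to HJT's 'Fix checked': everything flagged, suspicious first."""
    order = {"suspicious": 0, "orphan": 1}
    return [f.line.strip() for f in sorted(findings, key=lambda f: order[f.verdict])]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.section:4} {f.reason}")
```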

#9 MikeSessa


Posted 21 October 2007 - 03:58 PM

Spybot won't start: Spybot has encountered a problem and must shut down.

Should I skip and move on?

#10 RichieUK


Posted 21 October 2007 - 04:04 PM

Spybot won't start - Spybot has encountered a problem and must shut down.

Let's remove/uninstall Spybot S&D via Start / Control Panel / Add or Remove Programs, then restart your PC.
We can reinstall it later.
Then carry on with the rest of the steps please.

#11 MikeSessa


Posted 21 October 2007 - 04:12 PM

Very odd - I can't uninstall; I get this weird Windows error noise pulsating, and then it stops and won't remove. This only recently started happening, perhaps when we tried to do the SeDebug thing and the new hdwe wizard was running. I got this same noise when Spybot would not run.

#12 RichieUK


Posted 21 October 2007 - 04:31 PM

OK, carry on with the above instructions; let's see how you get on.

#13 MikeSessa


Posted 21 October 2007 - 05:28 PM

Let me say thanks again for helping me; here are the instructions carried out. The stupid spyware.cyberlog-x and their stupid online security guide and live safety center shields have reappeared on my desktop, the system messages have come back, and the yellow exclamation point with its stupid messages has all just started coming back.

Ran fix.bat

OTMoveIt:

LoadLibrary failed for C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mllml.dll NOT unregistered.
C:\WINDOWS\system32\mllml.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\awvvu.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\awvvu.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\itjmfxkf.dll not found.

Created on 10/21/2007 17:46:43

Fixed with HijackThis everything you told me; there were 3 keys or what have you that didn't match up. Maybe they changed their own names, so I didn't fix them because they didn't match up on the list. The 3 were:

O2 - BHO: (no name) - {54442D04-3319-41EF-864B-70BB12CB784E} - C:\WINDOWS\system32\awvvu.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\itjmfxkf.dll",sitypnow
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\bthjmdif.exe (file missing)

There were similarly named ones, just not exactly the same.

Deckard's

Deckard's System Scanner v20071014.68
Run by mikeser on 2007-10-21 18:08:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-10-21 22:08:21 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.51 GiB (less than 15%) free.


-- HijackThis (run as mikeser.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:21 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Documents and Settings\mikeser\Desktop\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mikeser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\lmkkhqqa.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rqopvoby.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E0DCA605-E4F6-4F93-87C5-747CC019046B} - C:\WINDOWS\system32\awvvu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rqopvoby.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\krpgecte.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Monitor.lnk = E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: rqopvoby - C:\WINDOWS\SYSTEM32\rqopvoby.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gkwawfub.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7804 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071021-180607-515 O2 - BHO: (no name) - {CEE6C507-8395-4050-84F7-E4E26781FAEA} - (no file)
backup-20071021-180607-547 O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
backup-20071021-180607-725 O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
backup-20071021-180607-735 O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
backup-20071021-180607-880 O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)
backup-20071021-180607-910 O2 - BHO: (no name) - {E81240CA-E5D7-473D-AA89-67B2EE533039} - (no file)
backup-20071021-180608-220 O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
backup-20071021-180608-804 O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
backup-20071021-180608-998 O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
backup-20071021-180609-266 O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
backup-20071021-180609-529 O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
backup-20071021-180609-677 O20 - Winlogon Notify: ddccaxx - C:\WINDOWS\
backup-20071021-180609-731 O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes; CDRTools>
R2 ETDrv - c:\windows\system32\drivers\etdrv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 PStrip - c:\windows\system32\drivers\pstrip.sys <Not Verified; EnTech Taiwan; PowerStrip>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; Elaborate Bytes; CloneCD>
R3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys

S3 Entech - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 ET5Drv - c:\windows\system32\drivers\et5drv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S3 RivaTunerEx - c:\program files\rivatuner v2.0 rc 15.3 new year edition\rivatunerex.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>

S2 DomainService - c:\windows\system32\gkwawfub.exe /service (file missing)
S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-21 and 2007-10-21 -----------------------------

2007-10-21 18:11:04 77376 --a------ C:\WINDOWS\system32\lmkkhqqa.dll
2007-10-21 18:08:13 340032 --a------ C:\WINDOWS\system32\rqopvoby.dll
2007-10-21 18:07:50 340032 --a------ C:\WINDOWS\system32\ioermcnp.dll
2007-10-21 17:58:50 83008 --a------ C:\WINDOWS\system32\krpgecte.dll
2007-10-21 17:51:05 75328 --a------ C:\WINDOWS\system32\qsfouwtl.exe <Not Verified; ; DDC>
2007-10-21 17:42:10 75328 --a------ C:\WINDOWS\system32\vylqcxqt.exe <Not Verified; ; DDC>
2007-10-21 17:24:00 83008 --a------ C:\WINDOWS\system32\igmfxkjj.dll
2007-10-21 17:22:08 75328 --a------ C:\WINDOWS\system32\xjnfnwbi.exe <Not Verified; ; DDC>
2007-10-21 16:54:13 75328 --a------ C:\WINDOWS\system32\odynojdd.exe <Not Verified; ; DDC>
2007-10-21 15:04:11 75328 --a------ C:\WINDOWS\system32\ynwujaem.exe <Not Verified; ; DDC>
2007-10-21 14:55:41 0 d-------- C:\VundoFix Backups
2007-10-21 14:50:14 75328 --a------ C:\WINDOWS\system32\owsajmfv.exe <Not Verified; ; DDC>
2007-10-21 14:35:15 75328 --a------ C:\WINDOWS\system32\dsibommx.exe <Not Verified; ; DDC>
2007-10-21 12:11:23 83008 --a------ C:\WINDOWS\system32\gucjsgph.dll
2007-10-21 12:09:49 75328 --a------ C:\WINDOWS\system32\wxdqierb.exe <Not Verified; ; DDC>
2007-10-21 11:05:01 0 d-------- C:\Program Files\Common Files\Java
2007-10-21 11:01:40 75328 --a------ C:\WINDOWS\system32\krpipivt.exe <Not Verified; ; DDC>
2007-10-21 10:55:56 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-20 16:34:09 75328 --a------ C:\WINDOWS\system32\lqrsxrqh.exe <Not Verified; ; DDC>
2007-10-19 23:15:32 0 d-------- C:\Program Files\Trend Micro
2007-10-19 20:40:08 1156 --a------ C:\WINDOWS\mozver.dat
2007-10-17 19:59:09 0 d-------- C:\Program Files\RogueRemover FREE
2007-10-16 22:58:12 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2007-10-16 22:50:01 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Google
2007-10-16 22:50:00 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-10-16 22:42:28 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-10-16 22:42:25 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-10-16 22:06:42 4526 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-16 22:05:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-16 22:05:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-16 22:05:22 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-16 22:05:22 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-16 22:05:22 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-16 20:28:02 0 d-------- C:\Documents and Settings\mikeser\Application Data\Grisoft
2007-10-16 20:27:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-16 20:00:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-16 20:00:30 0 d-------- C:\Documents and Settings\mikeser\Application Data\Mozilla
2007-10-16 19:17:29 339968 --a------ C:\Program Files\Hammer.dll
2007-10-16 19:17:05 389184 --a------ C:\WINDOWS\system32\oqcesonj.exe
2007-10-16 19:15:31 410510 ---hs---- C:\WINDOWS\system32\uvvwa.bak2
2007-10-15 18:46:04 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 16:57:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-15 13:43:54 412616 ---hs---- C:\WINDOWS\system32\uvvwa.ini2
2007-10-15 13:04:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-15 13:04:05 0 d-------- C:\Program Files\Spyware Doctor
2007-10-15 13:04:05 0 d-------- C:\Documents and Settings\mikeser\Application Data\PC Tools
2007-10-15 11:57:08 0 dr------- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Start Menu
2007-10-15 11:57:08 0 dr-h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\SendTo
2007-10-15 11:57:08 0 d--h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Recent
2007-10-15 11:57:08 0 d--h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\PrintHood
2007-10-15 11:57:08 0 d--h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\NetHood
2007-10-15 11:57:08 0 d-------- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\My Documents
2007-10-15 11:57:08 0 d--h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Local Settings
2007-10-15 11:57:08 0 d-------- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Favorites
2007-10-15 11:57:08 0 d-------- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Desktop
2007-10-15 11:57:08 0 d---s---- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Cookies
2007-10-15 11:57:08 0 dr-h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Application Data
2007-10-15 11:57:08 0 d---s---- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Application Data\Microsoft
2007-10-15 11:57:07 0 d--h----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\Templates
2007-10-15 11:57:07 524288 --ah----- C:\Documents and Settings\Administrator.BLEH-NAIK7VGNFN\NTUSER.DAT
2007-10-15 11:56:54 0 d--hs---- C:\WINDOWS\CSC
2007-10-15 11:33:27 6465 ---hs---- C:\WINDOWS\system32\uvvwa.bak1
2007-10-15 11:33:07 308832 --a------ C:\WINDOWS\system32\awvvu.dll
2007-10-15 11:14:19 0 d-------- C:\{00004528-0000-0000-0ADF-111613256D73}
2007-10-15 11:14:18 0 d-------- C:\{000039B2-0000-0000-B8A2-A432644C5E4F}
2007-10-15 09:26:04 0 d-------- C:\Documents and Settings\mikeser\.housecall6.6
2007-10-14 17:41:05 421317 ---hs---- C:\WINDOWS\system32\lmllm.bak2
2007-10-11 17:32:17 6465 ---hs---- C:\WINDOWS\system32\lmllm.bak1
2007-10-11 17:31:58 5767168 --a------ C:\Documents and Settings\mikeser\ntuser.dat
2007-10-11 17:26:32 0 d-------- C:\WINDOWS\system32\p1
2007-10-11 17:26:15 0 d-------- C:\WINDOWS\system32\vMW02a
2007-10-05 18:52:33 0 d-------- C:\Program Files\Freecorder
2007-10-05 18:52:22 0 d-------- C:\WINDOWS\Freecorder Toolbar
2007-10-05 17:26:31 0 d-------- C:\My Recordings


-- Find3M Report ---------------------------------------------------------------

2007-10-21 11:06:04 0 d-------- C:\Program Files\Java
2007-10-21 11:05:01 0 d-------- C:\Program Files\Common Files
2007-10-16 22:45:57 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-10-15 11:27:33 0 d-------- C:\Program Files\vmntoolbar
2007-10-15 10:32:51 0 d-------- C:\Documents and Settings\mikeser\Application Data\vmntoolbar
2007-10-15 10:04:24 0 d-------- C:\Program Files\Windows Live Safety Center
2007-10-10 19:44:03 0 --a------ C:\WINDOWS\system32\Biport
2007-10-09 21:48:23 0 d-------- C:\Program Files\mIRC
2007-10-05 15:21:52 0 d-------- C:\Program Files\LimeWire
2007-08-14 16:09:32 112 --a------ C:\WINDOWS\HOSTK100.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
10/05/2007 06:54 PM 1453080 --a------ C:\Program Files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410FCCD6-922C-41B5-B7DB-838C03E17C14}]
C:\WINDOWS\system32\mllml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
10/21/2007 06:11 PM 77376 --a------ C:\WINDOWS\system32\lmkkhqqa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
10/21/2007 06:08 PM 340032 --a------ C:\WINDOWS\system32\rqopvoby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0DCA605-E4F6-4F93-87C5-747CC019046B}]
10/15/2007 11:33 AM 308832 --a------ C:\WINDOWS\system32\awvvu.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= C:\Program Files\Freecorder\tbFre1.dll [10/05/2007 06:54 PM 1453080]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\rqopvoby.dll [10/21/2007 06:08 PM 340032]

[-HKEY_CLASSES_ROOT\CLSID\{1392B8D2-5C05-419F-A8F6-B9F15A596612}]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [05/14/2004 03:47 AM C:\WINDOWS\SOUNDMAN.EXE]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [12/30/2003 05:44 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/17/2005 07:19 PM]
"nwiz"="nwiz.exe" [02/24/2005 08:32 AM C:\WINDOWS\system32\nwiz.exe]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 11:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 03:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 04:04 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [05/25/2004 10:16 AM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [07/20/2004 10:34 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/02/2006 06:40 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/26/2007 07:02 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/24/2005 08:32 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [10/02/2007 04:27 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SearchIndexer"="C:\WINDOWS\system32\krpgecte.dll" [10/21/2007 05:58 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [12:00:00 AM]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [1/22/2006 10:01:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqopvoby]
rqopvoby.dll 10/21/2007 06:08 PM 340032 C:\WINDOWS\system32\rqopvoby.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AceGain LiveUpdate]
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
C:\Program Files\Gigabyte\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HorngTech4D]
C:\PROGRA~1\MOUSEM~1\MiceMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ohmbct]
C:\WINDOWS\ohmbct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
c:\program files\powerstrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saap]
c:\program files\music planet\saap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
C:\WINDOWS\system32\G-VGA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SCardSvr"=3 (0x3)
"iPodService"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.1 babe.the-killer.bz
127.0.0.1 www.babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 www.babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 www.did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 www.coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 www.coolwebsearch.com

6796 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-10-21 18:15:28 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 511.48 MiB / 308.46 MiB
Pagefile Memory (total/avail): 2015.34 MiB / 1716.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915.77 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 16.2 GiB total, 1.5 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 34.46 GiB total, 19.7 GiB free.
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 91731U4 - 16.21 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 16.2 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD360GD-00FNA0 - 34.47 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 34.46 GiB - E:

\\.\PHYSICALDRIVE2 - Brother MFC-210C USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gigabyte\\Gigabyte Windows Utility Manager\\ET4\\update.exe"="C:\\Program Files\\Gigabyte\\Gigabyte Windows Utility Manager\\ET4\\update.exe:*:Disabled:ftptest"
"C:\\Program Files\\Music Planet\\Main.exe"="C:\\Program Files\\Music Planet\\Main.exe:*:Disabled:LaunchAnywhere GUI"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"E:\\quake3.exe"="E:\\quake3.exe:*:Enabled:quake3"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"E:\\vietnam\\bfvietnam.exe"="E:\\vietnam\\bfvietnam.exe:*:Disabled:bfvietnam"
"C:\\Program Files\\Gigabyte\\Gigabyte Windows Utility Manager\\bios\\gwf32.exe"="C:\\Program Files\\Gigabyte\\Gigabyte Windows Utility Manager\\bios\\gwf32.exe:*:Enabled:gwflash"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\UT2004Demo\\System\\UT2004.exe"="C:\\UT2004Demo\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Documents and Settings\\mikeser\\Desktop\\ftpwanderer2\\FTPWanderer.exe"="C:\\Documents and Settings\\mikeser\\Desktop\\ftpwanderer2\\FTPWanderer.exe:*:Enabled:FTP Wanderer"
"E:\\UT2004\\System\\UT2004.exe"="E:\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\WINDOWS\\system32\\bthjmdif.exe"="C:\\WINDOWS\\system32\\bth"
"C:\\WINDOWS\\system32\\gkwawfub.exe"="C:\\WINDOWS\\system32\\gkw"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mikeser\Application Data
CLASSPATH=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BLEH-NAIK7VGNFN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mikeser
LOGONSERVER=\\BLEH-NAIK7VGNFN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mikeser\LOCALS~1\Temp
TMP=C:\DOCUME~1\mikeser\LOCALS~1\Temp
USERDOMAIN=BLEH-NAIK7VGNFN
USERNAME=mikeser
USERPROFILE=C:\Documents and Settings\mikeser
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mikeser (admin)
Administrator.BLEH-NAIK7VGNFN (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AceFTP 3 Freeware --> "C:\Program Files\Visicom Media\AceFTP 3 Freeware\uninst-ftp.exe"
AceGain LiveUpdate 1.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\AceGain\LiveUpdate\irunin.ini"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft Media Card Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3580211E-3BB7-42C0-ADC3-9A8C1EFFF2CB}\SETUP.EXE" -l0x9
ArcSoft MediaConverter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5BD1F9C-8BBA-410E-837D-94D523269F8F}\SETUP.EXE" -l0x9
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93F599DF-519B-4706-A3F1-9530DF2590B4}\SETUP.EXE" -l0x9
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Battlefield Vietnam™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x9
BCL easyPDF Printer Driver 4.3 --> MsiExec.exe /I{964361C3-15AB-4233-A6C7-4B277D73C949}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40A6C96D-808E-41DD-8716-617AB6B0F1F1}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CloneCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Elaborate Bytes\CloneCD\Uninst.isu" -c"C:\Program Files\Elaborate Bytes\CloneCD\InstallHelp.dll"
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DV TS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{54266945-8A11-424D-B20F-4F747A714FBA}\Setup.exe"
EasyTune5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\ET5\Uninst.isu" -c"C:\Program Files\Gigabyte\ET5\uninstdrv.dll"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Freecorder Toolbar --> C:\PROGRA~1\FREECO~1\UNWISE.EXE C:\PROGRA~1\FREECO~1\INSTALL.LOG
Freecorder Toolbar 3.0 Application --> "C:\WINDOWS\Freecorder Toolbar\uninstall.exe" "/U:E:\\Uninstall\uninstall.xml"
Fun Morph 3.0 --> "C:\Program Files\Zeallsoft\Fun Morph\unins000.exe"
GIGABYTE V-Tuner --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GigaByte\V-Tuner\Uninst.isu"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hello (remove only) --> "E:\Hello\Uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{13616DE2-9795-4910-8C93-80D45AF09658} /l1033
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' RogueRemover 1.22 --> "C:\Program Files\RogueRemover FREE\unins000.exe"
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Monitor Asset Manager (remove only) --> C:\Program Files\MonInfo\uninstal.exe
MouseMate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAAE5B6C-7574-44BC-8AB5-AD647635C221}\setup.exe" -l0x9
Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
muvee autoProducer 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E6CF5B58-E775-46C0-BFF2-F39A0014FE4A}\Setup.exe" -l0x9
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA System Utility --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Picasa 2 --> "e:\Program Files\Picasa2\Uninstall.exe"
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
Prime95 --> "e:\Program Files\Prime95\Uninstall.exe" "e:\Program Files\Prime95\install.log"
PunkBuster for Battlefield Vietnam --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.exe" -l0x9
Quake III Team Arena --> C:\WINDOWS\IsUninst.exe -fe:\Q3TA.isu
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Riva FLV Encoder 2.0 --> "C:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
RivaTuner v2.0 RC 15.3 New Year Edition --> "C:\Program Files\RivaTuner v2.0 RC 15.3 New Year Edition\uninstall.exe"
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Unreal Tournament 2004 --> e:\UT2004\System\Setup.exe uninstall "UT2004"
Unreal Tournament G.O.T.Y. Edition --> e:\UnrealTournament\System\Setup.exe uninstall "UnrealTournament"
Uploader! v3.3 --> "C:\Program Files\Uploader!\unins000.exe"
User Profile Hive Cleanup Service --> MsiExec.exe /I{BF755CD9-E185-498A-AAFB-E9F8470AB1CC}
VMN Toolbar --> C:\Program Files\vmntoolbar\uninstall.exe -uninstall -prompt
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WinMorph™ 3.01 --> "C:\Program Files\Debugmode\WinMorph\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type7730 / Error
Event Submitted/Written: 10/21/2007 06:14:51 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type7727 / Error
Event Submitted/Written: 10/21/2007 05:41:59 PM
Event ID/Source: 1000 / Microsoft IntelliPoint
Event Description:
point32.exe5.2.413.0point32.exe5.2.413.0000042ea

Event Record #/Type7722 / Error
Event Submitted/Written: 10/21/2007 05:22:00 PM
Event ID/Source: 1000 / Microsoft IntelliPoint
Event Description:
point32.exe5.2.413.0point32.dll5.2.413.0000102ca

Event Record #/Type7719 / Error
Event Submitted/Written: 10/21/2007 05:05:36 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.1.15, faulting module spybotsd.exe, version 1.5.1.15, fault address 0x00004a06.
Processing media-specific event for [spybotsd.exe!ws!]

Event Record #/Type7718 / Error
Event Submitted/Written: 10/21/2007 04:55:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.1.15, faulting module unknown, version 0.0.0.0, fault address 0x011f162a.
Processing media-specific event for [spybotsd.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3410 / Error
Event Submitted/Written: 10/21/2007 06:14:32 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type3409 / Error
Event Submitted/Written: 10/21/2007 06:12:23 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type3365 / Error
Event Submitted/Written: 10/21/2007 05:39:31 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the DomainService service to connect.

Event Record #/Type3364 / Error
Event Submitted/Written: 10/21/2007 05:39:31 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The DomainService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type3243 / Error
Event Submitted/Written: 10/21/2007 02:47:21 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip
wpsdrvnt



-- End of Deckard's System Scanner: finished at 2007-10-21 18:15:28 ------------

#14 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 06:11 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\lmkkhqqa.dll
C:\WINDOWS\system32\rqopvoby.dll
C:\WINDOWS\system32\ioermcnp.dll
C:\WINDOWS\system32\krpgecte.dll
C:\WINDOWS\system32\qsfouwtl.exe
C:\WINDOWS\system32\vylqcxqt.exe
C:\WINDOWS\system32\igmfxkjj.dll
C:\WINDOWS\system32\xjnfnwbi.exe
C:\WINDOWS\system32\odynojdd.exe
C:\WINDOWS\system32\ynwujaem.exe
C:\WINDOWS\system32\owsajmfv.exe
C:\WINDOWS\system32\dsibommx.exe
C:\WINDOWS\system32\gucjsgph.dll
C:\WINDOWS\system32\wxdqierb.exe
C:\WINDOWS\system32\krpipivt.exe
C:\WINDOWS\system32\lqrsxrqh.exe
C:\Program Files\Hammer.dll
C:\WINDOWS\system32\oqcesonj.exe
C:\WINDOWS\system32\uvvwa.bak2
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.bak1

Folders to delete:
C:\WINDOWS\system32\p1
C:\WINDOWS\system32\vMW02a
C:\{00004528-0000-0000-0ADF-111613256D73}
C:\{000039B2-0000-0000-B8A2-A432644C5E4F}

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.


If the above doesn't work, do the following:
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\lmkkhqqa.dll
C:\WINDOWS\system32\rqopvoby.dll
C:\WINDOWS\system32\ioermcnp.dll
C:\WINDOWS\system32\krpgecte.dll
C:\WINDOWS\system32\qsfouwtl.exe
C:\WINDOWS\system32\vylqcxqt.exe
C:\WINDOWS\system32\igmfxkjj.dll
C:\WINDOWS\system32\xjnfnwbi.exe
C:\WINDOWS\system32\odynojdd.exe
C:\WINDOWS\system32\ynwujaem.exe
C:\WINDOWS\system32\owsajmfv.exe
C:\WINDOWS\system32\dsibommx.exe
C:\WINDOWS\system32\gucjsgph.dll
C:\WINDOWS\system32\wxdqierb.exe
C:\WINDOWS\system32\krpipivt.exe
C:\WINDOWS\system32\lqrsxrqh.exe
C:\Program Files\Hammer.dll
C:\WINDOWS\system32\oqcesonj.exe
C:\WINDOWS\system32\uvvwa.bak2
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\p1
C:\WINDOWS\system32\vMW02a
C:\{00004528-0000-0000-0ADF-111613256D73}
C:\{000039B2-0000-0000-B8A2-A432644C5E4F}

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new Hijackthis log please.

#15 MikeSessa

  • Topic Starter

  • Members
  • 19 posts

Posted 21 October 2007 - 06:32 PM

Avenger result

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ebyyjlea

*******************

Script file located at: \??\C:\WINDOWS\system32\nmsblcba.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lmkkhqqa.dll deleted successfully.
File C:\WINDOWS\system32\rqopvoby.dll deleted successfully.
File C:\WINDOWS\system32\ioermcnp.dll deleted successfully.


File C:\WINDOWS\system32\krpgecte.dll not found!
Deletion of file C:\WINDOWS\system32\krpgecte.dll failed!

Could not process line:
C:\WINDOWS\system32\krpgecte.dll
Status: 0xc0000034

File C:\WINDOWS\system32\qsfouwtl.exe deleted successfully.
File C:\WINDOWS\system32\vylqcxqt.exe deleted successfully.
File C:\WINDOWS\system32\igmfxkjj.dll deleted successfully.
File C:\WINDOWS\system32\xjnfnwbi.exe deleted successfully.
File C:\WINDOWS\system32\odynojdd.exe deleted successfully.
File C:\WINDOWS\system32\ynwujaem.exe deleted successfully.
File C:\WINDOWS\system32\owsajmfv.exe deleted successfully.
File C:\WINDOWS\system32\dsibommx.exe deleted successfully.
File C:\WINDOWS\system32\gucjsgph.dll deleted successfully.
File C:\WINDOWS\system32\wxdqierb.exe deleted successfully.
File C:\WINDOWS\system32\krpipivt.exe deleted successfully.
File C:\WINDOWS\system32\lqrsxrqh.exe deleted successfully.
File C:\Program Files\Hammer.dll deleted successfully.
File C:\WINDOWS\system32\oqcesonj.exe deleted successfully.
File C:\WINDOWS\system32\uvvwa.bak2 deleted successfully.
File C:\WINDOWS\system32\uvvwa.ini2 deleted successfully.
File C:\WINDOWS\system32\uvvwa.bak1 deleted successfully.
File C:\WINDOWS\system32\awvvu.dll deleted successfully.
File C:\WINDOWS\system32\lmllm.bak2 deleted successfully.
File C:\WINDOWS\system32\lmllm.bak1 deleted successfully.
Folder C:\WINDOWS\system32\p1 deleted successfully.
Folder C:\WINDOWS\system32\vMW02a deleted successfully.
Folder C:\{00004528-0000-0000-0ADF-111613256D73} deleted successfully.
Folder C:\{000039B2-0000-0000-B8A2-A432644C5E4F} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


New Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:13 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\mikeser.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)
O2 - BHO: (no name) - {689F4CE9-55C6-47AE-BE88-D252631B9C11} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\lmkkhqqa.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rqopvoby.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CEE6C507-8395-4050-84F7-E4E26781FAEA} - (no file)
O2 - BHO: (no name) - {E81240CA-E5D7-473D-AA89-67B2EE533039} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rqopvoby.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jlabqnuk.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Monitor.lnk = E:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - E:\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddccaxx - C:\WINDOWS\
O20 - Winlogon Notify: rqopvoby - rqopvoby.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gkwawfub.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8630 bytes
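As an added example (not part of this thread, of HijackThis or of Avenger), here is a small triage script that applies the same checks the helper applied by hand to lines in the shape of the log above, then lays out any flagged file that is still on disk in the "Files to delete:" format of the Avenger script posted earlier. The sample lines are copied from the posted log; the rule names and the helper functions are my own and the output is a review list, not a verdict.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above; the
# CLSIDs and paths are copied from that log rather than invented.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {410FCCD6-922C-41B5-B7DB-838C03E17C14} - C:\WINDOWS\system32\mllml.dll (file missing)",
    r"O2 - BHO: (no name) - {58932813-9280-4878-8631-60004E7F628F} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)",
    r"O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rqopvoby.dll (file missing)",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jlabqnuk.dll",sitypnow',
    "O20 - Winlogon Notify: ddccaxx - C:\\WINDOWS\\",
    r"O20 - Winlogon Notify: rqopvoby - rqopvoby.dll (file missing)",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gkwawfub.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# Triage rules (my own names), one (reason, regex) per pattern the helper acted
# on in this thread: an entry whose file is gone, an 8-letter random name in
# system32, a service with no vendor, a Winlogon Notify entry pointing at a
# directory instead of a DLL, and a rundll32 logon load out of system32.
RULES = [
    ("file missing or no file", re.compile(r"\((?:file missing|no file)\)")),
    ("8-letter random name in system32", re.compile(r"\\[sS]ystem32\\[a-z]{8}\.(?:dll|exe)\b")),
    ("service with unknown owner", re.compile(r"^O23 - Service: .+ - Unknown owner - ")),
    ("Winlogon Notify points at a directory", re.compile(r"^O20 - Winlogon Notify: \S+ - .*\\$")),
    ("rundll32 loads a DLL from system32 at logon",
     re.compile(r'^O4 - .*rundll32\.exe "[^"]*\\[sS]ystem32\\[^"]+\.dll"')),
]
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.I)

def entry_key(line):
    """The identifier a helper quotes back: CLSID, [Run value name], or entry name."""
    m = CLSID.search(line)
    if m:
        return m.group(0)
    m = re.search(r"\[([^\]]+)\]", line)
    if m:
        return m.group(1)
    m = re.match(r"O\d+ - [^:]+: (.+?) - ", line)
    return m.group(1) if m else line

def triage(lines):
    """One finding per R*/O* line that trips a rule; all other lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not re.match(r"[RO]\d+ - ", line):
            continue  # header, running-process list, footer
        reasons = [reason for reason, rx in RULES if rx.search(line)]
        if not reasons:
            continue
        path = PATH.search(line)
        findings.append({
            "section": line.split(" - ", 1)[0],
            "key": entry_key(line),
            "path": path.group(0) if path else None,
            "missing": bool(RULES[0][1].search(line)),
            "reasons": reasons,
        })
    return findings

def deletion_candidates(findings):
    """Flagged files still on disk: what a follow-up 'Files to delete:' script
    could target once a helper has confirmed each one (Avenger keeps backups)."""
    return [f["path"] for f in findings if f["path"] and not f["missing"]]

def avenger_script(files, folders=()):
    """Lay the paths out in the script format the helper posted above."""
    out = "Files to delete:\n" + "".join(p + "\n" for p in files)
    if folders:
        out += "\nFolders to delete:\n" + "".join(p + "\n" for p in folders)
    return out

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["key"], "->", "; ".join(f["reasons"]))
    print(avenger_script(deletion_candidates(triage(SAMPLE_LOG))))
```

Entries that are only "(file missing)" (such as the Java ssv.dll one) are orphaned registry references to fix in HijackThis, not files to delete, which is why the script separates the two.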
