
Malware Infestation


  • This topic is locked
13 replies to this topic

#1 jjdefan

Posted 26 October 2007 - 11:35 AM

Please review HJT log: I have run the latest version of AAW and it removed nearly 700 entries, but I know there are more.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:06 AM, on 10/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\lmdsrngk.exe
C:\WINDOWS\System32\shellexpi.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\ISAACSIONA\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=574
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINDOWS\System32\trust.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{DC-C3-38-88-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngk.exe CHD003
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexpi.exe en
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: .lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm497KOUS
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c8f7837eb548...ip/RdxIE601.cab
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://9vjyw7.allpornpass.com/images/Aa0003_08.jpg
O24 - Desktop Component 1: (no name) - http://domai.com/pics/big/kristina-016.jpg
O24 - Desktop Component 10: (no name) - http://domai.com/pics/big/natassja-010b.jpg
O24 - Desktop Component 11: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O24 - Desktop Component 2: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.2340-5r2m.jpg
O24 - Desktop Component 3: (no name) - http://ww3.voyeurweb.com/main/fse34/fs2003...804-43162-0.jpg
O24 - Desktop Component 4: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...1.0820-4dii.jpg
O24 - Desktop Component 5: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...0.1507-3fdm.jpg
O24 - Desktop Component 6: (no name) - http://domai.com/pics/big/Tatya-073.jpg
O24 - Desktop Component 7: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.1241-o5fe.jpg
O24 - Desktop Component 8: (no name) - http://domai.com/pics/big/Dariya-7638.jpg
O24 - Desktop Component 9: (no name) - http://domai.com/pics/big/svetlana-304.jpg

--
End of file - 11610 bytes
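A triage pass over a HijackThis log, as an added example (editor's code, not HijackThis itself and not anything the helper posted): it walks the log lines and flags the persistence points that matter most in a log like the one above, the Winlogon Shell/UserInit values (F2), AppInit_DLLs (O20), services with no vendor or a missing binary (O23) and a Run value whose name only mimics a GUID (O4), plus the lower-priority browser and Active Desktop entries. The severity rules, the GUID check and the "executable dropped straight into the Windows folder" heuristic are the editor's assumptions; SAMPLE_LINES is a constructed excerpt copied from the log above.

```python
"""Triage HijackThis (HJT) log lines for common hijack patterns.

Editor's added example, not HijackThis code.  Severity rules are the
editor's own heuristics; SAMPLE_LINES is a constructed excerpt of the log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Expected Winlogon values on Windows XP; anything else in Shell=/UserInit= runs at logon.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "userinit.exe"

# A genuine GUID-style Run value name: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# Heuristic (assumption): an autorun .exe sitting directly in C:\WINDOWS, not a subfolder
WINROOT_EXE_RE = re.compile(r'^[A-Z]:\\WINDOWS\\[^\\\s"]+\.exe\b', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    tag: str       # HJT section tag: F2, O4, O20, ...
    reason: str
    line: str


def _winlogon_extra(value: str, default: str) -> List[str]:
    """Programs in a Shell=/UserInit= value other than the expected default.
    Splits on commas and whitespace, so a quoted path with spaces is not handled."""
    parts = [p.strip('"') for p in re.split(r"[,\s]+", value) if p.strip()]
    return [p for p in parts if ntpath.basename(p).lower() != default]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the HJT line deserves a closer look, else None."""
    line = line.strip()
    head, _, rest = line.partition(" - ")
    tag = head.strip()

    if tag == "F2":
        m = re.search(r"(Shell|UserInit)=(.*)$", rest)
        if m:
            default = DEFAULT_SHELL if m.group(1) == "Shell" else DEFAULT_USERINIT
            extra = _winlogon_extra(m.group(2), default)
            if extra:
                return Finding("high", tag, f"Winlogon {m.group(1)} also launches {', '.join(extra)}", line)
    elif tag == "O20":
        value = rest.split(":", 1)[1].strip() if ":" in rest else ""
        if value:
            return Finding("high", tag, f"AppInit_DLLs loads {value} into every process using user32.dll", line)
    elif tag == "O23":
        if "Unknown owner" in rest or "(file missing)" in rest:
            return Finding("high", tag, "service with no vendor and/or a missing binary", line)
    elif tag == "O4":
        m = re.search(r"\[([^\]]*)\]\s*(.*)$", rest)
        if m:
            name, cmd = m.group(1), m.group(2).strip('"')
            if name.startswith("{") and not GUID_RE.match(name):
                return Finding("high", tag, f"Run value name {name} mimics a GUID but is not one", line)
            if WINROOT_EXE_RE.match(cmd):
                return Finding("medium", tag, "autorun executable sits directly in the Windows folder", line)
    elif tag in ("O2", "O3"):
        if "(no name)" in rest or "(file missing)" in rest:
            return Finding("medium", tag, "browser extension with no name or a missing DLL", line)
    elif tag == "O15":
        return Finding("medium", tag, "site added to the IE Trusted Zone", line)
    elif tag == "O24":
        return Finding("medium", tag, "Active Desktop component pointing at external or local HTML", line)
    elif tag in ("R0", "R1") and "http" in rest:
        return Finding("info", tag, "browser start/search page set to an external URL; confirm it is wanted", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over every line and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed excerpt: lines copied from the HJT log posted above.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=574",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe",
    r"F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,",
    r"O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINDOWS\System32\trust.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [{DC-C3-38-88-ZN}] C:\WINDOWS\SYSTEM32\lmdsrngk.exe CHD003",
    r"O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe",
    r"O15 - Trusted Zone: *.greg-search.com",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat",
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O24 - Desktop Component 11: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.tag:3} {f.reason}")
```

Run it against a saved `hijackthis.log` by passing `open(path).read().splitlines()` to `triage()`. The F2 and O20 rules are the ones worth trusting most: a second program appended to Shell or UserInit runs at every logon whatever the user does, and a non-empty AppInit_DLLs value is loaded into nearly every GUI process, which is why those two need cleaning before anything typed on the machine can be considered private.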


#2 MoNsTeReNeRgY22


Posted 28 October 2007 - 02:35 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.


#3 MoNsTeReNeRgY22


Posted 29 October 2007 - 12:04 AM

Hello jjdefan,

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Step 1
Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Step 2
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply along with the Report.txt from SDFix.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step 3
Download Deckard's System Scanner (DSS) to your Desktop.
  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)


Step 4
Please post the following in your next reply
  • Report.txt
  • SmitFraudFix Log
  • Main.txt
  • Extra.txt


#4 jjdefan (Topic Starter)

Posted 29 October 2007 - 06:54 PM

Here are the scans:


SDFix: Version 1.112



Run by ISAACSIONA on Mon 10/29/2007 at 02:22 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\D2KPAX.EXE - Deleted
C:\WINDOWS\SYSTEM32\DLLH8J~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\CTSR3.DLL - Deleted
C:\WINDOWS\SYSTEM32\D2KPAX.DLL - Deleted
C:\WINDOWS\SYSTEM32\JAC.DLL - Deleted
C:\WINDOWS\SYSTEM32\MSXSLAB.DLL - Deleted
C:\WINDOWS\SYSTEM32\SYSTEM32.DLL - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\7.dllb - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\stdrun2.exe - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\stdrun8.exe - Deleted
C:\Documents and Settings\ISAACSIONA\Local Settings\Temp\ma1x1dd1v.game - Deleted
C:\WINDOWS\EKR.exe.tmp - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\Documents and Settings\ISAACSIONA\Application Data\Install.dat - Deleted
C:\WINDOWS\hostctrl.dll - Deleted
C:\WINDOWS\hstsys.dll - Deleted
C:\WINDOWS\nmcuninstall.exe - Deleted
C:\WINDOWS\ntspknlg.dll - Deleted
C:\WINDOWS\optnet.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system\System.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q1.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q2.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q5.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q6.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q7.exe - Deleted
C:\WINDOWS\system32\dllh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\kernelwind32.exe - Deleted
C:\WINDOWS\system32\ldcore.dll - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\max1d11643v.exe - Deleted
C:\WINDOWS\system32\sulimo.dat - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\xlavba3.exe - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted


Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 11 Jun 2004 0 ..SHR --- "C:\mssys.com"
Fri 11 Jun 2004 0 ..SHR --- "C:\q250204.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\soundmx.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\Program Files\q330994.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\cvchost.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\dl.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\dlm.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\msstasks.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\mssys.com"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\mstaskss.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\msxmidi.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\nem216.dll"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\ntldr.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\reg33.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\rocky.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\seksdialer.exe"
Tue 8 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0\aolphx.exe"
Tue 8 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0\aoltray.exe"
Tue 8 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0\RBM.exe"
Tue 8 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0\waol.exe"
Fri 15 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 15 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 15 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 29 Dec 2004 233,554 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Thu 12 Apr 2007 105,246 A..H. --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc70.tmp"
Fri 11 Jun 2004 0 A.SHR --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc72.exe"
Fri 11 Jun 2004 0 A.SHR --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc73.exe"
Fri 11 Jun 2004 0 A.SHR --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc74.exe"
Fri 11 Jun 2004 0 A.SHR --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc75.exe"
Fri 11 Jun 2004 0 A.SHR --- "C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc76.exe"
Fri 11 Jun 2004 0 ..SHR --- "C:\WINDOWS\SYSTEM\wmscrop.exe"
Sun 3 Aug 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Nov 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Mon 6 Dec 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 6 Dec 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Tue 8 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0\COMIT\cswitch.exe"
Sat 22 Jul 2006 92 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti474.tmp"
Tue 8 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sun 3 Aug 2003 4,348 ...H. --- "C:\Documents and Settings\ISAACSIONA\Application Data\Real\Rhapsody\wmlicbackup\drmv1key.bak"
Mon 12 Mar 2007 401 A..H. --- "C:\Documents and Settings\ISAACSIONA\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"
Mon 6 Dec 2004 400 A.SH. --- "C:\Documents and Settings\ISAACSIONA\Application Data\Real\Rhapsody\wmlicbackup\drmv2key.bak"
Mon 2 Aug 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

SmitFraudFix v2.242



Scan done at 18:34:25.04, Mon 10/29/2007
Run from C:\Documents and Settings\ISAACSIONA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\windows\system32\dwdsrngt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ISAACSIONA


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ISAACSIONA\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ISAACS~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://9vjyw7.allpornpass.com/images/Aa0003_08.jpg"
"SubscribedURL"="http://9vjyw7.allpornpass.com/images/Aa0003_08.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://domai.com/pics/big/kristina-016.jpg"
"SubscribedURL"="http://domai.com/pics/big/kristina-016.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://voy.voyeurweb.com/contestRESULTS/20030709/20030708.2340-5r2m/20030708.2340-5r2m.jpg"
"SubscribedURL"="http://voy.voyeurweb.com/contestRESULTS/20030709/20030708.2340-5r2m/20030708.2340-5r2m.jpg"
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{F452160D-0E8B-4123-B482-209C1438CFE4}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Deckard's System Scanner v20071014.68


Run by ISAACSIONA on 2007-10-29 18:37:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
72: 2007-10-29 23:37:37 UTC - RP1323 - Deckard's System Scanner Restore Point
71: 2007-10-29 01:28:38 UTC - RP1322 - System Checkpoint
70: 2007-10-28 00:28:38 UTC - RP1321 - System Checkpoint
69: 2007-10-26 23:28:41 UTC - RP1320 - System Checkpoint
68: 2007-10-25 22:49:45 UTC - RP1319 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2007-12-24 14:03:46 UTC - RP1252 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ISAACSIONA.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:50 PM, on 10/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\windows\system32\dwdsrngt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\ISAACSIONA\Desktop\dss.exe
C:\Documents and Settings\ISAACSIONA\Application Data\U3\0000060410005711\LaunchPad.exe
C:\DOCUME~1\ISAACS~1\Desktop\HIJACK~1\ISAACSIONA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=574
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINDOWS\System32\trust.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{DC-C3-38-88-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: .lnk = ?
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm497KOUS
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c8f7837eb548...ip/RdxIE601.cab
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://9vjyw7.allpornpass.com/images/Aa0003_08.jpg
O24 - Desktop Component 1: (no name) - http://domai.com/pics/big/kristina-016.jpg
O24 - Desktop Component 10: (no name) - http://domai.com/pics/big/natassja-010b.jpg
O24 - Desktop Component 11: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O24 - Desktop Component 2: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.2340-5r2m.jpg
O24 - Desktop Component 3: (no name) - http://ww3.voyeurweb.com/main/fse34/fs2003...804-43162-0.jpg
O24 - Desktop Component 4: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...1.0820-4dii.jpg
O24 - Desktop Component 5: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...0.1507-3fdm.jpg
O24 - Desktop Component 6: (no name) - http://domai.com/pics/big/Tatya-073.jpg
O24 - Desktop Component 7: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.1241-o5fe.jpg
O24 - Desktop Component 8: (no name) - http://domai.com/pics/big/Dariya-7638.jpg
O24 - Desktop Component 9: (no name) - http://domai.com/pics/big/svetlana-304.jpg

--
End of file - 11164 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 crlscsi - c:\windows\system32\drivers\crlscsi.sys <Not Verified; Corel Corporation; Corel TWAIN>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 HCWBT8xx (Hauppauge WinTV 848/9 WDM Video Driver) - c:\windows\system32\drivers\hcwbt8xx.sys <Not Verified; Hauppauge Computer Works; WinTV WDM Driver>

S2 ohbusb (Open Host Controller Miniport USB Driver) - c:\windows\system32\drivers\ohbusb.sys (file missing)
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - d:\ppp\pcampr5.sys (file missing)
S3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - d:\ppp\pcandis5.sys (file missing)
S3 Secdrv - c:\windows\system32\drivers\secdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>

S2 .NET Connection Service (.NET Framework Service) - c:\windows\svchost.exe (file missing)
S2 SvcProc (System Startup Service ) - c:\windows\svcproc.exe (file missing)
S3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-29 18:38:11 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-Owner).job
2007-10-29 18:38:11 502 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-ISAACSIONA).job
2007-10-29 18:36:00 502 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (DOUBLEDOG-ISAACSIONA).job


-- Files created between 2007-09-29 and 2007-10-29 -----------------------------

2007-10-29 18:34:27 2164 --a------ C:\WINDOWS\System32\tmp.reg
2007-10-29 14:20:29 0 d-------- C:\WINDOWS\ERUNT
2007-10-25 19:01:56 384 --ah----- C:\aaw7boot.cmd
2007-10-25 17:50:09 0 d-------- C:\Ad-Aware 2007
2007-10-25 17:49:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 15:14:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 15:13:40 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-25 15:08:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-25 15:06:57 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-10-25 15:06:57 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-10-25 15:06:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-10-24 19:54:30 16384 --a------ C:\WINDOWS\xlavba6.exe
2007-10-24 13:24:11 0 d-------- C:\Program Files\My Sam's Club Digital Photo Center
2007-10-24 13:13:50 0 d--hs---- C:\WINDOWS\System32\wsnpoem
2007-10-24 13:12:31 20992 --a------ C:\WINDOWS\oeimara.exe
2007-10-22 08:51:01 17408 --a------ C:\psapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-22 08:50:08 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-22 08:50:06 0 d-------- C:\Program Files\ISM2
2007-10-22 08:49:55 13824 --a------ C:\WINDOWS\plite731.exe <Not Verified; System Service; System Monitor Service>
2007-10-22 08:49:26 0 d-------- C:\WINDOWS\System32\oTt06e
2007-10-22 08:49:23 294668 --a------ C:\WINDOWS\frexup3.exe
2007-10-22 08:48:39 34304 --a------ C:\WINDOWS\klonos.exe
2007-10-19 19:23:14 0 d-------- C:\My Sam's Club Digital Photo Center
2007-10-19 18:18:17 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\YourPrivacyGuard
2007-10-19 17:49:37 0 d-------- C:\Program Files\Common Files\YourPrivacyGuard
2007-10-19 17:18:29 0 d-------- C:\Program Files\AdwareRemover2007
2007-10-19 09:00:16 120024 --a------ C:\WINDOWS\drkara.exe
2007-10-19 08:56:15 99032 --a------ C:\WINDOWS\System32\trust.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-18 17:23:06 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-10-18 17:22:28 46592 --a------ C:\WINDOWS\System32\drivers\FMTR.sys <Not Verified; LocusSoftware, Inc.; FMTR>
2007-10-18 16:32:26 7432 --a------ C:\WINDOWS\xlavra3.exe
2007-10-18 00:41:33 102400 --a------ C:\Documents and Settings\All Users\Application Data\nknyvmpq.dll
2007-10-18 00:41:32 0 d-------- C:\Program Files\oymmzgbd
2007-10-18 00:28:10 0 --a------ C:\WINDOWS\kwv2.dat
2007-10-16 13:09:24 18944 --a------ C:\WINDOWS\System32\msmapibx32.exe
2007-10-08 12:20:20 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\FunWebProducts
2007-10-06 20:40:04 0 d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-10-06 20:40:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SeekmoSA
2007-10-03 14:26:28 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Move Networks


-- Find3M Report ---------------------------------------------------------------

2007-10-29 18:37:22 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-29 14:39:51 0 d-a------ C:\Program Files\Common Files
2007-10-29 14:09:47 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\U3
2007-10-25 19:02:33 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\alta
2007-09-26 15:47:37 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Yahoo!
2007-09-25 19:46:17 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\AVG7
2007-09-19 12:11:41 0 d-------- C:\Program Files\Yahoo!
2007-09-18 20:49:05 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Mozilla
2007-09-18 20:46:08 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-18 20:45:57 0 d-------- C:\Program Files\Common Files\Real
2007-09-18 20:45:14 0 d-------- C:\Program Files\Google
2007-09-18 20:44:49 3424 --a------ C:\WINDOWS\mozver.dat
2007-09-13 14:46:35 28672 --a------ C:\WINDOWS\System32\f3PSSavr.scr <Not Verified; FunWebProducts.com; Popular Screensavers>
2007-08-31 19:21:31 4 --a------ C:\WINDOWS\System32\3EC958
2007-08-29 13:46:13 0 d-------- C:\Program Files\Print Workshop 2005 LE
2007-08-29 13:42:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-14 15:49:41 52764 --a------ C:\WINDOWS\System32\lmdsrngk.exe <Not Verified; ; Browser Driver>
2007-08-14 11:21:51 192584 --a------ C:\WINDOWS\System32\swinnmdt.exe
2007-08-14 11:21:45 52755 --a------ C:\WINDOWS\System32\dwdsrngt.exe <Not Verified; ; Browser Driver>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
C:\Program Files\ISM\BndDrive7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FB5B012-E8CB-46cd-B6D2-ED428FAE9043}]
C:\Program Files\ISM\BndDrive5.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4837DA-938C-4864-3BDA-A47284DFCC71}]
10/19/2007 08:56 AM 99032 --a------ C:\WINDOWS\System32\trust.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{07AA283A-43D7-4CBE-A064-32A21112D94D}"= C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D}]
[HKEY_CLASSES_ROOT\HostIE.Bho.1]
[HKEY_CLASSES_ROOT\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}]
[HKEY_CLASSES_ROOT\HostIE.Bho]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [09/04/2002 10:28 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/15/2003 02:22 PM]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [02/08/2003 05:42 PM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [02/10/2005 09:32 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [10/18/2007 06:49 PM]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [08/24/2007 04:00 PM]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [04/03/2002 12:01 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/13/2003 10:48 AM]
"WD Button Manager"="WDBtnMgr.exe" [03/20/2006 04:09 PM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/25/2007 06:30 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/18/2007 08:44 PM]
"{DC-C3-38-88-ZN}"="c:\windows\system32\dwdsrngt.exe" [08/14/2007 11:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MyWebSearch Email Plugin"="C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe" [09/13/2007 02:46 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 04:43 PM]
"AVSystemCare"="C:\Program Files\AVSystemCare\pgs.exe" []
"AdwareRemover2007"="C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe" [10/19/2007 05:18 PM]
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [09/28/2007 08:27 AM]
"ISMPack7"="C:\Program Files\ISM2\ISMPack7.exe" [10/16/2007 10:10 AM]
"ISMModule8"="C:\Program Files\ISM\ISMModule8.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\System32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\11]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ISAACSIONA^Start Menu^Programs^Startup^Download Plus.lnk]
path=C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\Download Plus.lnk
backup=C:\WINDOWS\pss\Download Plus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNUBHO]
C:\WINDOWS\AHNUBHO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccwxsvrcma]
C:\WINDOWS\System32\emkbrwq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
C:\PROGRA~1\CLOCKS~1\Sync.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentService]
C:\WINDOWS\System32\winservn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iotn]
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jopa]
C:\WINDOWS\System32\sysstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MD IE Plugin]
C:\Program Files\MD\md

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
C:\Program Files\MemoryMeter\MemoryMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
C:\Program Files\nCase\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMGT]
C:\WINDOWS\MSMGT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitUpdate]
C:\Program Files\Orbit\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitView]
C:\Program Files\Orbit\view.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
C:\Program Files\SafeSurfing\SSUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyBlast]
C:\Program Files\SpyBlast\SpyBlast.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQConfigChecker]
C:\Program Files\Sqwire\cc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQUpdatesChecker]
C:\Program Files\Sqwire\uc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
C:\WINDOWS\System32\stcloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\isaacsiona\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uninstal]
regsvr32 /u /s image.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\PROGRA~1\WEATHE~1\Weather.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webassist]
C:\WINDOWS\webassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\PROGRA~1\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCast]
D:\SETUP.EXE -leng

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStart001.EXE]
C:\WINDOWS\System\WinStart001.EXE -b


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e657b8-639f-11dc-9ed5-00038a000015}]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2007-10-29 18:40:49 ------------

Deckard's System Scanner v20071014.68


Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.53GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 255 MiB / 79.89 MiB
Pagefile Memory (total/avail): 618.3 MiB / 390.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.19 MiB

B: is Removable (No Media)
C: is Fixed (NTFS) - 55.84 GiB total, 31.05 GiB free.
D: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - IC35L060AVV207-0 - 55.87 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 55.84 GiB - C:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 972.69 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 973.43 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
AUState says computer is ready and waiting.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ISAACSIONA\Application Data
CLASSPATH="C\QTJava.zip"
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DOUBLEDOG
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ISAACSIONA
LOGONSERVER=\\DOUBLEDOG
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ISAACS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ISAACS~1\LOCALS~1\Temp
USERDOMAIN=DOUBLEDOG
USERNAME=ISAACSIONA
USERPROFILE=C:\Documents and Settings\ISAACSIONA
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ISAACSIONA (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Uninst.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
American Greetings® Art & More Store --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mindscape\Art & More Store\Uninst.isu"
AncestryView --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MyFamily.Com\AncestryView\Uninst.isu"
AOL Coach Version 1.0(Build:20030807.3) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
Corel Applications --> C:\WINDOWS\COREL\UNINSTAL.EXE
CreataCard Special Edition 2 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\CreataCard\Special Edition\DeIsL1.isu"
Dell AIO Printer A940 --> C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBAUN5C.EXE -dDell AIO Printer A940
Dell Picture Studio - Dell Image Expert --> MsiExec.exe /I{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Disney Print Studio Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C081D6E-A899-11D6-B2FB-0002A5E32BEF}\setup.exe"
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
ebgcInfra --> MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes --> MsiExec.exe /X{5380B111-5047-413D-A6E5-70D69391D08E}
ebgcSDK --> MsiExec.exe /X{13AD768A-9E04-499D-AE80-967A65DCCBA5}
Family Feud --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFB50C42-4905-11D4-8BA5-0050BAAA20E2}\setup.exe"
Family Tree Maker 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2F4C144-7D1A-47C4-9D53-395A57B0CD64}\setup.exe" -l0x9
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GSM TRIAL --> "C:\Program Files\GSM\uninstall\unins000.exe"
Hauppauge English Help Files and Resources --> C:\PROGRA~1\WinTV\UNHLPeng.EXE C:\PROGRA~1\WinTV\WTV2Keng.LOG
Hauppauge WinTV Scheduler --> C:\PROGRA~1\WinTV\SCHEDU~1\UNWISE.EXE C:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV Soft PVR --> C:\PROGRA~1\WinTV\UNSftPVR.EXE C:\PROGRA~1\WinTV\softpvr.LOG
Hauppauge WinTV Source Selector --> C:\PROGRA~1\WinTV\UNtvsel.EXE C:\PROGRA~1\WinTV\WINTVsel.LOG
Hauppauge WinTV2000 --> C:\PROGRA~1\WinTV\UNTV32.EXE C:\PROGRA~1\WinTV\WINTV2K.LOG
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Explorer Q828750 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q828750.inf
McAfee.com SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mghtml.exe mcp://c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\ISAACSIONA\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Musicnotes Player V1.22.3 --> "C:\Program Files\Musicnotes\Player\unins000.exe"
My Web Search --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsbar.dll,O
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
Online Manuals for WinTV (English) --> C:\PROGRA~1\WinTV\UNTVmans.exe C:\PROGRA~1\WinTV\WinTVMan.LOG
Paint Shop Pro 4 Shareware --> C:\PROGRA~1\PAINTS~1\UNWISE.EXE C:\PROGRA~1\PAINTS~1\INSTALL.LOG
PIXELA ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13413C6C-C640-40B8-917E-CA3062826B18}\setup.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Print Workshop 2005 LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26694549-38A6-11D9-AD8E-0050DA87D0EB}\setup.exe" -l0x9
PrintMaster 7.00 --> c:\PROGRA~1\MINDSC~1\PRINTM~1\uninst32.exe /IFirst
Quicken 2002 New User Edition --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Retrospect 6.5 --> MsiExec.exe /I{73B69C5C-87D6-471E-B695-0BD736C4B644}
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Search Basket --> C:\WINDOWS\enhuninstall.exe
Seekmo Browser and Wowpapers Tools --> "C:\Program Files\Seekmo\bin\10.0.341.0\SeekmoUnInstaller.exe" Web
Serif DrawPlus 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp30\DrawPlus_uninst.isu"
SmartDraw 6 --> C:\Media\UNINSTAL.EXE C:\Media\install.log
SmartDraw 7 Trial Edition --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\INSTALL.LOG
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\SETUP.EXE" -l0x9
TDK LabelCreator --> C:\WINDOWS\uninst.exe -f"C:\Program Files\TDK_LabelCreator\DeIsL2.isu" -cC:\PROGRA~1\TDK_LA~1\_ISREG32.DLL
Ulead Drop Spot 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BCC5640-5360-11D4-A44A-0000E86D2305}\setup.exe" -l0x9
Ulead PhotoImpact XL SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CADA6C4C-3EF2-43FC-8E5B-E89E3880A399}\setup.exe" -l0x9
Vantage Point Report Viewer --> MsiExec.exe /X{2CDC06BB-0D32-46EA-8D92-225D9ED79287}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Savings from Ebates --> wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" ls: deletefeature ld: feature=ebateswebsavingsdr1.xml
Win32 BI Application --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\payload.inf, Uninstall
WordPerfect Office 2002 --> C:\WINDOWS\Corel\Uninst32.exe
WordPerfect Office 2002 --> C:\WINDOWS\Corel\uninst32.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2433 / Error
Event Submitted/Written: 10/29/2007 02:16:39 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2432 / Error
Event Submitted/Written: 10/29/2007 02:16:39 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type2421 / Error
Event Submitted/Written: 10/25/2007 07:09:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application xpupdate.exe, version 0.0.0.0, faulting module xpupdate.exe, version 0.0.0.0, fault address 0x00001b23.

Event Record #/Type2417 / Error
Event Submitted/Written: 10/25/2007 06:09:45 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2416 / Error
Event Submitted/Written: 10/25/2007 06:09:45 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4237 / Error
Event Submitted/Written: 10/29/2007 06:06:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The System Startup Service service failed to start due to the following error:
%%2

Event Record #/Type4236 / Error
Event Submitted/Written: 10/29/2007 06:06:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Open Host Controller Miniport USB Driver service failed to start due to the following error:
%%2

Event Record #/Type4235 / Error
Event Submitted/Written: 10/29/2007 06:06:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The .NET Framework Service service failed to start due to the following error:
%%2

Event Record #/Type4232 / Error
Event Submitted/Written: 10/29/2007 02:20:11 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type4231 / Error
Event Submitted/Written: 10/29/2007 02:20:11 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2007-10-29 18:40:49 ------------

#5 MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male

Posted 02 November 2007 - 12:40 AM

Hello again jjdefan,

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Step 1
Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Now reboot into Normal Windows.

Step 2
Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

My Web Search
Seekmo Browser and Wowpapers Tools
Web Savings from Ebates
Win32 BI Application
Search Basket


Step 3
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=574
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50039
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.341.0\HostIE.dll (file missing)
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKLM\..\Run: [{DC-C3-38-88-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm497KOUS
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c8f7837eb548...ip/RdxIE601.cab
O16 - DPF: {645D793B-33E2-4175-A7E1-BA490839358A} (DNL Control) - http://www.huntfly.com/media/MyFIDNL.ocx
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - http://9vjyw7.allpornpass.com/images/Aa0003_08.jpg
O24 - Desktop Component 1: (no name) - http://domai.com/pics/big/kristina-016.jpg
O24 - Desktop Component 10: (no name) - http://domai.com/pics/big/natassja-010b.jpg
O24 - Desktop Component 11: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O24 - Desktop Component 2: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.2340-5r2m.jpg
O24 - Desktop Component 3: (no name) - http://ww3.voyeurweb.com/main/fse34/fs2003...804-43162-0.jpg
O24 - Desktop Component 4: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...1.0820-4dii.jpg
O24 - Desktop Component 5: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...0.1507-3fdm.jpg
O24 - Desktop Component 6: (no name) - http://domai.com/pics/big/Tatya-073.jpg
O24 - Desktop Component 7: (no name) - http://voy.voyeurweb.com/contestRESULTS/20...8.1241-o5fe.jpg
O24 - Desktop Component 8: (no name) - http://domai.com/pics/big/Dariya-7638.jpg
O24 - Desktop Component 9: (no name) - http://domai.com/pics/big/svetlana-304.jpg


Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Step 4
Please copy (Ctrl C) and paste (Ctrl V) the following text in the code box to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
rem sc.exe addresses a service by its key name (the name in parentheses in the
rem HijackThis O23 line), not by its display name, so "System Startup Service"
rem is SvcProc and ".NET Framework Service" is ".NET Connection Service".
sc stop SvcProc
sc delete SvcProc
sc stop ".NET Connection Service"
sc delete ".NET Connection Service"
exit

Double click FixServices.bat. A window will open and close. This is normal.

Step 5
Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\svcproc.exe
    C:\Program Files\AVSystemCare
    C:\PROGRA~1\MYWEBS~1
    C:\Program Files\Seekmo
    C:\Program Files\ISM
    C:\Program Files\ISM2
    C:\WINDOWS\xlavba6.exe
    C:\WINDOWS\System32\wsnpoem
    C:\WINDOWS\oeimara.exe
    C:\WINDOWS\plite731_uninstaller_.bat
    C:\WINDOWS\plite731.exe
    C:\WINDOWS\System32\oTt06e
    C:\WINDOWS\frexup3.exe
    C:\WINDOWS\klonos.exe
    C:\WINDOWS\drkara.exe
    C:\WINDOWS\xlavra3.exe
    C:\Program Files\oymmzgbd
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\System32\msmapibx32.exe
    C:\Documents and Settings\ISAACSIONA\Application Data\FunWebProducts
    C:\Documents and Settings\All Users\Application Data\SeekmoSA
    C:\WINDOWS\System32\f3PSSavr.scr
    C:\WINDOWS\System32\3EC958
    C:\WINDOWS\System32\lmdsrngk.exe
    C:\WINDOWS\System32\swinnmdt.exe
    C:\WINDOWS\System32\dwdsrngt.exe
    C:\Program Files\AdwareRemover2007


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

Step 6
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Step 7
Please post the following in your next reply
  • rapport.txt
  • OTMoveIt Log
  • New DSS Log
  • ComboFix Log
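
A small triage script, added here as an example that is not from the thread, from HijackThis or from the helper: it applies the kind of checks the HJT review above relies on (orphaned O23 services, ActiveX downloads from bare IP addresses, O24 Active Desktop components, O15 Trusted Zone additions) to a handful of lines copied from the log, and derives the sc.exe service key names that Step 4 needs. The heuristics are this example's own, not HijackThis's.

```python
"""HJT O-section triage, an added example that is not code from the thread,
from HijackThis or from the helper. The sample lines are copied from the log
posted above; the heuristics and the sc.exe key-name rule are this example's own."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# O23 - Service: <display name> (<key name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<key>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# O16 - DPF: {CLSID} [(description)] - <url>
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# O24 - Desktop Component N: <name> - <url>   (Active Desktop items)
O24_RE = re.compile(r"^O24 - Desktop Component \d+: .+? - (?P<url>\S+)$")
# O15 - Trusted Zone: <host pattern>
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")

# Constructed sample: lines taken from the HijackThis log in the thread above.
SAMPLE_LOG = [
    r"O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe",
    r"O15 - Trusted Zone: *.greg-search.com",
    r"O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab",
    r"O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)",
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe",
    r"O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm",
]


def _host_is_ip(url):
    """True when the URL host is a bare IP address rather than a DNS name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def _orphaned_service(match, line):
    """A service with no publisher whose binary is gone is a leftover to remove."""
    return match["owner"] == "Unknown owner" and line.endswith("(file missing)")


def triage(lines):
    """Return (line, reason) pairs for the entries a responder reviews first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O23_RE.match(line):
            if _orphaned_service(m, line):
                findings.append((line, f"orphaned service '{m['key']}' (no owner, binary missing)"))
        elif (m := O16_RE.match(line)) and _host_is_ip(m["url"]):
            findings.append((line, "ActiveX control downloaded from a bare IP address"))
        elif m := O24_RE.match(line):
            scheme = urlparse(m["url"]).scheme
            findings.append((line, f"Active Desktop component loads {scheme}: content (hijacked wallpaper)"))
        elif m := O15_RE.match(line):
            findings.append((line, f"Trusted Zone entry relaxes IE security for {m['host']}"))
    return findings


def sc_commands(lines):
    """Batch lines to stop and delete each orphaned service. sc.exe addresses a
    service by the key name in parentheses in the O23 line, not by its display name."""
    cmds = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m and _orphaned_service(m, line):
            cmds.append(f'sc stop "{m["key"]}"')
            cmds.append(f'sc delete "{m["key"]}"')
    return cmds


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print("\n".join(sc_commands(SAMPLE_LOG)))
```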




#6 jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • Gender:Male
  • Location:Virginia Beach

Posted 02 November 2007 - 05:01 PM

Glad to see ya back, thought you went MIA on me LOL. Here are the logs from the requested actions. I noticed that a couple of the O24 entries are still there in the HJT portion, which looks like why the desktop is still messed up. I'll run HJT again and select them both for removal.

SmitFraudFix v2.242


Scan done at 4:43:55.60, Fri 11/02/2007
Run from C:\Documents and Settings\ISAACSIONA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{F452160D-0E8B-4123-B482-209C1438CFE4}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

OTMoveIt


File/Folder C:\WINDOWS\svcproc.exe not found.
File/Folder C:\Program Files\AVSystemCare not found.
File/Folder C:\PROGRA~1\MYWEBS~1 not found.
File/Folder C:\Program Files\Seekmo not found.
File/Folder C:\Program Files\ISM not found.
C:\Program Files\ISM2 moved successfully.
C:\WINDOWS\xlavba6.exe moved successfully.
C:\WINDOWS\System32\wsnpoem moved successfully.
C:\WINDOWS\oeimara.exe moved successfully.
C:\WINDOWS\plite731_uninstaller_.bat moved successfully.
C:\WINDOWS\plite731.exe moved successfully.
C:\WINDOWS\System32\oTt06e moved successfully.
C:\WINDOWS\frexup3.exe moved successfully.
C:\WINDOWS\klonos.exe moved successfully.
C:\WINDOWS\drkara.exe moved successfully.
C:\WINDOWS\xlavra3.exe moved successfully.
C:\Program Files\oymmzgbd moved successfully.
File/Folder C:\WINDOWS\kwv2.dat not found.
C:\WINDOWS\System32\msmapibx32.exe moved successfully.
File/Folder C:\Documents and Settings\ISAACSIONA\Application Data\FunWebProducts not found.
C:\Documents and Settings\All Users\Application Data\SeekmoSA moved successfully.
File/Folder C:\WINDOWS\System32\f3PSSavr.scr not found.
C:\WINDOWS\System32\3EC958 moved successfully.
C:\WINDOWS\System32\lmdsrngk.exe moved successfully.
C:\WINDOWS\System32\swinnmdt.exe moved successfully.
C:\WINDOWS\System32\dwdsrngt.exe moved successfully.
C:\Program Files\AdwareRemover2007 moved successfully.

Created on 11/02/2007 15:26:31

Deckard's System Scanner v20071014.68

Run by ISAACSIONA on 2007-11-02 15:54:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ISAACSIONA.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:20 PM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\ISAACSIONA\Desktop\dss.exe
C:\DOCUME~1\ISAACS~1\Desktop\HIJACK~1\ISAACS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINDOWS\System32\trust.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://domai.com/pics/big/natassja-010b.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7510 bytes

-- Files created between 2007-10-02 and 2007-11-02 -----------------------------

2007-11-02 06:06:18 381012 --a------ C:\Program Files\Uninstall Fun Web Products.dll <Not Verified; MyWebSearch.com; My Web Search Bar for Internet Explorer, FireFox, Netscape, email clients, and messenger clients>
2007-10-29 18:34:27 2164 --a------ C:\WINDOWS\System32\tmp.reg
2007-10-29 14:20:29 0 d-------- C:\WINDOWS\ERUNT
2007-10-25 19:01:56 384 --ah----- C:\aaw7boot.cmd
2007-10-25 17:50:09 0 d-------- C:\Ad-Aware 2007
2007-10-25 17:49:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 15:14:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 15:13:40 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-25 15:08:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-10-25 15:06:57 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-25 15:06:57 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-25 15:06:57 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-25 15:06:57 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-10-25 15:06:57 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-25 15:06:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-10-25 15:06:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-10-24 13:24:11 0 d-------- C:\Program Files\My Sam's Club Digital Photo Center
2007-10-22 08:51:01 17408 --a------ C:\psapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-19 19:23:14 0 d-------- C:\My Sam's Club Digital Photo Center
2007-10-19 18:18:17 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\YourPrivacyGuard
2007-10-19 17:49:37 0 d-------- C:\Program Files\Common Files\YourPrivacyGuard
2007-10-19 08:56:15 99032 --a------ C:\WINDOWS\System32\trust.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-06 20:40:04 0 d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-10-03 14:26:28 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Move Networks


-- Find3M Report ---------------------------------------------------------------

2007-11-02 15:44:28 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-29 18:45:42 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\U3
2007-10-29 14:39:51 0 d-a------ C:\Program Files\Common Files
2007-10-25 19:02:33 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\alta
2007-09-26 15:47:37 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Yahoo!
2007-09-25 19:46:17 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\AVG7
2007-09-19 12:11:41 0 d-------- C:\Program Files\Yahoo!
2007-09-18 20:49:05 0 d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Mozilla
2007-09-18 20:46:08 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-18 20:45:57 0 d-------- C:\Program Files\Common Files\Real
2007-09-18 20:45:14 0 d-------- C:\Program Files\Google
2007-09-18 20:44:49 3424 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4837DA-938C-4864-3BDA-A47284DFCC71}]
10/19/2007 08:56 AM 99032 --a------ C:\WINDOWS\System32\trust.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [09/04/2002 10:28 AM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [05/15/2003 02:22 PM]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [02/08/2003 05:42 PM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [02/10/2005 09:32 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [10/18/2007 06:49 PM]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [08/24/2007 04:00 PM]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [04/03/2002 12:01 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/13/2003 10:48 AM]
"WD Button Manager"="WDBtnMgr.exe" [03/20/2006 04:09 PM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [12/25/2007 06:30 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/18/2007 08:44 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [04/27/2007 04:17 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 04:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\System32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ISAACSIONA^Start Menu^Programs^Startup^Download Plus.lnk]
path=C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\Download Plus.lnk
backup=C:\WINDOWS\pss\Download Plus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNUBHO]
C:\WINDOWS\AHNUBHO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccwxsvrcma]
C:\WINDOWS\System32\emkbrwq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
C:\PROGRA~1\CLOCKS~1\Sync.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentService]
C:\WINDOWS\System32\winservn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iotn]
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jopa]
C:\WINDOWS\System32\sysstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MD IE Plugin]
C:\Program Files\MD\md

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
C:\Program Files\MemoryMeter\MemoryMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
C:\Program Files\nCase\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMGT]
C:\WINDOWS\MSMGT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitUpdate]
C:\Program Files\Orbit\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitView]
C:\Program Files\Orbit\view.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
C:\Program Files\SafeSurfing\SSUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyBlast]
C:\Program Files\SpyBlast\SpyBlast.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQConfigChecker]
C:\Program Files\Sqwire\cc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQUpdatesChecker]
C:\Program Files\Sqwire\uc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
C:\WINDOWS\System32\stcloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\isaacsiona\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uninstal]
regsvr32 /u /s image.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\PROGRA~1\WEATHE~1\Weather.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webassist]
C:\WINDOWS\webassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\PROGRA~1\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCast]
D:\SETUP.EXE -leng

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStart001.EXE]
C:\WINDOWS\System\WinStart001.EXE -b




-- End of Deckard's System Scanner: finished at 2007-11-02 15:55:44 ------------

ComboFix 07-11-01.1** - ISAACSIONA 2007-11-02 15:29:04.1 - NTFSx86


Running from: C:\Documents and Settings\ISAACSIONA\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\nknyvmpq.dll
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\ISAACSIONA\Application Data\install_en[1].exe
C:\Documents and Settings\ISAACSIONA\ResErrors.log
C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\.lnk
C:\Documents and Settings\LocalService\Application Data\Hotbar
C:\Temp\fCOe
C:\WINDOWS\system32\drivers\fmtr.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 15:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 06:06 381,012 --a------ C:\Program Files\Uninstall Fun Web Products.dll
2007-10-29 18:37 <DIR> d-------- C:\Deckard
2007-10-29 18:34 2,164 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-29 14:20 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-25 19:01 384 --ah----- C:\aaw7boot.cmd
2007-10-25 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 15:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 15:13 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-25 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-25 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-25 14:56 19,755,376 --a------ C:\aaw2007.exe
2007-10-24 13:24 <DIR> d-------- C:\Program Files\My Sam's Club Digital Photo Center
2007-10-22 08:51 17,408 --a------ C:\psapi.dll
2007-10-19 19:23 <DIR> d-------- C:\My Sam's Club Digital Photo Center
2007-10-19 18:18 <DIR> d-------- C:\Documents and Settings\ISAACSIONA\Application Data\YourPrivacyGuard
2007-10-19 17:49 <DIR> d-------- C:\Program Files\Common Files\YourPrivacyGuard
2007-10-19 08:56 99,032 --a------ C:\WINDOWS\SYSTEM32\trust.dll
2007-10-18 17:22 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-10-06 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-10-03 14:26 <DIR> d-------- C:\Documents and Settings\ISAACSIONA\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 20:27 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-02 05:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-29 23:45 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\U3
2007-10-26 00:02 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\alta
2007-09-26 20:47 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\Yahoo!
2007-09-26 00:46 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\AVG7
2007-09-19 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-19 17:11 --------- d-----w C:\Program Files\Yahoo!
2007-09-19 01:46 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-19 01:45 --------- d-----w C:\Program Files\Google
2007-09-19 01:45 --------- d-----w C:\Program Files\Common Files\Real
2007-09-17 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-03-14 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-06-11 18:38 0 --sh--r C:\Program Files\q330994.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\dl.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\dlm.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\msstasks.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\mssys.com
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\nem216.dll
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\ntldr.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\reg33.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\rocky.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-06-11 18:38:16 0 --sh--r C:\WINDOWS\SYSTEM\wmscrop.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4837DA-938C-4864-3BDA-A47284DFCC71}]
2007-10-19 08:56 99032 --a------ C:\WINDOWS\System32\trust.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2002-09-04 10:28]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-05-15 14:22]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 17:42]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 21:32]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-18 18:49]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-08-24 16:00]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 00:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-09-13 10:48]
"WD Button Manager"="WDBtnMgr.exe" [2006-03-20 16:09 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-25 06:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-18 20:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\System32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=C:\WINDOWS\pss\winlogin.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ISAACSIONA^Start Menu^Programs^Startup^Download Plus.lnk]
path=C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\Download Plus.lnk
backup=C:\WINDOWS\pss\Download Plus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNUBHO]
C:\WINDOWS\AHNUBHO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccwxsvrcma]
C:\WINDOWS\System32\emkbrwq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
C:\PROGRA~1\CLOCKS~1\Sync.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
"C:\Program Files\Common Files\CMEII\CMESys.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentService]
C:\WINDOWS\System32\winservn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iotn]
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
C:\Program Files\ISTsvc\istsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jopa]
C:\WINDOWS\System32\sysstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MD IE Plugin]
C:\Program Files\MD\md

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
C:\Program Files\MemoryMeter\MemoryMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
C:\Program Files\nCase\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMGT]
C:\WINDOWS\MSMGT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitUpdate]
C:\Program Files\Orbit\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitView]
C:\Program Files\Orbit\view.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
C:\Program Files\SafeSurfing\SSUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyBlast]
C:\Program Files\SpyBlast\SpyBlast.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQConfigChecker]
C:\Program Files\Sqwire\cc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQUpdatesChecker]
C:\Program Files\Sqwire\uc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
C:\WINDOWS\System32\stcloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\isaacsiona\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uninstal]
regsvr32 /u /s image.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
C:\Program Files\Common files\updater\wupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
C:\PROGRA~1\WEATHE~1\Weather.exe /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webassist]
C:\WINDOWS\webassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\PROGRA~1\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCast]
D:\SETUP.EXE -leng

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStart001.EXE]
C:\WINDOWS\System\WinStart001.EXE -b

R1 crlscsi;crlscsi;C:\WINDOWS\System32\drivers\crlscsi.sys
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys
S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe
S2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohbusb.sys
S2 SvcProc;System Startup Service ;C:\WINDOWS\svcproc.exe
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 20:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-ISAACSIONA).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-11-02 20:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-11-02 20:44:07 C:\WINDOWS\Tasks\McAfee.com Update Check (DOUBLEDOG-ISAACSIONA).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 15:43:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-02 15:46:55 - machine was rebooted
.
--- E O F ---

#7 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male

Posted 05 November 2007 - 01:10 AM

Hey jjdefan,

Very sorry about the delay, just have been really busy.

Step 1
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINDOWS\System32\trust.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://domai.com/pics/big/natassja-010b.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Step 3
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\nem216.dll
C:\WINDOWS\ntldr.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\SYSTEM\wmscrop.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\Download Plus.lnk
C:\WINDOWS\AHNUBHO.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\emkbrwq.exe
C:\WINDOWS\System32\winservn.exe
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe
C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\MSMGT.exe
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\webassist.exe
C:\WINDOWS\System\WinStart001.EXE
C:\WINDOWS\pss\winlogin.exe
C:\WINDOWS\pss\Download Plus.lnk

Folder::
C:\Program Files\Common Files\YourPrivacyGuard
C:\PROGRA~1\CLOCKS~1
C:\Program Files\ClearSearch
C:\Program Files\Common Files\CMEII
C:\Program Files\ISTsvc
C:\Program Files\MD
C:\Program Files\MemoryMeter
C:\Program Files\nCase
C:\Program Files\SafeSurfing
C:\Program Files\SpyBlast
C:\Program Files\Sqwire
C:\Program Files\Common files\updater
C:\Program Files\WebSavingsfromEbates
C:\PROGRA~1\WEATHE~1
C:\WINDOWS\privacy_danger
C:\PROGRA~1\Save

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^ISAACSIONA^Start Menu^Programs^Startup^Download Plus.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNUBHO]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccwxsvrcma]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ContentService]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iotn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jopa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MD IE Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMGT]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyBlast]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQConfigChecker]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQUpdatesChecker]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uninstal]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webassist]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCast]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinStart001.EXE]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step 4
Open notepad and copy and paste the following code box in it starting with @echo off

@ECHO OFF
REM /a with no attribute list includes hidden and system files in the search
REM stderr is redirected into the log as well, so a "File Not Found" message is recorded instead of an empty file
dir \image.dll /a /s > File.txt 2>&1

Save this as find.bat, choose to save as *all files, and place it on your desktop.
It should look like this: [screenshot]
Double-click the find.bat you created previously.
Now post the log that it produces for you. It will be called File.txt and will be located wherever you saved the batch file.

Step 5
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.

Step 6
Please post the following in your next reply
  • ComboFix Log
  • Batch File Results
  • Fresh HJT Log
  • Dr.Web log


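The helper's CFScript in Step 3 is built by hand from the "Reg Loading Points" and service lines in the ComboFix/DSS output above. The script below, an added example that is not part of this thread, ComboFix or DSS, does that triage mechanically: it parses those two line formats, flags entries by where the image lives, and renders the flagged ones in the same File::/Registry:: layout. The sample lines are copied from the log above; the heuristics (user-profile or Temp paths, a system-binary name outside System32, an unknown executable in the Windows root) are my assumptions about what merits review, not the helper's criteria.

```python
"""Triage autostart entries from a ComboFix / DSS "Reg Loading Points" dump.

Added example; not part of the thread, ComboFix or DSS. The heuristics below are
assumptions about what a reviewer would want flagged, not the helper's criteria.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: entries copied from the ComboFix output in the thread, in the
# formats that tool emits (a [HKEY...] header followed by its values; R/S service lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-18 18:49]
"WD Button Manager"="WDBtnMgr.exe" [2006-03-20 16:09 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iotn]
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
"c:\documents and settings\isaacsiona\local settings\temp\fsg_tmp\ginst_001_1234_4201.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe
S2 SvcProc;System Startup Service ;C:\WINDOWS\svcproc.exe
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+)$")
# First absolute Windows path on the line that ends in an executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\],]*?\.(?:exe|dll|sys|com|lnk)\b', re.IGNORECASE)

# Names that legitimately live only in System32; the same name elsewhere is a classic
# masquerade (the thread's C:\WINDOWS\svchost.exe service is one).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}
# Path fragments any user (and any malware running as that user) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")
# Components that do live directly in the Windows directory on XP (assumed short list).
WINDOWS_ROOT_KNOWN = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
MSCONFIG_PREFIX = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\"


@dataclass
class Finding:
    source: str      # registry key, or "service <name>", the entry came from
    command: str     # the command line exactly as logged
    path: str        # resolved image path, or "" if none was logged
    reasons: List[str] = field(default_factory=list)  # empty means nothing stood out


def assess(path: str) -> List[str]:
    """Return the reasons an image path deserves a closer look (empty if none)."""
    if not path:
        return ["no absolute path logged; image is resolved through the search path"]
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if name in SYSTEM_BINARIES and not parent.endswith("\\system32"):
        reasons.append("system binary name outside System32")
    if parent in ("c:\\windows", "c:\\windows\\system") and name not in WINDOWS_ROOT_KNOWN:
        reasons.append("executable in the Windows root that is not a known component")
    return reasons


def parse(log: str) -> List[Finding]:
    """A [HKEY...] header opens a key and the lines after it are its values; R/S lines
    are services. Every value or service becomes one Finding."""
    findings, key = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            source, command = "service " + m.group("name").strip(), m.group("cmd")
        elif key:
            source, command = key, line
        else:
            continue
        m = PATH_RE.search(command)
        path = m.group(0) if m else ""
        findings.append(Finding(source, command, path, assess(path)))
    return findings


def to_cfscript(findings: List[Finding]) -> str:
    """Render flagged entries in the File::/Registry:: layout used in Step 3: the image
    under File::, and a disabled msconfig startup key removed whole with [-KEY].
    Entries with no logged path are left out and need manual review."""
    files, keys = [], []
    for f in findings:
        if not f.reasons or not f.path:
            continue
        files.append(f.path)
        if f.source.lower().startswith(MSCONFIG_PREFIX):
            keys.append(f"[-{f.source}]")
    lines = ["File::", *dict.fromkeys(files), "", "Registry::", *dict.fromkeys(keys)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = parse(SAMPLE_LOG)
    for f in results:
        if f.reasons:
            print(f"{f.source}\n  {f.command}\n  -> {'; '.join(f.reasons)}")
    print(to_cfscript(results))
```

Entries the heuristics leave unflagged (the AVG and WD Button Manager values, the Hauppauge driver) are still listed by parse() so a reviewer can check them against the vendor paths by eye.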


#8 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • Gender:Male
  • Location:Virginia Beach

Posted 06 November 2007 - 05:46 AM

Computer seems to be a lot better now. Here are the logs. I'm not sure that the find.bat file is working as there is nothing in the log file.

ComboFix 07-11-01.1** - ISAACSIONA 2007-11-05 21:18:15.2 - NTFSx86

Running from: C:\Documents and Settings\ISAACSIONA\Desktop\ComboFix.exe
Command switches used :: G:\Bell\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Documents and Settings\ISAACSIONA\Application Data\urod.exe
C:\Documents and Settings\ISAACSIONA\Start Menu\Programs\Startup\Download Plus.lnk
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\AHNUBHO.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\MSMGT.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\nem216.dll
C:\WINDOWS\ntldr.exe
C:\WINDOWS\pss\Download Plus.lnk
C:\WINDOWS\pss\winlogin.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System\WinStart001.EXE
C:\WINDOWS\SYSTEM\wmscrop.exe
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\emkbrwq.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\sysstartup.exe
C:\WINDOWS\System32\winservn.exe
C:\WINDOWS\webassist.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\YourPrivacyGuard
C:\Program Files\Common Files\YourPrivacyGuard\mc.exe
C:\Program Files\MD
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\nem216.dll
C:\WINDOWS\ntldr.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\SYSTEM\wmscrop.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-02 15:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 18:37 <DIR> d-------- C:\Deckard
2007-10-29 18:34 2,164 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-29 14:20 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-25 19:01 384 --ah----- C:\aaw7boot.cmd
2007-10-25 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 15:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 15:13 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-10-25 15:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-10-25 15:06 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-10-25 14:56 19,755,376 --a------ C:\aaw2007.exe
2007-10-24 13:24 <DIR> d-------- C:\Program Files\My Sam's Club Digital Photo Center
2007-10-22 08:51 17,408 --a------ C:\psapi.dll
2007-10-19 19:23 <DIR> d-------- C:\My Sam's Club Digital Photo Center
2007-10-19 18:18 <DIR> d-------- C:\Documents and Settings\ISAACSIONA\Application Data\YourPrivacyGuard
2007-10-18 17:22 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-10-06 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 02:15 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-03 05:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-29 23:45 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\U3
2007-10-26 00:02 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\alta
2007-10-03 19:32 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\Move Networks
2007-09-26 20:47 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\Yahoo!
2007-09-26 00:46 --------- d-----w C:\Documents and Settings\ISAACSIONA\Application Data\AVG7
2007-09-19 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-09-19 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-19 17:11 --------- d-----w C:\Program Files\Yahoo!
2007-09-19 01:46 --------- d-----w C:\Program Files\Common Files\xing shared
2007-09-19 01:45 --------- d-----w C:\Program Files\Google
2007-09-19 01:45 --------- d-----w C:\Program Files\Common Files\Real
2007-09-17 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-03-14 01:55 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-06-11 18:38 0 --sh--r C:\Program Files\q330994.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_15.45.05.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-02 20:37:38 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2007-11-06 02:05:11 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2007-11-02 20:37:38 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2007-11-06 02:05:11 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2007-11-02 20:37:38 65,536 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2007-11-06 02:05:11 65,536 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2007-11-02 20:28:57 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
+ 2007-11-06 02:17:59 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-05-15 14:22]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 17:42]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 21:32]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-18 18:49]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-08-24 16:00]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 00:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-09-13 10:48]
"WD Button Manager"="WDBtnMgr.exe" [2006-03-20 16:09 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-25 06:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-18 20:44]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\WINDOWS\System32\mstask.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitUpdate]
C:\Program Files\Orbit\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrbitView]
C:\Program Files\Orbit\view.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

R1 crlscsi;crlscsi;C:\WINDOWS\System32\drivers\crlscsi.sys
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys
S2 .NET Connection Service;.NET Framework Service;C:\WINDOWS\svchost.exe
S2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohbusb.sys
S2 SvcProc;System Startup Service ;C:\WINDOWS\svcproc.exe
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 02:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-ISAACSIONA).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-11-06 02:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DHJ86V21-Owner).job"
- C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
"2007-11-06 02:26:01 C:\WINDOWS\Tasks\McAfee.com Update Check (DOUBLEDOG-ISAACSIONA).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 21:30:17
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-05 21:32:42 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 15:46
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:35:07 AM, on 11/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\ISAACSIONA\Desktop\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7031 bytes

File.txt

Volume in drive C has no label.
Volume Serial Number is 046D-C388

DrWeb.csv

00055687.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
00059359.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
00063406.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
00084515.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
00092593.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
00499562.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
00502937.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
00636859.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
00640281.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
00662875.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
00982406.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
01073421.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet.80;Deleted.;
01110781.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet.80;Deleted.;
01161343.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
01499234.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.origin;Incurable.Moved.;
01727078.FIL;C:\$VAULT$.AVG;Trojan.Click.4668;Deleted.;
01739500.FIL;C:\$VAULT$.AVG;Trojan.Defer;Deleted.;
01748187.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
01974343.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.3451;Deleted.;
03005562.FIL;C:\$VAULT$.AVG;Trojan.Winshow;Deleted.;
03006562.FIL;C:\$VAULT$.AVG;Trojan.Briss;Deleted.;
03006828.FIL;C:\$VAULT$.AVG;Dialer.Xlite;Deleted.;
03006890.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.3072;Deleted.;
03007015.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.162;Deleted.;
03007093.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.161;Deleted.;
03007265.FIL;C:\$VAULT$.AVG;Trojan.KeenValAd;Deleted.;
03007296.FIL;C:\$VAULT$.AVG;Adware.IncrediFind;;
03007453.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.162;Deleted.;
03007578.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.161;Deleted.;
03007687.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.8223;Deleted.;
03007953.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.331;Deleted.;
03008125.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.1518;Deleted.;
03008171.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.1515;Deleted.;
03008296.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2369;Deleted.;
03008375.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2369;Deleted.;
03008515.FIL;C:\$VAULT$.AVG;Trojan.Stubby.113;Deleted.;
03008578.FIL;C:\$VAULT$.AVG;Trojan.Sinit;Deleted.;
03008656.FIL;C:\$VAULT$.AVG;Dialer.Bias;Deleted.;
03008671.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.372;Deleted.;
03008859.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.682;Deleted.;
03008906.FIL;C:\$VAULT$.AVG;Dialer.Xlite;Deleted.;
03009109.FIL;C:\$VAULT$.AVG;Trojan.Briss;Deleted.;
03009281.FIL;C:\$VAULT$.AVG;Trojan.Spybi;Deleted.;
03009375.FIL;C:\$VAULT$.AVG;Trojan.Chuma;Deleted.;
03009484.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2724;Deleted.;
03009609.FIL;C:\$VAULT$.AVG;Modification of BackDoor.Generic.942;Moved.;
03009687.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.331;Deleted.;
03009875.FIL;C:\$VAULT$.AVG;BackDoor.Ruller;Incurable.Moved.;
03009921.FIL;C:\$VAULT$.AVG;BackDoor.Ruller;Incurable.Moved.;
03010093.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
03010203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03011093.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03011750.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03013187.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03013281.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03013859.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
03014750.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.280;Deleted.;
03015328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.483;Deleted.;
03015515.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
03016468.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
03017093.FIL;C:\$VAULT$.AVG;Dialer.Tibs;Deleted.;
03017234.FIL;C:\$VAULT$.AVG;Trojan.Bispy;Deleted.;
03017531.FIL;C:\$VAULT$.AVG;Trojan.PWS.Krepper;Deleted.;
03018109.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
03018406.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03019062.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03019406.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03019718.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03020562.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03021031.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
03021671.FIL;C:\$VAULT$.AVG;Trojan.Lalus;Deleted.;
03202031.FIL;C:\$VAULT$.AVG;BackDoor.IRC.Rizalof;Deleted.;
03202140.FIL;C:\$VAULT$.AVG;BackDoor.IRC.Rizalof;Deleted.;
03202234.FIL;C:\$VAULT$.AVG;BackDoor.Xbot;Deleted.;
03931704.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.origin;Incurable.Moved.;
03932297.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.357;Deleted.;
03932391.FIL;C:\$VAULT$.AVG;Adware.MyWay;;
03932751.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
03932813.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
04977454.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
04983391.FIL;C:\$VAULT$.AVG;Trojan.Virtumod;Deleted.;
11067767.FIL;C:\$VAULT$.AVG;Trojan.Sectho;Deleted.;
17335156.FIL;C:\$VAULT$.AVG;Adware.Cinmus;;
17336500.FIL;C:\$VAULT$.AVG;Adware.BargainBuddy;;
17337171.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.origin;Incurable.Moved.;
17339203.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.origin;Incurable.Moved.;
17341484.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.357;Deleted.;
17342015.FIL;C:\$VAULT$.AVG;Adware.MyWay;;
17343265.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
17343890.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
17343968.FIL;C:\$VAULT$.AVG;BackDoor.Bulknet;Deleted.;
19570156.FIL;C:\$VAULT$.AVG;DDoS.Rincux;Deleted.;
20968549.FIL;C:\$VAULT$.AVG;BackDoor.IRC.Rizalof;Deleted.;
25115359.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2369;Incurable.Moved.;
29913562.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24714;Incurable.Moved.;
30382078.FIL;C:\$VAULT$.AVG;Trojan.KeenValAd;Incurable.Moved.;
30382140.FIL;C:\$VAULT$.AVG;Trojan.Winshow;Deleted.;
30382187.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30382250.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30382453.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30382656.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30382734.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30383046.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.875;Deleted.;
30383328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.280;Deleted.;
30383406.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.483;Deleted.;
30383484.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
30383609.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
30383781.FIL;C:\$VAULT$.AVG;Trojan.Bispy;Deleted.;
30383953.FIL;C:\$VAULT$.AVG;Trojan.PWS.Krepper;Deleted.;
30384156.FIL;C:\$VAULT$.AVG;Trojan.Dyfuca;Deleted.;
30384328.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384437.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384515.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384656.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384718.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384812.FIL;C:\$VAULT$.AVG;Trojan.Backreg;Deleted.;
30384906.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2369;Deleted.;
30440687.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.2369;Deleted.;
44052844.FIL;C:\$VAULT$.AVG;Trojan.Dissec;Deleted.;
53414468.FIL;C:\$VAULT$.AVG;BackDoor.IRC.Rizalof;Deleted.;
53414531.FIL;C:\$VAULT$.AVG;BackDoor.Xbot;Deleted.;
57556640.FIL;C:\$VAULT$.AVG;Trojan.Dissec;Deleted.;
57806000.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
57806078.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
57806140.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
57806187.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
69063125.FIL;C:\$VAULT$.AVG;Trojan.Briss;Deleted.;
84719875.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84719937.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
84719953.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84720078.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84720703.FIL;C:\$VAULT$.AVG;Adware.CallingHome;;
84720937.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
84721000.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84721218.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84721296.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84721484.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84721640.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84721687.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84721734.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84721765.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
84721796.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
84721890.FIL;C:\$VAULT$.AVG;Trojan.Drpmon;Deleted.;
84721968.FIL;C:\$VAULT$.AVG;Trojan.Stervis;Deleted.;
84722000.FIL;C:\$VAULT$.AVG;Trojan.Nail;Deleted.;
87842734.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24714;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;;
Install1216.exe;C:\Documents and Settings\All Users\Documents;Trojan.Fakealert;Deleted.;
!update.0000;C:\Documents and Settings\ISAACSIONA\Application Data\alta;Probably DLOADER.Trojan;;
backup-20071105-210953-303.dll;C:\Documents and Settings\ISAACSIONA\Desktop\HijackThis\backups;Trojan.Fakealert.357 - read error;Deleted.;
gkqwehhr.exe;C:\Program Files\Internet Explorer;Trojan.Winshow;Deleted.;
lplsxrbw.exe;C:\Program Files\Internet Explorer;Trojan.Winshow;Deleted.;
nyfilyrr.exe;C:\Program Files\Internet Explorer;Trojan.Winshow;Deleted.;
ra.exe;C:\Program Files\Internet Explorer;Trojan.Winshow;Deleted.;
xeqdpetv.exe;C:\Program Files\Internet Explorer;Trojan.Winshow;Deleted.;
C24388E8-388E-4175-BBC5-33D589;C:\Program Files\Microsoft AntiSpyware\Quarantine\1C694270-3F29-46F4-934A-7E3AF8;Adware.AdDestroyer;;
install_en[1].exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\ISAACSIONA\Application Data;Adware.Winfixer;;
Uninstall Fun Web Products.dll.vir;C:\qoobox\Quarantine\C\Program Files;Adware.Websearch;;
mc.exe.vir\data002;C:\qoobox\Quarantine\C\Program Files\Common Files\YourPrivacyGuard\mc.exe.vir;Trojan.DownLoader.origin;;
mc.exe.vir;C:\qoobox\Quarantine\C\Program Files\Common Files\YourPrivacyGuard;Archive contains infected objects;Moved.;
Process.exe;C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc3;Tool.Prockill;;
restart.exe;C:\RECYCLER\S-1-5-21-760678647-755052908-1442502538-1006\Dc3;Tool.ShutDown.11;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A1716760.scr;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716764.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716766.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Trojan.Isbar.438;Deleted.;
A1716768.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Funweb;;
A1716769.SCR;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716771.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716772.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716773.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Trojan.DownLoader.7028;Deleted.;
A1716775.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716778.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.MWS;;
A1716780.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716781.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716785.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.MWS.origin;;
A1716786.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Websearch;;
A1716787.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Websearch;;
A1716788.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.MWS;;
A1716789.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.Msearch;;
A1716790.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1285;Adware.MWS;;
A1762905.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318;Trojan.Fakealert.357 - read error;Deleted.;
A1829940.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318;Trojan.Fakealert;Deleted.;
A1846385.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Win32.HLLW.Medbod;Deleted.;
A1846388.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Adware.Srng;;
A1846394.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Adware.SearchAid.38;;
A1846449.exe\data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846449.exe;Trojan.DownLoader.origin;;
A1846449.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Archive contains infected objects;Moved.;
A1846464.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Adware.Zango;;
A1846545.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319;Adware.Hotbot.origin;;
A1847529.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Popuper.5010;Deleted.;
A1847531.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Click.4697;Deleted.;
A1847535.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847536.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847538.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847540.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Dialer.Maxd;Deleted.;
A1847557.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847558.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847564.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1847566.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Dialer.Maxd;Deleted.;
A1847568.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Popuper.5010;Deleted.;
A1847570.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Click.4697;Deleted.;
A1847573.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322;Trojan.Packed.193;Deleted.;
A1849560.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849562.scr;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849573.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849574.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849575.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Trojan.Isbar.438;Deleted.;
A1849577.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Funweb;;
A1849578.SCR;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849580.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849581.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849582.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Trojan.DownLoader.7028;Deleted.;
A1849584.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849587.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.MWS;;
A1849591.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch;;
A1849592.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Msearch.origin;;
A1849596.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849597.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849598.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849600.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Trojan.MulDrop.4313;Deleted.;
A1849602.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849603.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.Websearch;;
A1849604.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1323;Adware.MWS;;
A1849619.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324;Adware.Winfixer;;
A1850171.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324;Trojan.Fakealert.357 - read error;Deleted.;
A1850185.exe\data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850185.exe;Trojan.DownLoader.origin;;
A1850185.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Archive contains infected objects;Moved.;
A1850186.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Adware.Websearch;;
A1850237.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Fakealert.357 - read error;Deleted.;
A1850238.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Winshow;Deleted.;
A1850239.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Winshow;Deleted.;
A1850240.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Winshow;Deleted.;
A1850241.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Winshow;Deleted.;
A1850242.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325;Trojan.Winshow;Deleted.;
Explor.exe;C:\WINDOWS;Dialer.Invis;Deleted.;
nnbbhv.exe;C:\WINDOWS;Trojan.Spybi;Deleted.;
smfin32.exe;C:\WINDOWS;Probably DLOADER.Trojan;;
vouhbqxbj.exe;C:\WINDOWS;Adware.BetterInternet;;
flash.inf;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.3634;Deleted.;
turbo.inf;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.3634;Deleted.;
flash.inf;C:\WINDOWS\LastGood\Downloaded Program Files;Trojan.DownLoader.3634;Deleted.;
turbo.inf;C:\WINDOWS\LastGood\Downloaded Program Files;Trojan.DownLoader.3634;Deleted.;
btiein.dll;C:\WINDOWS\LastGood\System32;Adware.Websearch;;
ezStub3.exe;C:\WINDOWS\SYSTEM32;Adware.Ezula;;
ISMPack6.exe;C:\_OTMoveIt\MovedFiles\Program Files\ISM2;Adware.SearchAid.38;;
ISMPack7.exe;C:\_OTMoveIt\MovedFiles\Program Files\ISM2;Adware.SearchAid.origin;;
drkara.exe;C:\_OTMoveIt\MovedFiles\WINDOWS;Trojan.Fakealert.357;Deleted.;
klonos.exe;C:\_OTMoveIt\MovedFiles\WINDOWS;Trojan.PWS.Gamania.origin;Incurable.Moved.;
oeimara.exe;C:\_OTMoveIt\MovedFiles\WINDOWS;BackDoor.Bulknet.87;Deleted.;
dwdsrngt.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\System32;Adware.ZenoSearch;;
lmdsrngk.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\System32;Adware.ZenoSearch;;
swinnmdt.exe;C:\_OTMoveIt\MovedFiles\WINDOWS\System32;Adware.Hotbot;;

#9 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male
  • Local time:05:52 AM

Posted 06 November 2007 - 09:31 PM

Hello,

Step 1
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2
Let's run an F-Secure online scan for viruses, spyware and rootkits:
  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient




#10 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • Gender:Male
  • Location:Virginia Beach
  • Local time:09:52 AM

Posted 08 November 2007 - 05:46 PM

F-Secure scan complete. Below is the log and another HJT. I notice that the one entry continues to reappear.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:42:16 PM, on 11/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\ISAACSIONA\Desktop\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7222 bytes


F-Secure Online Scanner 3.1.5 - Scanning Report - Wednesday, November 07, 2007 18:26:19

Scanning Report
Wednesday, November 07, 2007 16:14:55 - 18:26:18
Computer name: DOUBLEDOG
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



Result: 42 malware found
Backdoor.Win32.Sheldor.c (virus)
C:\WINDOWS\SYSTEM32\SHELLEXPI.EXE (Renamed & Submitted)
Keenval.F.dropper (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846453.EXE
(Submitted)
Malware.BBNV (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847571.EXE
(Submitted)
Trojan-Downloader.Win32.QDown.ad (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850258.DLL
(Renamed & Submitted)
Trojan-Downloader.Win32.Wixud.c (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\XLAVRA3.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Wixud.g (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\XLAVBA6.EXE (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.chq (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850248.EXE
(Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ISAACSIONA\DOCTORWEB\QUARANTINE\KLONOS.EXE (Renamed
& Submitted)
Trojan.Win32.Agent.bxc (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1306\A1743905.EXE
(Renamed & Submitted)
Trojan.Win32.Agent.cgk (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846456.OCX
(Renamed & Submitted)
Trojan.Win32.Inject.iq (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850249.EXE
(Renamed & Submitted)
W32/Agent.CVJU.dropper (virus)
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\ISM2\CRINGUPD.EXE (Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1822942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1823945.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1824945.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1826941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1829941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1830941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1831941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1834943.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1835942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1837940.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1838942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1839943.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1840942.EXE
(Submitted)
W32/Buddy.F (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850244.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850257.EXE
(Submitted)
W32/DLoader.BCTO (virus)
C:\WINDOWS\SYSTEM32\SURFSCAN.EXE (Submitted)
W32/Dialer (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850243.EXE
(Submitted)
W32/Malware (virus)
C:\PROGRAM FILES\DANTZ\RETROSPECT\WESTERN DIGITAL\BUTTONMANAGER\WDBMINST.EXE
(Submitted)
W32/Malware.BCLK (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\MSMAPIBX32.EXE (Submitted)
W32/Tibs.AYIW (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847533.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847555.EXE
(Submitted)
W32/Zlob.ARDM (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846455.EXE
(Submitted)
Zango (spyware)
System (Disinfected)
Zlob.gen94 (virus)
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\OYMMZGBD\XGODBMZM.DLL (Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324\A1849621.DLL
(Submitted)
not-virus:Hoax.Win32.Renos.mz (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847534.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847543.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847556.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847578.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1834941.EXE
(Submitted)



Statistics
Scanned:
Files: 43738
System: 5054
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 9
Deleted: 0
None: 32
Submitted: 41
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT



Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-06
F-Secure AVP: 7.0.171, 2007-11-07
F-Secure Orion: 1.2.37, 2007-11-07
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Pegasus: 1.19.0, 2007-10-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics



Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third
parties that F-Secure World Wide Web pages have a link to. Unless you have
clearly stated otherwise, by submitting material to any of our servers, for
example by E-mail or via our F-Secure's CGI E-mail, you agree that the
material you make available may be published in the F-Secure World Wide Pages
or hard-copy publications. You will reach F-Secure public web site by clicking
on underlined links. While doing this, your access will be logged to our
private access statistics with your domain name.This information will not be
given to any third party. You agree not to take action against us in relation
to material that you submit. Unless you have clearly stated otherwise, by
submitting material you warrant that F-Secure may incorporate any concepts
described in it in the F-Secure products/publications without liability.

#11 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male
  • Local time:05:52 AM

Posted 09 November 2007 - 12:57 AM

Hi,

Make sure you select Automatic cleaning and re run the scan please.




#12 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • Gender:Male
  • Location:Virginia Beach
  • Local time:09:52 AM

Posted 09 November 2007 - 04:11 PM

Here is the new F-Secure log.

F-Secure Online Scanner 3.1.5 - Scanning Report - Friday, November 09, 2007 15:37:44

Scanning Report
Friday, November 09, 2007 06:10:07 - 15:37:44
Computer name: DOUBLEDOG
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\



Result: 30 malware found
Backdoor.Win32.Sheldor.c (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1851237.EXE
(Renamed & Submitted)
Keenval.F.dropper (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846453.EXE
(Submitted)
Malware.BBNV (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1322\A1847571.EXE
(Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
Trojan-Spy.Win32.BZub.bub (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850247.EXE
(Renamed & Submitted)
W32/Agent.CVJU.dropper (virus)
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\ISM2\CRINGUPD.EXE (Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1822942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1823945.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1824945.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1826941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1829941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1830941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1831941.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1834943.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1835942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1837940.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1838942.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1839943.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1318\A1840942.EXE
(Submitted)
W32/Buddy.F (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850244.EXE
(Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850257.EXE
(Submitted)
W32/DLoader.BCTO (virus)
C:\WINDOWS\SYSTEM32\SURFSCAN.EXE (Submitted)
W32/Dialer (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1325\A1850243.EXE
(Submitted)
W32/Malware (virus)
C:\PROGRAM FILES\DANTZ\RETROSPECT\WESTERN DIGITAL\BUTTONMANAGER\WDBMINST.EXE
(Submitted)
W32/Malware.BCLK (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\MSMAPIBX32.EXE (Submitted)
W32/Zlob.ARDM (virus)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1319\A1846455.EXE
(Submitted)
Zlob.gen94 (virus)
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\OYMMZGBD\XGODBMZM.DLL (Submitted)
C:\SYSTEM VOLUME
INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1324\A1849621.DLL
(Submitted)



Statistics
Scanned:
Files: 59644
System: 5154
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 27
Submitted: 27
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{8814784A-554E-4EE0-B7D5-18FF928C5216}.BIN




Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-11-09
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-30
F-Secure Libra: 2.4.2, 2007-11-06
F-Secure Orion: 1.2.37, 2007-11-09
F-Secure Pegasus: 1.19.0, 2007-10-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics




#13 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male
  • Local time:05:52 AM

Posted 12 November 2007 - 04:16 PM

Hello again,

Step 1
Please copy (Ctrl C) and paste (Ctrl V) the following text in the code box to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
REM Remove the two orphaned service registrations flagged in the HijackThis O23 lines
sc delete ".NET Connection Service"
sc delete SvcProc
REM Remove this batch file once it has run
DEL fixservices.bat

Double click fixservices.bat. A window will open and close. This is normal.

Step 2
Firewall
A firewall is definitely a must-have to protect your computer from hackers. You don't have a third-party one installed on your system. Therefore I recommend Comodo, Zone Alarm, or Outpost.
**Tutorial on Firewalls can be found HERE**

Step 3
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a fresh HJT log.


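As an added example (not code from this thread, from HijackThis or from F-Secure), the following Python parses O23 service lines in the format of the log posted above, flags registrations whose binary HijackThis reports as "(file missing)" or whose owner is unknown, and builds the same `sc delete` commands the FixServices.bat step uses. The sample lines are copied from the log above; the function names are my own.

```python
"""Triage HijackThis O23 (service) lines for orphaned service registrations.

Added example, not part of the thread or of HijackThis. A service whose
image path no longer exists is usually a leftover from removed malware (or
an uninstall that failed); the registration itself does nothing until a
file reappears at that path, which is why helpers delete it with `sc`.
"""
import re

# O23 - Service: <display name> [(<service name>)] - <owner> - <path> [(file missing)]
# The bracketed service name is optional in HijackThis output; `sc delete`
# needs that key name, not the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines taken from the HJT log posted earlier in the thread.
SAMPLE_LOG = r"""
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""


def parse_o23(line):
    """Parse one O23 line into a dict, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m["display"],
        "name": m["name"],            # None when HJT printed no key name
        "owner": m["owner"],
        "path": m["path"],
        "file_missing": m["missing"] is not None,
    }


def orphaned_services(log_text):
    """Return O23 entries whose binary is missing or whose owner is unknown.

    Both conditions are reported separately in `reasons` so a reviewer can
    see why an entry was flagged before deciding to remove it.
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = []
        if entry["file_missing"]:
            reasons.append("file missing")
        if entry["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def sc_delete_commands(entries):
    """Build `sc delete` lines for flagged entries that carry a key name.

    Names containing spaces are quoted, as in the FixServices.bat above.
    Entries without a key name are skipped rather than guessed.
    """
    cmds = []
    for e in entries:
        if e["name"] is None:
            continue
        name = f'"{e["name"]}"' if " " in e["name"] else e["name"]
        cmds.append(f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    flagged = orphaned_services(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["display"]} ({e["name"]}): {", ".join(e["reasons"])} -> {e["path"]}')
    print("\n".join(sc_delete_commands(flagged)))
```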


#14 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:02:52 PM

Posted 04 December 2007 - 06:59 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE



