Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smitfraud-c.coreservices And Munga_bunga


  • Please log in to reply
18 replies to this topic

#1 r3dh3adkid

r3dh3adkid

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 03 December 2007 - 02:13 AM

So i scanned with Spybot S&D and i got these two hits, generally when i remove stuff using that program it wont get deleted so i'm following that up. I dont see it listed in the report but can someone glance over it and see if they notice anything else or notice these two problems.


also, whenever i turned my computer on i got an error that read ""Failed to load control 'SocketXCtl' from socketx.ocx. Your version of socketx.ocx may be outdated. Make sure you are using the version of the control that was provided with your application."

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:44 AM, on 12/3/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SpeechExpert - {65A66125-D6FA-414A-83BA-29BD2D35DF83} - C:\PROGRA~1\SPEECH~1\Spiebar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DSS] C:\Windows\svrlintcp.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA1871] command /c del "C:\Windows\uawin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3789] cmd /c del "C:\Windows\uawin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4412] command /c del "C:\Windows\rsczsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9672] cmd /c del "C:\Windows\rsczsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4133] command /c del "C:\Windows\mfnsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8642] cmd /c del "C:\Windows\mfnsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5178] command /c del "C:\Windows\ffnsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC305] cmd /c del "C:\Windows\ffnsys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1172] command /c del "C:\Windows\assys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC782] cmd /c del "C:\Windows\assys.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1361] command /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5885] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9688] command /c del "C:\Windows\System32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7556] cmd /c del "C:\Windows\System32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\RunOnce: [SpybotDeletingB8909] command /c del "C:\Windows\uawin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1459] cmd /c del "C:\Windows\uawin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB938] command /c del "C:\Windows\rsczsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5175] cmd /c del "C:\Windows\rsczsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6835] command /c del "C:\Windows\mfnsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2577] cmd /c del "C:\Windows\mfnsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7635] command /c del "C:\Windows\ffnsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8096] cmd /c del "C:\Windows\ffnsys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3431] command /c del "C:\Windows\assys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4860] cmd /c del "C:\Windows\assys.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7955] command /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5789] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2471] command /c del "C:\Windows\System32\drivers\core.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD418] cmd /c del "C:\Windows\System32\drivers\core.sys"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingB8909] command /c del "C:\Windows\uawin.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingD2577] cmd /c del "C:\Windows\mfnsys.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingB7635] command /c del "C:\Windows\ffnsys.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingD8096] cmd /c del "C:\Windows\ffnsys.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingB3431] command /c del "C:\Windows\assys.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingD4860] cmd /c del "C:\Windows\assys.dll" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingB7955] command /c del "C:\Windows\System32\drivers\core.cache.dsk" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingD5789] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingB2471] command /c del "C:\Windows\System32\drivers\core.sys" (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [SpybotDeletingD418] cmd /c del "C:\Windows\System32\drivers\core.sys" (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read current page with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Current.htm
O8 - Extra context menu item: Read selected with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Selection.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\r3dh3adkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O9 - Extra 'Tools' menuitem: &SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O13 - Gopher Prefix:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 10835 bytes

BC AdBot (Login to Remove)

 


#2 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 03 December 2007 - 09:24 AM

bump

#3 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 04 December 2007 - 08:14 AM

bump

#4 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 04 December 2007 - 03:46 PM

bump

#5 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 04 December 2007 - 08:25 PM

I just had about 4 pop ups from windows saying i had severe virus'

Here is a new HJT log, can someone please check this. I think its getting worse

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:23 PM, on 12/4/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\Windows\system32\zqbquvkk.dll (file missing)
O2 - BHO: (no name) - {CF327B2A-122E-43DA-96D9-7356A0CB320D} - C:\Windows\system32\gebbc.dll
O2 - BHO: (no name) - {E8309D75-5C95-4054-A738-97A2A95BA84F} - C:\Windows\system32\gebbc.dll
O3 - Toolbar: SpeechExpert - {65A66125-D6FA-414A-83BA-29BD2D35DF83} - C:\PROGRA~1\SPEECH~1\Spiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\Windows\system32\zqbquvkk.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DSS] C:\Windows\svrlintcp.exe
O4 - HKLM\..\Run: [6ea34cf6] rundll32.exe "C:\Windows\system32\htqacjia.dll",b
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read current page with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Current.htm
O8 - Extra context menu item: Read selected with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Selection.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\r3dh3adkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O9 - Extra 'Tools' menuitem: &SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O13 - Gopher Prefix:
O20 - Winlogon Notify: efcdcya - C:\Windows\SYSTEM32\efcdcya.dll
O20 - Winlogon Notify: zqbquvkk - zqbquvkk.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7898 bytes

#6 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 05 December 2007 - 08:54 AM

Ran AVG and told it to remove everything it found, i healed and deleted all the files it found

did a Spybot S&D scan again and got this...

Posted Image

i am running version 1.5.1.15 with the latest definitions.


here is an updated HJT log after "removing" the problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:23 AM, on 12/5/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SpeechExpert - {65A66125-D6FA-414A-83BA-29BD2D35DF83} - C:\PROGRA~1\SPEECH~1\Spiebar.dll
O4 - HKLM\..\Run: [Windows Defender] -
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] -C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] -C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] -"c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] -"C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read current page with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Current.htm
O8 - Extra context menu item: Read selected with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Selection.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O9 - Extra 'Tools' menuitem: &SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6620 bytes

#7 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 07 December 2007 - 08:05 AM

bump

#8 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 08 December 2007 - 08:41 AM

bump

#9 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 08 December 2007 - 04:07 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:29 PM, on 12/8/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {656EE20E-BCD6-4818-BBBD-2AA560B434F3} - C:\Windows\system32\gebbc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B9B1311A-22D3-42E0-9475-A5B0DF31B109} - C:\Windows\system32\gebbc.dll
O4 - HKLM\..\Run: [Windows Defender] -
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] -C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] -C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] -"c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] -"C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 5551 bytes




updated HJT list

#10 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 09 December 2007 - 09:29 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:13 AM, on 12/9/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Windows Defender] -
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] -C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] -C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] -"c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] -"C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 5228 bytes



system is still moving slow and still having alot of pop-ups

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 10 December 2007 - 12:24 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum r3dh3adkid
My name is Richie and i'll be helping you to fix your problems.

Apologies for the late reply,as i'm sure you can appreciate we are snowed under with logs.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Posted Image
Posted Image

#12 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 10 December 2007 - 09:49 PM

While in safe mode i scanned with: Super AntiSpyware, AVG Anti-Virus, ATF-Cleaner, and Spybot S&D

You did not say use AVG or Spybot but i figured while i was still in safe mode it couldnt hurt to try right?



Here are the logs that you requested.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/10/2007 at 06:25 PM

Application Version : 3.9.1008

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 00:30:38


Memory items scanned : 256
Memory threats detected : 1
Registry items scanned : 7565
Registry threats detected : 5
File items scanned : 55976
File threats detected : 3

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\GEBBC.DLL
C:\WINDOWS\SYSTEM32\GEBBC.DLL

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A45DECF4-47C5-421E-98EF-54740BF0AF55}
HKCR\CLSID\{A45DECF4-47C5-421E-98EF-54740BF0AF55}
HKCR\CLSID\{A45DECF4-47C5-421E-98EF-54740BF0AF55}\InprocServer32
HKCR\CLSID\{A45DECF4-47C5-421E-98EF-54740BF0AF55}\InprocServer32#ThreadingModel

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}

Trojan.Downloader-DNSDoor
C:\WINDOWS\SVRLINTCP.EXE

Trojan.Downloader-Gen/TaLDrv
C:\WINDOWS\SYSTEM32\M8\NSTS2DLL1.EXE







Deckard's System Scanner v20071014.68
Run by r3dh3adkid on 2007-12-10 21:43:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as r3dh3adkid.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:30 PM, on 12/10/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Users\r3dh3adkid\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\r3dh3adkid.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en-us.start2.mozilla.com/firefox?cl...:en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F9C81BD2-EFDC-44BE-8072-8C752A17F68C} - C:\Windows\system32\gebbc.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] -
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] -C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] -"C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] -"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] -C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [amd_dc_opt] -C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] -"c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinampAgent] -"C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\Run: [igndlm.exe] -C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 5903 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071204-234507-289 O23 - Service: iPod Service - Unknown owner - -"C:\Program Files\iPod\bin\iPodService.exe" (file missing)
backup-20071204-234507-335 O23 - Service: Apple Mobile Device - Unknown owner - -"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (file missing)
backup-20071204-234507-449 O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
backup-20071204-234507-513 O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
backup-20071204-234507-530 O23 - Service: NBService - Unknown owner - -C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
backup-20071204-234507-559 O4 - HKCU\..\Run: [Sidebar] -C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
backup-20071204-234507-591 O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
backup-20071204-234507-592 O23 - Service: Ventrilo - Unknown owner - -C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
backup-20071204-234507-598 O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
backup-20071204-234507-726 O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\r3dh3adkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
backup-20071204-234507-769 O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
backup-20071204-234507-779 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] -"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
backup-20071204-234507-784 O23 - Service: Steam Client Service - Unknown owner - -C:\Program Files\Common Files\Steam\SteamService.exe (file missing)
backup-20071204-234507-805 O23 - Service: NMIndexingService - Unknown owner - -"C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (file missing)
backup-20071204-234507-844 O13 - Gopher Prefix:
backup-20071204-234507-858 O4 - HKUS\S-1-5-21-388745949-944897467-2303550857-1000\..\RunOnce: [Config] C:\Program Files\Common Files\System\RegServ32.exe (User '?')
backup-20071204-234507-859 O23 - Service: Diskeeper - Unknown owner - -"C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" (file missing)
backup-20071204-234507-862 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\Windows\system32\zqbquvkk.dll (file missing)
backup-20071204-234507-954 O4 - HKCU\..\RunOnce: [Config] C:\Program Files\Common Files\System\RegServ32.exe
backup-20071204-234635-340 O4 - HKLM\..\Run: [DSS] -C:\Windows\svrlintcp.exe
backup-20071204-234635-797 O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
backup-20071204-234635-846 O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
backup-20071204-234837-754 O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
backup-20071204-234837-841 O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
backup-20071208-160618-428 O9 - Extra 'Tools' menuitem: &SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (file missing) (HKCU)
backup-20071208-160618-508 O20 - Winlogon Notify: efcdcya - efcdcya.dll (file missing)
backup-20071208-160618-589 O9 - Extra button: SpeechExpert - {9963BBF2-4056-4899-87FA-ECAA6724C46F} - C:\Program Files\Speech Workshop\speechxp.exe (file missing) (HKCU)
backup-20071208-160618-809 O8 - Extra context menu item: Read selected with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Selection.htm
backup-20071208-160618-892 O8 - Extra context menu item: Read current page with SpeechExpert - C:\Program Files\Speech Workshop\SpeechXP_Current.htm

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-11-10 and 2007-12-10 -----------------------------

2007-12-10 21:38:37 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2007-12-10 16:03:37 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2007-12-10 16:03:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-10 15:29:34 0 d-------- C:\Program Files\Diablo II
2007-12-09 13:38:08 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 13:33:54 0 d-------- C:\Program Files\SpywareGuard
2007-12-08 10:10:07 306688 --a------ C:\Windows\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-12-06 15:19:48 0 d-------- C:\Program Files\Alcohol Soft
2007-12-06 14:06:25 685816 --a------ C:\Windows\system32\drivers\sptd.sys
2007-12-04 21:14:59 0 dr-h----- C:\$VAULT$.AVG
2007-12-04 20:42:00 0 d-------- C:\Users\All Users\Grisoft
2007-12-04 20:42:00 0 d-------- C:\Users\All Users\avg7
2007-12-04 13:38:12 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-12-04 13:36:22 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 13:36:22 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 13:36:14 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-04 13:36:14 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 13:36:14 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 13:36:14 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 13:35:32 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2007-12-04 08:21:11 0 d-------- C:\Windows\system32\Futuremark
2007-12-03 01:51:08 0 d-------- C:\Program Files\Trend Micro
2007-12-03 00:11:35 7059 --ahs---- C:\Windows\system32\cbbeg.ini2
2007-12-03 00:05:57 0 d-------- C:\Windows\system32\m8
2007-12-03 00:05:57 0 d-------- C:\Windows\system32\j2
2007-12-03 00:05:57 0 d-------- C:\Windows\system32\d1
2007-12-03 00:05:57 0 d-------- C:\Windows\system32\c1
2007-12-03 00:05:47 0 d-------- C:\Windows\system32\rMa14yy
2007-12-03 00:05:47 0 d-------- C:\Temp
2007-12-02 23:39:35 176 --a------ C:\Delme.bat
2007-12-02 23:34:09 0 -rahs---- C:\MSDOS.SYS
2007-12-02 23:34:09 0 -rahs---- C:\IO.SYS
2007-12-02 23:20:21 0 d-------- C:\Program Files\LimeWire
2007-11-29 14:39:51 0 d-------- C:\Users\All Users\OrbNetworks
2007-11-29 14:39:49 0 d-------- C:\Program Files\Winamp Remote
2007-11-29 14:37:56 0 d-------- C:\Program Files\Winamp
2007-11-29 08:13:04 0 d-------- C:\Users\r3dh3adkid\BasicActor
2007-11-28 10:49:36 0 d-------- C:\Program Files\Ventrilo
2007-11-28 01:14:25 0 d-------- C:\Users\All Users\Media Center Programs
2007-11-27 22:42:47 0 d-------- C:\Windows\lhsp
2007-11-21 14:51:50 0 d-------- C:\Program Files\ATI Technologies
2007-11-20 10:10:29 0 d-------- C:\Program Files\Analog Devices
2007-11-18 13:00:12 0 d-------- C:\Windows\system32\appmgmt
2007-11-13 17:01:37 0 d-------- C:\Program Files\Zune
2007-11-12 15:34:42 0 d-------- C:\Users\All Users\SongbirdVLC
2007-11-10 23:33:51 0 d-------- C:\Users\r3dh3adkid\Shared
2007-11-10 23:33:49 0 d-------- C:\Users\r3dh3adkid\Incomplete


-- Find3M Report ---------------------------------------------------------------

2007-12-10 21:43:06 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Xfire
2007-12-10 21:38:47 0 d-------- C:\Program Files\DivX
2007-12-10 21:38:37 0 d-------- C:\Program Files\Common Files
2007-12-10 21:22:32 0 d-------- C:\Program Files\Xfire
2007-12-10 18:46:33 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\AVG7
2007-12-10 16:03:25 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\SUPERAntiSpyware.com
2007-12-10 16:02:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-10 00:19:04 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Azureus
2007-12-09 23:10:13 0 d-------- C:\Program Files\Warcraft III
2007-12-07 21:45:06 0 d-------- C:\Program Files\Azureus
2007-12-06 22:50:59 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-06 22:50:00 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Adobe
2007-12-06 22:44:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-06 21:08:52 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\dvdcss
2007-12-04 09:33:00 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\LimeWire
2007-12-03 01:37:07 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Winamp
2007-12-03 00:05:58 0 d-------- C:\Program Files\Windows Calendar
2007-12-03 00:05:22 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\WinRAR
2007-12-02 23:23:11 0 d-------- C:\Program Files\iTunes
2007-11-29 08:13:00 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\IGN_DLM
2007-11-28 11:30:07 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Ventrilo
2007-11-28 11:13:42 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\CoreFTP
2007-11-28 01:15:05 669184 --a------ C:\Windows\system32\pbsvc.exe
2007-11-22 11:22:14 0 d-------- C:\Program Files\Electronic Arts
2007-11-18 13:00:47 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\InstallShield
2007-11-18 13:00:11 0 d-------- C:\Program Files\VentSrv
2007-11-17 10:37:48 0 d-------- C:\Program Files\Common Files\Steam
2007-11-17 10:37:47 0 d-------- C:\Program Files\Steam
2007-11-16 08:41:23 0 d-------- C:\Program Files\SpeedFan
2007-11-14 00:20:55 0 d-------- C:\Program Files\Windows Mail
2007-11-12 15:34:09 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Songbird1
2007-11-10 14:48:11 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2007-11-07 15:18:58 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\SystemRequirementsLab
2007-11-07 15:18:58 0 d-------- C:\Program Files\SystemRequirementsLab
2007-11-06 19:31:52 805 --a------ C:\Windows\mozver.dat
2007-11-06 14:54:59 0 d-------- C:\Program Files\CoreFTP
2007-11-06 11:53:27 0 d-------- C:\Program Files\Viewpoint
2007-11-05 07:23:07 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-03 19:20:23 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\vlc
2007-11-03 19:18:39 0 d-------- C:\Program Files\VideoLAN
2007-11-03 17:26:57 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Sierra Entertainment
2007-11-03 17:07:09 0 d-------- C:\Program Files\MSN Messenger
2007-11-03 11:28:04 0 d-------- C:\Program Files\AGEIA Technologies
2007-11-01 18:59:43 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Apple Computer
2007-11-01 18:59:16 0 d-------- C:\Program Files\iPod
2007-11-01 18:50:18 0 d-------- C:\Program Files\Apple Software Update
2007-10-29 16:23:54 0 d-------- C:\Program Files\AMD
2007-10-29 14:34:58 0 d-------- C:\Program Files\MSXML 4.0
2007-10-29 07:01:00 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Ahead
2007-10-29 07:00:05 0 d-------- C:\Program Files\Common Files\Ahead
2007-10-29 06:57:25 0 d-------- C:\Program Files\Nero
2007-10-29 05:48:35 0 d-------- C:\Program Files\QuickTime
2007-10-28 21:42:23 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-28 21:40:35 0 d-------- C:\Program Files\Guild Wars
2007-10-28 21:02:56 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-28 18:40:26 0 dr-h----- C:\Users\r3dh3adkid\AppData\Roaming\SecuROM
2007-10-28 03:49:45 0 d-------- C:\Program Files\Java
2007-10-28 03:47:15 0 d-------- C:\Program Files\Common Files\Java
2007-10-27 18:04:05 0 d-------- C:\Program Files\CCleaner
2007-10-27 17:48:54 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Aim
2007-10-27 17:48:54 0 d-------- C:\Program Files\AIM
2007-10-27 17:48:20 0 d-------- C:\Program Files\AOD
2007-10-27 17:37:44 0 d-------- C:\Program Files\Google
2007-10-27 17:27:45 0 d-------- C:\Program Files\Common Files\ComponentOne
2007-10-27 16:58:42 76480 --a------ C:\Windows\War3Unin.dat
2007-10-27 16:40:03 2829 --a------ C:\Windows\War3Unin.pif
2007-10-27 16:40:03 139264 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-10-27 15:41:08 0 d-------- C:\Program Files\Download Manager
2007-10-27 15:19:23 0 d-------- C:\Program Files\ATI
2007-10-27 15:04:13 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\ATI
2007-10-27 15:03:06 174 --ahs---- C:\Program Files\desktop.ini
2007-10-27 14:59:27 0 d-------- C:\Program Files\Windows Defender
2007-10-27 14:56:35 0 --a------ C:\Windows\ativpsrm.bin
2007-10-27 14:49:51 0 --a------ C:\Windows\nsreg.dat
2007-10-27 14:49:49 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Mozilla
2007-10-27 14:37:26 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Macromedia
2007-10-27 14:29:18 0 d-------- C:\Users\r3dh3adkid\AppData\Roaming\Identities
2007-09-11 01:55:46 81920 --a------ C:\Windows\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9C81BD2-EFDC-44BE-8072-8C752A17F68C}]
C:\Windows\system32\gebbc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="-" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="-C:\Program Files\Google\Gmail Notifier\gnotify.exe" []
"SunJavaUpdateSched"="-C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"QuickTime Task"="-C:\Program Files\QuickTime\QTTask.exe" []
"Adobe Reader Speed Launcher"="-C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" []
"NeroFilterCheck"="-C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" []
"amd_dc_opt"="-C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" []
"iTunesHelper"="-C:\Program Files\iTunes\iTunesHelper.exe" []
"Zune Launcher"="-c:\Program Files\Zune\ZuneLauncher.exe" []
"SoundMAXPnP"="-C:\Program Files\Analog Devices\Core\smax4pnp.exe" []
"WinampAgent"="-C:\Program Files\Winamp\winampa.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/04/2007 08:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="-C:\Program Files\Download Manager\DLM.exe" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [07/02/2007 05:29 AM]

C:\Users\r3dh3adkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [12/4/2007 9:25:52 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 12/04/2007 08:42 PM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\gebbc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7630 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-10 21:45:15 ------------









Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2045.88 MiB / 1526.83 MiB
Pagefile Memory (total/avail): 4311.8 MiB / 3695.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 73.2 GiB free.
D: is CDROM (No Media)



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.503 v7.5.503 (Grisoft)
AS: Spybot - Search and Destroy v1.0.0.4 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\r3dh3adkid\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=R3DH3ADKID-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\r3dh3adkid
LOCALAPPDATA=C:\Users\r3dh3adkid\AppData\Local
LOGONSERVER=\\R3DH3ADKID-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\R3DH3A~1\AppData\Local\Temp
TMP=C:\Users\R3DH3A~1\AppData\Local\Temp
USERDOMAIN=r3dh3adkid-PC
USERNAME=r3dh3adkid
USERPROFILE=C:\Users\r3dh3adkid
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

r3dh3adkid (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Core FTP LE 2.0 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
Counter-Strike: Source --> "C:\Program Files\Steam\steam.exe" steam://uninstall/240
CryEngine®2 Sandbox™2 --> MsiExec.exe /I{7E4B7FD9-4ECE-4298-A910-3160B7918059}
Crysis® --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Manager 2.3.6 --> C:\Program Files\Download Manager\uninst.exe
Dual-Core Optimizer --> MsiExec.exe /X{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire PRO 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SAPI 5.0 Engine --> MsiExec.exe /I{61BFF3E6-B0D6-4A9E-9BA7-1FCDC2091966}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 7 Premium --> MsiExec.exe /X{847CAE64-4CD2-4B2D-AF00-978FF5431033}
PunkBuster Services --> C:\Windows\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
SoundMAX --> C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0009 -removeonly
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warcraft III --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Warcraft III: All Products --> C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Zune --> MsiExec.exe /X{FE0256DB-509C-40AC-B888-2543AD4298E6}
Zune Language Pack (ES) --> MsiExec.exe /I{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /I{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type39191 / Success
Event Submitted/Written: 12/10/2007 09:22:51 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type39189 / Error
Event Submitted/Written: 12/10/2007 09:22:50 PM
Event ID/Source: 3 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus, AntiSpyware and Firewall.

Event Record #/Type39188 / Success
Event Submitted/Written: 12/10/2007 09:22:50 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type39183 / Success
Event Submitted/Written: 12/10/2007 09:21:56 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type39173 / Warning
Event Submitted/Written: 12/10/2007 07:14:36 PM
Event ID/Source: 6000 / Wlclntfy
Event Description:
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27319 / Error
Event Submitted/Written: 12/10/2007 09:37:05 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Network List Service%%1450

Event Record #/Type27317 / Error
Event Submitted/Written: 12/10/2007 09:36:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Network List Service%%1450

Event Record #/Type27315 / Error
Event Submitted/Written: 12/10/2007 09:35:59 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Network List Service%%1450

Event Record #/Type27313 / Error
Event Submitted/Written: 12/10/2007 09:35:26 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Network List Service%%1450

Event Record #/Type27311 / Error
Event Submitted/Written: 12/10/2007 09:34:53 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
Network List Service%%1450



-- End of Deckard's System Scanner: finished at 2007-12-10 21:45:15 ------------


I dunno why this is not showing that i have Vista but, i do.



Also, these lists were not generated in safe mode. I logged back in and generated the lists, dunno if thats ok or not?


Lookin good? or we still need work?




TYVM for the help so far, you have no idea!

Edited by r3dh3adkid, 10 December 2007 - 09:54 PM.


#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 11 December 2007 - 05:13 AM

Make sure the following programs are temporarily disabled or they'll interfere:
SpywareGuard
Windows Defender
Temporarily_Disable_Real_Time_Monitoring_Programs:
link


Please download OTMoveIt by OldTimer,save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\Windows\system32\cbbeg.ini2
C:\Windows\system32\m8
C:\Windows\system32\j2
C:\Windows\system32\d1
C:\Windows\system32\c1
C:\Windows\system32\rMa14yy
C:\Program Files\Viewpoint

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9C81BD2-EFDC-44BE-8072-8C752A17F68C}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0


Also post a new Hijackthis log.
Posted Image
Posted Image

#14 r3dh3adkid

r3dh3adkid
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 11 December 2007 - 01:52 PM

C:\Windows\system32\cbbeg.ini2 moved successfully.
C:\Windows\system32\m8 moved successfully.
C:\Windows\system32\j2 moved successfully.
C:\Windows\system32\d1 moved successfully.
C:\Windows\system32\c1 moved successfully.
C:\Windows\system32\rMa14yy moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9Plus moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9 moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Components moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player moved successfully.
C:\Program Files\Viewpoint\Common moved successfully.
C:\Program Files\Viewpoint moved successfully.

Created on 12112007_134631



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:16 PM, on 12/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en-us.start2.mozilla.com/firefox?cl...:en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F9C81BD2-EFDC-44BE-8072-8C752A17F68C} - C:\Windows\system32\gebbc.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] -
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] -C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] -"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [amd_dc_opt] -C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-388745949-944897467-2303550857-1000 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User '?')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Unknown owner - -C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 4775 bytes



I wasn't suppose to do any of that in safe mode correct?

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:32 PM

Posted 11 December 2007 - 05:04 PM

I wasn't suppose to do any of that in safe mode correct?

Thats correct :thumbsup:

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F9C81BD2-EFDC-44BE-8072-8C752A17F68C} - C:\Windows\system32\gebbc.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] -


Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Turn off Windows Vista System Restore:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished,restart the computer.

Turn on Windows Vista System Restore:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES,I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the activex control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished,post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log.
Let me know how your pc is running now.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users