
Popups---hjt Log Included


  • This topic is locked
7 replies to this topic

#1 lamouchr


Posted 14 December 2007 - 08:18 AM

Getting popups on my computer when browsing.

Also, all the icons on the desktop disappear every once in a while and come back after some activity on the drive. If I've moved an icon, it comes back where it originally was prior to the screen going blank...

I've run and cleaned with antivirus, Ad-Aware, Spybot and SUPERAntiSpyware.

Here is the logfile...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:34 AM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Business Internet Security\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aleric\MyIVO\bin\myivodds.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe
C:\Program Files\Bell\Business Internet Security\Rps.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSSComHandler.exe
C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca10.hpwis.com/
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [myivo] C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BBSS.exe] "C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" /AUTORUN
O4 - HKLM\..\Run: [Business Internet Security] "C:\Program Files\Bell\Business Internet Security\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [0451d656] rundll32.exe "C:\WINDOWS\system32\chftnixe.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175713649250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175716663140
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.tristarelectric.ca/Remote/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1B4085-4875-4C5B-B305-50323700F8CA}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MyIVO - Unknown owner - C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Business Internet Security Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
O23 - Service: Business Internet Security Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Business Internet Security\Fws.exe

--
End of file - 7652 bytes



#2 lamouchr


Posted 14 December 2007 - 12:41 PM

OK...Updated...

I was also infected with Virtumonde... I was able (so it seems) to clear that up, but I am still getting Windows Defender notices of win32/Fotomoto.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:24 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Business Internet Security\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aleric\MyIVO\bin\myivodds.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe
C:\Program Files\Bell\Business Internet Security\Rps.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSSComHandler.exe
C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\jkwqhcrs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ico.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca10.hpwis.com/
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [myivo] C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BBSS.exe] "C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" /AUTORUN
O4 - HKLM\..\Run: [Business Internet Security] "C:\Program Files\Bell\Business Internet Security\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [0451d656] rundll32.exe "C:\WINDOWS\system32\qtkidohe.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175713649250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175716663140
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.tristarelectric.ca/Remote/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1B4085-4875-4C5B-B305-50323700F8CA}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jkwqhcrs.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MyIVO - Unknown owner - C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Business Internet Security Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
O23 - Service: Business Internet Security Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Business Internet Security\Fws.exe

--
End of file - 7753 bytes

#3 SNOWHITE


Posted 14 December 2007 - 11:45 PM

Hello lamouchr, and welcome to BC!

My name is SNOWHITE and I will be helping you with your Malware problem.


One or more of the identified infections is a keylogger. Keyloggers can monitor PCs by taking screenshots, keeping key logs, including chats, e-mails, web sites visited, searches performed, and more.

This allows hackers to steal critical system information.

If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Also change your passwords for any other websites you are a member of.

More info can be found here:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Should you have any questions, please feel free to ask.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with the tools we are going to use for cleaning your computer.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
Step #2

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt).

Step #3

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
In your next post please include the following reports:
  • SDFix report
  • FixWareout report
  • dss scan reports main.txt and extra.txt
Let me know how the things went.

Regards,
SNOWHITE

#4 lamouchr


Posted 17 December 2007 - 09:29 AM

Thank you SNOWHITE...

SD Fix report:


SDFix: Version 1.118

Run by lamouchr on Mon 12/17/2007 at 08:21 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\X.DAT - Deleted
C:\PROGRA~1\MSNGAM~1\XUKAXOQI - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\WINDOWS\system32\daSgo05\daSgo051080.exe - Deleted
C:\n.bat - Deleted
C:\winlogon.exe - Deleted
C:\x.dat - Deleted
C:\z.dat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,938 bytes - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed
Folder C:\WINDOWS\system32\daSgo05 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 08:32:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe"="C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe:*:Enabled:MyIVO"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\interMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\interMute\\SpamSubtract\\SpamSub.exe:*:Enabled:SpamSubtract"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\obfttpxj.exe"="C:\\WINDOWS\\system32\\obf"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qnjfmcau.exe"="C:\\WINDOWS\\system32\\qnj"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Apr 2007 196 A.SHR --- "C:\BOOT.BAK"
Fri 5 Mar 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Mon 19 Jun 2006 4,348 A..H. --- "C:\Documents and Settings\lamouchr\My Documents\My Music\License Backup\drmv1key.bak"
Mon 19 Jun 2006 20 A..H. --- "C:\Documents and Settings\lamouchr\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 1 Mar 2006 312 A.SH. --- "C:\Documents and Settings\lamouchr\My Documents\My Music\License Backup\drmv2key.bak"
Wed 4 Apr 2001 28,738 A..H. --- "C:\Documents and Settings\lamouchr\Desktop\Stuff to keep\Downloaded Programs\OFFXP\MSDE2000\SQLRESLD.DLL"

Finished!

FixWareout Report:

Username "lamouchr" - 12/17/2007 9:08:54 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"myivo"="C:\\Program Files\\Aleric\\MyIVO\\bin\\myivomgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"AtiPTA"="Atiptaxx.exe"
"BBSS.exe"="\"C:\\Program Files\\Bell\\Bell Business Security Servicepoint\\BBSS.exe\" /AUTORUN"
"Business Internet Security"="\"C:\\Program Files\\Bell\\Business Internet Security\\Rps.exe\""
"-FreedomNeedsReboot"="\"C:\\Program Files\\Bell\\Business Internet Security\\ZkRunOnceR.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Motive SmartBridge"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"0451d656"="rundll32.exe \"C:\\WINDOWS\\system32\\xrubfnph.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"=""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"AdobeUpdater"="C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


DSS Main.txt:

Deckard's System Scanner v20071014.68
Run by lamouchr on 2007-12-17 09:17:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
131: 2007-12-17 14:17:51 UTC - RP444 - Deckard's System Scanner Restore Point
130: 2007-12-17 14:16:19 UTC - RP443 - Windows Defender Checkpoint
129: 2007-12-17 13:40:59 UTC - RP442 - Windows Defender Checkpoint
128: 2007-12-17 13:00:55 UTC - RP441 - Windows Defender Checkpoint
127: 2007-12-16 22:08:24 UTC - RP440 - System Checkpoint


-- First Restore Point --
1: 2007-12-12 15:13:36 UTC - RP314 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as lamouchr.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:55 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Business Internet Security\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Aleric\MyIVO\bin\myivodds.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
C:\WINDOWS\system32\qnjfmcau.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\lamouchr\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\lamouchr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-ca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {383A6382-3567-4FEE-B423-9214D1C30A1C} - C:\WINDOWS\system32\awvvs.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Business Internet Security\pkR.dll
O2 - BHO: {a81583a5-5fc1-9c5a-5264-e8770433db74} - {47bd3340-778e-4625-a5c9-1cf55a38518a} - C:\WINDOWS\system32\mmymsdgf.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [myivo] C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BBSS.exe] "C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" /AUTORUN
O4 - HKLM\..\Run: [Business Internet Security] "C:\Program Files\Bell\Business Internet Security\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [0451d656] rundll32.exe "C:\WINDOWS\system32\xrubfnph.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175713649250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175716663140
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.tristarelectric.ca/Remote/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1B4085-4875-4C5B-B305-50323700F8CA}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebaaxx - gebaaxx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\qnjfmcau.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MyIVO - Unknown owner - C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Business Internet Security Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
O23 - Service: Business Internet Security Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Business Internet Security\Fws.exe

--
End of file - 9032 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScript - shell\open\command - C:\WINDOWS\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 pmxscan (USB Flatbed Scanner Driver) - c:\windows\system32\drivers\usbscan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S3 catchme - c:\docume~1\lamouchr\locals~1\temp\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys (file missing)
S3 SQTECH905C (Dual Camera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DomainService - c:\windows\system32\qnjfmcau.exe /service <Not Verified; ; DDC>
R2 MyIVO - c:\program files\aleric\myivo\bin\myivosrv.exe -service


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-17 09:13:36 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-17 03:00:00 502 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 08:20:00 0 d-------- C:\WINDOWS\ERUNT
2007-12-17 08:03:54 85568 --a------ C:\WINDOWS\system32\xrubfnph.dll
2007-12-17 08:00:55 80448 --a------ C:\WINDOWS\system32\mmymsdgf.dll
2007-12-17 07:58:27 74304 --a------ C:\WINDOWS\system32\qnjfmcau.exe <Not Verified; ; DDC>
2007-12-14 13:54:59 0 d-------- C:\WINDOWS\network diagnostic
2007-12-14 10:39:46 0 d-------- C:\Documents and Settings\lamouchr\Application Data\AdwareAlert
2007-12-14 10:15:23 80448 --a------ C:\WINDOWS\system32\mauiuopa.dll
2007-12-13 13:03:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 15:00:25 34686 --a------ C:\WINDOWS\system32\drivers\Capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
2007-12-12 15:00:25 24569 --a------ C:\WINDOWS\system32\drivers\Camd905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
2007-12-12 10:13:25 284604 --ahs---- C:\WINDOWS\system32\svvwa.ini2
2007-12-12 10:13:19 329824 -----n--- C:\WINDOWS\system32\awvvs.dll
2007-12-12 09:58:03 0 d--hs---- C:\WINDOWS\IA
2007-12-12 09:57:59 0 d-------- C:\WINDOWS\system32\pi3
2007-12-12 09:57:59 0 d-------- C:\WINDOWS\system32\eu1
2007-11-27 10:26:12 0 d-------- C:\Program Files\Intelore
2007-11-27 08:54:13 0 d-------- C:\Program Files\Passware


-- Find3M Report ---------------------------------------------------------------

2007-12-17 08:29:30 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-13 12:52:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 10:45:11 0 d-------- C:\Documents and Settings\lamouchr\Application Data\LimeWire
2007-12-13 09:25:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-12 12:01:55 0 d-------- C:\Program Files\Google
2007-12-12 10:00:29 0 d-------- C:\Program Files\Online Services
2007-12-07 09:04:26 0 d-------- C:\Program Files\AppDev ASP.NET Using VB.NET Demo
2007-11-16 13:32:56 0 d-------- C:\Program Files\LimeWire
2007-11-16 10:23:39 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-16 09:50:04 0 d-------- C:\Program Files\Maxtor
2007-11-16 09:33:36 0 d-------- C:\Program Files\Siemens
2007-11-14 07:48:44 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-05 15:55:28 0 d-------- C:\Documents and Settings\lamouchr\Application Data\WinRAR
2007-10-30 14:29:40 0 d-------- C:\Program Files\NetAssistant
2007-10-30 14:27:58 0 d-------- C:\Program Files\Common Files\Motive
2007-10-30 14:27:54 0 d-------- C:\Documents and Settings\lamouchr\Application Data\Motive
2007-10-29 11:23:21 0 d-------- C:\Program Files\Motive
2007-10-29 11:16:45 0 d-------- C:\Program Files\Common Files
2007-10-18 10:14:00 0 d-------- C:\Program Files\AutoCAD R14


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{383A6382-3567-4FEE-B423-9214D1C30A1C}]
12/12/2007 10:13 AM 329824 --------- C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47bd3340-778e-4625-a5c9-1cf55a38518a}]
12/17/2007 08:00 AM 80448 --a------ C:\WINDOWS\system32\mmymsdgf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 09:07 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 10:01 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/10/2003 11:58 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 11:42 PM]
"VTTimer"="VTTimer.exe" []
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 07:11 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 12:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"myivo"="C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe" [01/01/2006 01:03 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"AtiPTA"="Atiptaxx.exe" [10/10/2001 03:59 PM C:\WINDOWS\system32\atiptaxx.exe]
"BBSS.exe"="C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" [05/28/2007 05:11 PM]
"Business Internet Security"="C:\Program Files\Bell\Business Internet Security\Rps.exe" [08/17/2007 11:57 AM]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe" [08/17/2007 11:57 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [05/19/2004 10:24 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"0451d656"="C:\WINDOWS\system32\xrubfnph.dll" [12/17/2007 08:03 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 10:37 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [10/29/2007 11:21:41 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaaxx]
gebaaxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-17 09:19:41 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3200+
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 511.36 MiB / 207.5 MiB
Pagefile Memory (total/avail): 1250.3 MiB / 996.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.96 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 147.43 GiB total, 122.52 GiB free.
D: is Fixed (FAT32) - 5.22 GiB total, 0.91 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
P: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - Maxtor 6Y160P0 - 152.67 GiB - 2 partitions
\PARTITION0 - Unknown - 5.23 GiB - D:
\PARTITION1 (bootable) - Installable File System - 147.43 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Business Internet Security Firewall v6.0.1 (Bell Small Medium Business) Disabled
AV: Business Internet Security Anti-Virus v6.0.1 (Bell Small Medium Business) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe"="C:\\Program Files\\Aleric\\MyIVO\\bin\\myivosrv.exe:*:Enabled:MyIVO"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\interMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\interMute\\SpamSubtract\\SpamSub.exe:*:Enabled:SpamSubtract"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\obfttpxj.exe"="C:\\WINDOWS\\system32\\obf"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\qnjfmcau.exe"="C:\\WINDOWS\\system32\\qnj"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\lamouchr\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROBERT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\lamouchr
LOGONSERVER=\\ROBERT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\CA\PPRT\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\lamouchr\LOCALS~1\Temp
TMP=C:\DOCUME~1\lamouchr\LOCALS~1\Temp
USERDOMAIN=ROBERT
USERNAME=lamouchr
USERPROFILE=C:\Documents and Settings\lamouchr
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
lamouchr (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\NETASS~1\Uninstall.exe BellCanada
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3830 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cohu\3830\DeIsL1.isu" -c"C:\Program Files\Cohu\3830\_ISREG32.DLL"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ASP.NET Maker 3.1.1 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\aspnetmkris31.log
ASP.NET Using VB.NET 2003 Module 1 --> MsiExec.exe /X{96ACBD04-FD2B-4060-B504-E20632A9B429}
ASPMaker 5.1 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\aspmkr51is.log
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -inf_class:DISPLAY -clean
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}
AutoCAD R14.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\AutoCAD R14\DeIsL1.isu"
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Bell Business Internet Security Pack --> C:\Program Files\InstallShield Installation Information\{3B389018-B607-4A4C-BF80-E80F3455CC24}\setup.exe -runfromtemp -l0x0009 -removeonly
Bell Business Security Servicepoint 1.5.12 --> "C:\Program Files\Bell\Bell Business Security Servicepoint\unins000.exe"
Brother HL-2040 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{484FBCD7-D8CB-4C44-AE68-286D481B3993}\SETUP.exe" -l0x9 -removeonly /uninst
CodeBaby Player (Remove Only) 1.0.2.15 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\codebaby.1.0.2.15.inf,DefaultUninstall,5
Easy Graphic Converter 1.2 --> "C:\Program Files\Easy Graphic Converter\unins000.exe"
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
FlatBed Scanner --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\PmxScan.INF,DefaultUnInstall.USB.NTX86
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Software Update --> MsiExec.exe /X{CC0A24CB-87C9-4F1C-A1F2-F87D8D4DDCAF}
IcoFX 1.5.01 --> "C:\Program Files\IcoFX 1.5\unins000.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Ipswitch WS_FTP Home 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11DE2361-9F73-47B3-B638-2F267927E307}\setup.exe" -l0x9 -removeonly
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
LOGO!Soft Comfort V3.1 --> "C:\Program Files\Siemens\LOGOSoft_V3\UninstallerData\Uninstall.exe"
MaxBlast 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\setup.exe"
Microsoft Exchange Troubleshooting Assistant --> MsiExec.exe /X{1FA7DC9D-847B-4C81-82CA-85EF5365778F}
Microsoft MSDN 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express Edition - ENU\install.exe
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Visual Basic 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\VB98\Setup\1033\Setup.exe"
Microsoft Visual Web Developer 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Web Developer 2005 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2005 Express Edition - ENU --> MsiExec.exe /X{221125DC-6A40-4900-B844-591F5E1195B0}
Microsoft Visual Web Developer 2005 Express Edition - ENU Service Pack 1 (KB926751) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D07A13F7-D30C-47DD-AD95-7D0105811327} /package {221125DC-6A40-4900-B844-591F5E1195B0}
Microsoft Visual Web Developer 2005 Express Edition: Build a Web Site Now! --> MsiExec.exe /I{8D0810C1-5D50-48A3-8DA2-F1133A7B7AF2}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Multimedia Card Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{145CACAF-9B34-41FC-BE49-7D510A253E78}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MyIVO --> MsiExec.exe /I{4C7BCDEA-173C-468F-AB16-293DC88F1FE1}
NetAssistant --> C:\WINDOWS\Motive\BellCanada\MCCUninst.exe
NVIDIA Ethernet Driver --> C:\WINDOWS\System32\nvuenet.exe Uninstall C:\WINDOWS\System32\Nvenet.nvu,NVIDIA Ethernet Driver
NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PPSDKRedistributables --> MsiExec.exe /I{C869F4FF-E5FF-4FBB-9A31-33C23605E170}
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Radialpoint Security Services --> MsiExec.exe /X{5DFDEAAA-E050-482E-A5B6-138CAE53F7BF}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
RPS Ad Blocker --> MsiExec.exe /I{19F906F7-E01C-4158-ADDE-37E7F576169A}
RPS AntiFraud --> MsiExec.exe /I{72E1DCA9-6A52-45F6-B4F0-EFEF023FC48E}
RPS AntiSpyware --> MsiExec.exe /I{42B1C24F-5B85-45A3-9F64-D7BFCD448E53}
RPS AntiVirus --> MsiExec.exe /I{04D752F3-11EA-4B23-AD88-3517D5AE384D}
RPS App Detector --> MsiExec.exe /I{3EE6907D-AE8C-4446-B266-EB6D767DE0E5}
RPS AsRealtime --> MsiExec.exe /I{3DA7F2E8-8946-437A-B5ED-3CFF62D57992}
RPS Backup --> MsiExec.exe /I{3EDF8BCB-2DD8-4A47-8DAB-B2FA6AA5B71A}
RPS Burn --> MsiExec.exe /I{7DA59659-2F29-47CB-BA58-9813FBB3D1D8}
RPS Diagnostic Utility --> MsiExec.exe /I{AFA3F5AE-722F-4EA6-A357-6D8A968B6AA2}
RPS Firewall --> MsiExec.exe /I{1AFAC993-A790-46C7-B856-E868758F32C3}
RPS ParentalControl --> MsiExec.exe /I{BD12F72F-FE7C-436A-98AE-C19D6FDC9F3D}
RPS Performance Tool --> MsiExec.exe /I{0AE45984-6DFF-4491-9985-B3C399B664EF}
RPS PopupBlocker --> MsiExec.exe /I{75B88A8D-8288-4258-853D-BCD8DCABA7A0}
RPS Privacy Manager --> MsiExec.exe /I{94979669-D0DD-4643-8DDD-4F05C654E7C7}
RPS RpsCore --> MsiExec.exe /I{C4C227F3-2AB8-4087-AB1E-D9DB926C6A94}
RPS Security Cleanup --> MsiExec.exe /I{2B8BDDB6-2659-4383-A5CA-847D52FF5310}
RPS Zip --> MsiExec.exe /I{3C3CBC06-D9AA-40DB-8892-E31F09DAF7FF}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5539 / Warning
Event Submitted/Written: 12/17/2007 09:09:16 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5532 / Warning
Event Submitted/Written: 12/17/2007 08:15:24 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5518 / Warning
Event Submitted/Written: 12/14/2007 05:05:28 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5507 / Warning
Event Submitted/Written: 12/14/2007 01:34:55 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5505 / Error
Event Submitted/Written: 12/14/2007 01:26:15 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16306 / Warning
Event Submitted/Written: 12/17/2007 09:19:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%ROBERT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ROBERT27 can't undo changes that you allow.

For more information please see the following:
%ROBERT275

Scan ID: {7F589405-DC1C-425B-8497-F9B01EEA22EB}

User: ROBERT\lamouchr

Name: %ROBERT271

ID: %ROBERT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ROBERT276

Alert Type: %ROBERT278

Detection Type: 1.1.1593.02

Event Record #/Type16305 / Warning
Event Submitted/Written: 12/17/2007 09:19:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%ROBERT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ROBERT27 can't undo changes that you allow.

For more information please see the following:
%ROBERT275

Scan ID: {27FBD384-5D3D-4DB7-B67F-B08EDB6C4795}

User: ROBERT\lamouchr

Name: %ROBERT271

ID: %ROBERT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ROBERT276

Alert Type: %ROBERT278

Detection Type: 1.1.1593.02

Event Record #/Type16304 / Warning
Event Submitted/Written: 12/17/2007 09:19:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%ROBERT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ROBERT27 can't undo changes that you allow.

For more information please see the following:
%ROBERT275

Scan ID: {33DA0572-ABB9-441D-BA9B-934871F1CA0B}

User: ROBERT\lamouchr

Name: %ROBERT271

ID: %ROBERT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ROBERT276

Alert Type: %ROBERT278

Detection Type: 1.1.1593.02

Event Record #/Type16303 / Warning
Event Submitted/Written: 12/17/2007 09:19:04 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%ROBERT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ROBERT27 can't undo changes that you allow.

For more information please see the following:
%ROBERT275

Scan ID: {19FA2733-9F59-4D5B-82F7-31A44E06C7D4}

User: ROBERT\lamouchr

Name: %ROBERT271

ID: %ROBERT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ROBERT276

Alert Type: %ROBERT278

Detection Type: 1.1.1593.02

Event Record #/Type16302 / Warning
Event Submitted/Written: 12/17/2007 09:19:04 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%ROBERT27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ROBERT27 can't undo changes that you allow.

For more information please see the following:
%ROBERT275

Scan ID: {96628358-FCF3-4A85-AC75-4A2E0767CF2E}

User: ROBERT\lamouchr

Name: %ROBERT271

ID: %ROBERT272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ROBERT276

Alert Type: %ROBERT278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-12-17 09:19:41 ------------

#5 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:38 PM

Posted 17 December 2007 - 09:50 AM

Hello lamouchr,

Please follow the steps below exactly in the order they are written:
1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Post back with the Combofix report and a new HijackThis log, and let me know how things go.

Regards,
SNOWHITE
Posted Image

#6 lamouchr

lamouchr
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:38 PM

Posted 17 December 2007 - 02:41 PM

OK....

Combofix Log:

ComboFix 07-12-17.1 - lamouchr 2007-12-17 14:28:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.187 [GMT -5:00]
Running from: C:\Documents and Settings\lamouchr\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IA
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-17 10:27 . 2007-12-17 10:56 <DIR> d-------- C:\VundoFix Backups
2007-12-17 10:10 . 2007-12-17 10:17 3,864 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-17 10:08 . 2007-12-17 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-17 10:03 . 2007-12-17 10:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-17 10:03 . 2007-12-17 10:03 <DIR> d-------- C:\Program Files\CCleaner
2007-12-17 09:52 . 2007-12-17 09:52 <DIR> d-------- C:\Documents and Settings\lamouchr\Application Data\Grisoft
2007-12-17 09:52 . 2007-12-17 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-17 09:52 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-17 09:46 . 2007-12-17 09:46 <DIR> d-------- C:\Documents and Settings\lamouchr\.housecall6.6
2007-12-17 09:17 . 2007-12-17 09:17 <DIR> d-------- C:\Deckard
2007-12-17 08:20 . 2007-12-17 08:20 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-17 08:03 . 2007-12-17 10:21 834 ---hs---- C:\WINDOWS\system32\hpnfburx.ini
2007-12-14 14:01 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-14 14:01 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-14 14:01 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-14 14:01 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-14 14:01 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-14 14:01 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-14 14:01 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-14 14:01 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-14 14:01 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-14 13:54 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-14 13:30 . 2007-12-14 13:30 95 --a------ C:\WINDOWS\wininit.ini
2007-12-14 10:39 . 2007-12-14 10:44 <DIR> d-------- C:\Documents and Settings\lamouchr\Application Data\AdwareAlert
2007-12-14 10:18 . 2007-12-17 07:58 534 ---hs---- C:\WINDOWS\system32\ehodiktq.ini
2007-12-13 13:03 . 2007-12-14 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 10:15 . 2007-12-13 12:54 934,278 ---hs---- C:\WINDOWS\system32\exintfhc.ini
2007-12-12 15:00 . 2006-01-26 13:21 34,686 --a------ C:\WINDOWS\system32\drivers\Capt905c.sys
2007-12-12 15:00 . 2006-01-26 13:21 24,569 --a------ C:\WINDOWS\system32\drivers\Camd905c.sys
2007-12-12 09:57 . 2007-12-13 12:47 <DIR> d-------- C:\WINDOWS\system32\pi3
2007-12-12 09:57 . 2007-12-12 17:50 <DIR> d-------- C:\WINDOWS\system32\eu1
2007-12-12 09:16 . 2007-12-12 15:25 37 --a------ C:\WINDOWS\marscam.ini
2007-11-27 10:26 . 2007-12-13 09:26 <DIR> d-------- C:\Program Files\Intelore
2007-11-27 08:54 . 2007-11-27 08:54 <DIR> d-------- C:\Program Files\Passware
2007-11-27 08:52 . 2007-11-27 08:52 32 --a------ C:\WINDOWS\pwcud.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 13:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-13 17:52 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-13 15:45 --------- d-----w C:\Documents and Settings\lamouchr\Application Data\LimeWire
2007-12-13 15:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-13 14:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-12 17:01 --------- d-----w C:\Program Files\Google
2007-12-07 14:04 --------- d-----w C:\Program Files\AppDev ASP.NET Using VB.NET Demo
2007-11-16 18:32 --------- d-----w C:\Program Files\LimeWire
2007-11-16 15:23 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2007-11-16 14:50 --------- d-----w C:\Program Files\Maxtor
2007-11-16 14:33 --------- d-----w C:\Program Files\Siemens
2007-11-14 12:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 19:29 --------- d-----w C:\Program Files\NetAssistant
2007-10-30 19:27 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-30 19:27 --------- d-----w C:\Documents and Settings\lamouchr\Application Data\Motive
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 16:23 --------- d-----w C:\Program Files\Motive
2007-10-29 16:18 155,995 ----a-w C:\WINDOWS\Java\Packages\GPNZ375N.ZIP
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 15:14 --------- d-----w C:\Program Files\AutoCAD R14
2007-08-03 20:00 58,640 ----a-w C:\Documents and Settings\lamouchr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47bd3340-778e-4625-a5c9-1cf55a38518a}]
C:\WINDOWS\system32\mmymsdgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CAC917C-1E4D-4DCA-8511-64E40332DA1D}]
C:\WINDOWS\system32\awvvs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 09:07]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 23:58]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42]
"VTTimer"="VTTimer.exe" []
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"myivo"="C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe" [2006-01-01 13:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"AtiPTA"="Atiptaxx.exe" [2001-10-10 15:59 C:\WINDOWS\system32\atiptaxx.exe]
"BBSS.exe"="C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" [2007-05-28 17:11]
"Business Internet Security"="C:\Program Files\Bell\Business Internet Security\Rps.exe" [2007-08-17 11:57]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe" [2007-08-17 11:57]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-05-19 10:24]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"0451d656"="C:\WINDOWS\system32\xrubfnph.dll" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2007-10-29 11:21:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaaxx]
gebaaxx.dll

R2 MyIVO;MyIVO;C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe -service []
R3 ati2mpad;ati2mpad;C:\WINDOWS\system32\DRIVERS\ati2mpad.sys [2001-12-21 11:10]
R3 pmxscan;USB Flatbed Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [1999-10-13 15:19]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 04:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 04:15]
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys []
S3 Radialpoint Security Services;Bell Business Internet Security Pack;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-12-17 19:28:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 14:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 14:33:10 - machine was rebooted
.
2007-12-15 22:01:15 --- E O F ---


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:47 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Business Internet Security\Fws.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Aleric\MyIVO\bin\myivodds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Bell\Bell Business Security Servicepoint\BBSSComHandler.exe
C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.my.msn.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Business Internet Security\pkR.dll
O2 - BHO: (no name) - {47bd3340-778e-4625-a5c9-1cf55a38518a} - C:\WINDOWS\system32\mmymsdgf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9CAC917C-1E4D-4DCA-8511-64E40332DA1D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [myivo] C:\Program Files\Aleric\MyIVO\bin\myivomgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BBSS.exe] "C:\Program Files\Bell\Bell Business Security Servicepoint\BBSS.exe" /AUTORUN
O4 - HKLM\..\Run: [Business Internet Security] "C:\Program Files\Bell\Business Internet Security\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Business Internet Security\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [0451d656] rundll32.exe "C:\WINDOWS\system32\xrubfnph.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1175713649250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175716663140
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.tristarelectric.ca/Remote/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1B4085-4875-4C5B-B305-50323700F8CA}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebaaxx - gebaaxx.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: MyIVO - Unknown owner - C:\Program Files\Aleric\MyIVO\bin\myivosrv.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Business Internet Security Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Business Internet Security\rpsupdaterR.exe
O23 - Service: Business Internet Security Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Business Internet Security\Fws.exe

--
End of file - 9196 bytes


Issues now....

When system restarts, get the following error message:

1)
Smartbridge Alert: MotiveSB.exe
Procedure Entry Point: GetProcessImageFilenameW from PSAPI.DLL

2)
RunDLL: Error loading c:\windows\system32\xrubfnp4.dll

I believe the 2nd message is related to a Virtumonde process that is possibly no longer there???

Thanks

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:38 PM

Posted 19 December 2007 - 04:03 AM

Hello lamouchr,

RunDLL: Error loading c:\windows\system32\xrubfnp4.dll

I believe the 2nd message is related to a Virtumonde process that is possibly no longer there???


Yes that one is related to vundo infection you have. I am not sure why you are getting the first error message though, we will see..

Have you by any chance installed password recovery tools:

http://www.lostpassword.com/
http://intelore.com/

I would like to know if you installed them yourself, because they can be harmful if installed without your knowledge. Someone else could get all the passwords for your accounts, and also gain access to your data on the computer.

Also, your DNS is pointing to Freedom Networks, which is sometimes used by infections like Wareout. Please let me know if you set this yourself, so we can fix it if you haven't.


Please follow the steps below exactly in the order they are written:

Step #1


Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\hpnfburx.ini
C:\WINDOWS\system32\ehodiktq.ini
C:\WINDOWS\system32\exintfhc.ini
C:\WINDOWS\system32\xrubfnph.dll
C:\WINDOWS\ALCXMNTR.EXE

Folder::
C:\WINDOWS\system32\pi3
C:\WINDOWS\system32\eu1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47bd3340-778e-4625-a5c9-1cf55a38518a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CAC917C-1E4D-4DCA-8511-64E40332DA1D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
"0451d656"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebaaxx]
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\obfttpxj.exe"=-
"C:\\WINDOWS\\system32\\qnjfmcau.exe"=-
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • J2SE Runtime Environment 5.0 Update 3
    • Java 2 Runtime Environment, SE v1.4.2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
You also have some leftovers by Symantec, remove them from Add/Remove programs:

LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Common Files\Symantec Shared <--
C:\Program Files\Symantec <--

Close Windows Explorer and empty Recycle Bin.

See this link for more instructions about removing Norton.


Step #3

I see you have installed AVG Anti-Spyware. I suppose you already ran a scan with it?

Let's try this scanner also:

Open the extracted SDFix folder (C:\SDFix) and double click RunThis.bat to start the script.

Posted Image
  • Type 1 to Download/Run a-squared from EMSI Software.
  • When the main scanning screen is displayed type 1 to Update
  • When it returns to the main options menu type 2 to run a Full scan
  • Please be patient as this scan may take some time
  • When the scan has finished post back the asquared_Report.txt from the SDFix folder

Posted Image

Posted Image

Posted Image

Please post back with the Combofix report, the contents of asquared_Report.txt and a new HijackThis log, and let me know how things go.

Regards,
SNOWHITE
Posted Image
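The entries SNOWHITE picks out of the HijackThis log above (the two unnamed BHOs pointing at missing system32 DLLs, the rundll32 Run value with a random name, the orphaned Winlogon Notify DLL and the explicitly set DNS servers) can be flagged mechanically. The script below is an added example written for this thread, not code from HijackThis, ComboFix or any poster; it runs over a handful of lines copied from the log in post #6 (embedded as a constructed sample) and applies the same indicators an analyst reads by eye. The "random-looking name" rule and the small known-good allowlist are heuristics of my own, so treat their output as a review queue, not a verdict:

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread (post #6, 17 December 2007). A raw string keeps the backslashes.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {47bd3340-778e-4625-a5c9-1cf55a38518a} - C:\WINDOWS\system32\mmymsdgf.dll (file missing)
O2 - BHO: (no name) - {9CAC917C-1E4D-4DCA-8511-64E40332DA1D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [0451d656] rundll32.exe "C:\WINDOWS\system32\xrubfnph.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD1B4085-4875-4C5B-B305-50323700F8CA}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebaaxx - gebaaxx.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_.-]+)\.dll", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
VOWELS = set("aeiou")

# Illustrative allowlist (assumption, not a vendor list): legitimate Windows
# DLL stems that the vowel heuristic below would otherwise flag.
KNOWN_GOOD_STEMS = {"hnetcfg", "mshtml", "msvcrt", "shlwapi"}


def looks_random(stem, known_good=KNOWN_GOOD_STEMS):
    """Heuristic for generated names such as mmymsdgf / xrubfnph:
    7-8 lowercase letters with at most one vowel. False positives are
    expected; confirm with a file signature or hash lookup before acting."""
    if stem.lower() in known_good:
        return False
    if not (7 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return sum(c in VOWELS for c in stem) <= 1


def triage(log_text, known_good=KNOWN_GOOD_STEMS):
    """Return one finding dict per (line, reason) for a HijackThis-style log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        reasons = []
        # Load point whose target is gone: an orphaned autostart entry
        if "(file missing)" in line:
            reasons.append("autostart points to a file that no longer exists (orphaned load point)")
        # O2 = Browser Helper Object; legitimate ones almost always carry a name
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        for stem in DLL_RE.findall(line):
            if looks_random(stem, known_good):
                reasons.append(f"random-looking DLL name {stem}.dll")
        # rundll32 with a one-letter export is how the Run entry above loads its DLL
        rm = RUNDLL_RE.search(line)
        if rm and len(rm.group(2)) == 1:
            reasons.append(f"rundll32 loads {rm.group(1)} via single-character export '{rm.group(2)}'")
        # O4 = Run key / Startup entry; an 8-hex-digit value name is machine generated
        if section == "O4":
            vm = re.search(r"\[([^\]]+)\]", line)
            if vm and re.fullmatch(r"[0-9a-f]{8}", vm.group(1)):
                reasons.append(f"machine-generated Run value name [{vm.group(1)}]")
        # O17 = TCP/IP settings; explicit resolvers are worth confirming with the user
        if section == "O17" and "NameServer" in line:
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", line)
            reasons.append("DNS servers set explicitly: " + ", ".join(ips) + " (confirm the user configured them)")
        for r in reasons:
            findings.append({"section": section, "reason": r, "line": line})
    return findings


def flagged_lines(findings):
    """Distinct log lines that produced at least one finding."""
    return sorted({f["line"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['section']:>3}] {f['reason']}\n      {f['line']}")
```

On the sample the script flags exactly the five lines SNOWHITE's CFScript addresses (the two BHO CLSIDs, the 0451d656 Run value, the gebaaxx Notify key and the DNS setting she asks about) and leaves the Yahoo, Windows Defender, ctfmon and SUPERAntiSpyware entries alone. The name heuristic is deliberately narrow; widen it only together with a signature or hash check, otherwise legitimate system DLLs start appearing in the queue.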

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:38 PM

Posted 04 January 2008 - 08:30 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE
Posted Image



