
This topic is locked. 40 replies to this topic.

#1 Foo Man (Members, 40 posts)

Posted 27 December 2007 - 04:44 PM

My wife downloaded an executable file off of Limewire, which loaded a bad malware/spyware infection. I've tried Smitfraudfix, Vundofix, Stinger, Spybot, Adaware, etc and I still can't get rid of it. I followed the procedure in the Preparation Guide. Here is my HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:20 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\Program Files\Dell\Media Experience\PCMService .exe
C:\Program Files\Comodo\Firewall\CPF .exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaya.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA5514] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8067] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7108] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC827] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys"
O4 - HKCU\..\Run: [_WinStart] C:\WINDOWS\Connection Wizard\Status\services.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: Folding@Home 5.03.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Folding@Home 5.03.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15635 bytes
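Several things in this log can be checked mechanically: the F3 line loading C:\WINDOWS\system32\ddaya.exe through win.ini, the HKCU Run entry that launches a services.exe from C:\WINDOWS\Connection Wizard\Status rather than system32, the running processes whose names carry a space before .exe (pptd40nt .exe, CPF .exe, PowerReg Scheduler .exe) while the matching Run entries reference the same names without the space, and the O9 entries marked (file missing). The script below is an added example, not part of the original post and not code from HijackThis; it encodes those checks as heuristics over lines copied from the log above. The list of core Windows binaries and the two system directories it trusts are assumptions for this example.

```python
"""Triage checks over HijackThis (HJT) log lines.

Added example; not code from the original post or from HijackThis itself.
Each finding is a reason to look closer, never a verdict on its own.
"""
import re
from pathlib import PureWindowsPath

# Core Windows binaries that should only ever run from these two directories
# (assumed list for this example).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# "O4 - HKLM\..\Run: [x] y"  ->  section "O4", body "HKLM\..\Run: [x] y"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# A Windows path ending in an executable-type extension (lazy, so it stops
# at the first such extension and ignores trailing switches or comments).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]*?\.(?:exe|dll|sys|bat|cpl)\b',
                     re.IGNORECASE)
# Whitespace between a file name and its extension ("pptd40nt .exe").
SPACE_BEFORE_EXT_RE = re.compile(r"\S\s+\.(?:exe|dll|sys|bat|cpl)\b",
                                 re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:file missing|no file)\)", re.IGNORECASE)


def parse(line):
    """Return (section, body). Bare paths from the 'Running processes'
    block get the pseudo-section 'PROC'; anything else gets None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return m.group(1), m.group(2)
    if re.match(r"^[A-Za-z]:\\", line):
        return "PROC", line
    return None, line


def findings_for(line):
    """All (section, subject, reason) findings for one log line."""
    section, body = parse(line)
    out = []
    if section is None:
        return out
    if section.startswith("F"):
        # F-lines are win.ini/system.ini autostarts, a legacy mechanism
        # that current software has little reason to use.
        out.append((section, body, "win.ini/system.ini autostart (F-line)"))
    if SPACE_BEFORE_EXT_RE.search(body):
        out.append((section, body, "whitespace before the file extension"))
    if MISSING_RE.search(body):
        out.append((section, body, "references a file that is gone (orphaned entry)"))
    for path in PATH_RE.findall(body):
        p = PureWindowsPath(path)
        if (p.name.lower() in CORE_BINARIES
                and str(p.parent).lower() not in SYSTEM_DIRS):
            out.append((section, path,
                        "core Windows binary name outside the Windows/system32 directory"))
    return out


def triage(lines):
    """Run findings_for over every line and concatenate the results."""
    findings = []
    for line in lines:
        findings.extend(findings_for(line))
    return findings


# Lines copied from the HJT log posted above.
SAMPLE_LINES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaya.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Run: [_WinStart] C:\WINDOWS\Connection Wizard\Status\services.exe",
    r"O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\program files\javasoft\jre1.4\1.4.1\bin\npjpi141.dll (file missing)",
]

if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LINES):
        print(f"{section:4} {reason}: {subject}")
```

Run against the full log, the script returns nothing for the smss.exe and avast! lines and one finding each for the other five sample lines. The whitespace check deliberately runs on the whole entry text rather than on extracted paths, so Startup-folder entries that carry only a file name (the PowerReg Scheduler lines) are caught as well.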

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 28 December 2007 - 05:22 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Foo Man.
My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we knew in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Manager
Viewpoint Media Player



Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 Foo Man (Topic Starter, Members, 40 posts)

Posted 28 December 2007 - 09:07 PM

SDFix: Version 1.120

Run by Michael on Fri 12/28/2007 at 08:41 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

Path:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\bkR11\ftCa.log - Deleted
C:\WINDOWS\system32\daSgo05\daSgo051080.exe - Deleted
C:\n.bat - Deleted
C:\x.dat - Deleted
C:\z.dat - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\pac.txt - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\Temp\1cb - Removed
Folder C:\Temp\bkR11 - Removed
Folder C:\WINDOWS\system32\daSgo05 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 20:52:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\windows\\system32\\opsq.exe"="c:\\windows\\system32\\opsq.exe:*:Enabled:opsq.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1143679869\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143679869\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1143679869\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143679869\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1144987677\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1144987677\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1144987677\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1144987677\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1148084160\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1148084160\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1148084160\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1148084160\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1148438588\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1148438588\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1148438588\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1148438588\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.0.8\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"="C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 2 Nov 2007 80 ..SHR --- "C:\WINDOWS\SYSTEM32\5C9DFACD9F.dll"
Wed 25 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 20 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 25 Oct 2007 259 A..H. --- "C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\000BA301\BIT112.tmp"

Finished!


I will post the Combofix log shortly...
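The "Authorized Application Key Export" in this SDFix report is the Windows XP SP2 firewall exception list, where each registry value has the form path:scope:mode:display name. The script below is an added example, not part of the original post and not code from SDFix: it parses lines copied from the export above and flags enabled exceptions for executables inside the Windows directory that are not among the XP components already present in the list (opsq.exe is referenced nowhere else in this thread), together with the LimeWire client the poster named as the source of the infection. The allowlist of Windows components and the expansion of %windir% to C:\WINDOWS are assumptions for this example.

```python
"""Review of the Windows XP SP2 firewall exception list as exported by SDFix.

Added example; not code from the original post or from SDFix. The sample
lines are copied from the "Authorized Application Key Export" above; the
allowlist of Windows components and the %windir% value are assumptions.
"""
import re
from pathlib import PureWindowsPath

# One exported rule: "<path>"="<path>:<scope>:<mode>:<display name>"
LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# XP components that hold an exception on a default install (assumed allowlist).
KNOWN_WINDOWS_EXCEPTIONS = {"sessmgr.exe", "xpnetdiag.exe"}
# The file-sharing client the poster named as the source of the infection.
P2P_CLIENTS = {"limewire.exe"}


def expand(path):
    """Resolve %windir%, the only variable in this export (assumed C:\\WINDOWS)."""
    return re.sub(r"%windir%", lambda _m: r"C:\WINDOWS", path, flags=re.IGNORECASE)


def parse_exception(line):
    """Turn one exported line into a dict, or None if it is not a rule."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # .reg-style exports double every backslash; undo that.
    key = m.group("key").replace("\\\\", "\\")
    value = m.group("value").replace("\\\\", "\\")
    # The path contains the drive colon, so split the three trailing fields
    # from the right. A display name containing ':' would break this.
    try:
        path, scope, mode, name = value.rsplit(":", 3)
    except ValueError:
        return None
    return {"key": key, "path": path, "scope": scope, "mode": mode, "name": name}


def review(entry):
    """Reasons an enabled exception deserves a second look (empty if none)."""
    reasons = []
    if entry["mode"].lower() != "enabled":
        return reasons            # a disabled rule opens nothing
    p = PureWindowsPath(expand(entry["path"]))
    exe = p.name.lower()
    if str(p.parent).lower() in SYSTEM_DIRS and exe not in KNOWN_WINDOWS_EXCEPTIONS:
        reasons.append("non-Windows executable in the Windows directory holds an exception")
    if exe in P2P_CLIENTS:
        reasons.append("peer-to-peer client holds an exception")
    if entry["scope"] == "*" and reasons:
        reasons.append("scope '*' means any remote address may connect")
    return reasons


def review_export(lines):
    """(key, reasons) for every rule that produced at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_exception(line)
        if entry is None:
            continue
        reasons = review(entry)
        if reasons:
            flagged.append((entry["key"], reasons))
    return flagged


# Lines copied from the SDFix report above, escaped exactly as SDFix printed them.
SAMPLE_EXPORT = [
    r'"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"',
    r'"c:\\windows\\system32\\opsq.exe"="c:\\windows\\system32\\opsq.exe:*:Enabled:opsq.exe"',
    r'"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"',
    r'"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"',
    r'"C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe"="C:\\WINDOWS\\SYSTEM32\\lxctcoms.exe:*:Enabled:Lexmark Communications System"',
]

if __name__ == "__main__":
    for key, reasons in review_export(SAMPLE_EXPORT):
        print(key)
        for r in reasons:
            print("   -", r)
```

On the sample lines the script flags opsq.exe, LimeWire.exe and lxctcoms.exe and passes sessmgr.exe and YPager.exe. The Lexmark entry is caught by the same directory rule and is cleared by its vendor description; the point of the script is to shrink the list to the entries an analyst still has to account for, not to decide for them.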

#4 Foo Man (Topic Starter, Members, 40 posts)

Posted 28 December 2007 - 09:47 PM

ComboFix Log:


ComboFix 07-12-29.3 - Michael 2007-12-28 21:22:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502 [GMT -5:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
C:\Program Files\Brother\ControlCenter3\brctrcen.exe
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\temp\tn3
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\SYSTEM32\ayadd.ini
C:\WINDOWS\SYSTEM32\ayadd.ini2
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.exe
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 21:29 . 2007-12-28 21:29 331,776 --a------ C:\WINDOWS\SYSTEM32\ddaya.dll
2007-12-28 21:29 . 2007-12-28 21:33 319 --ahs---- C:\WINDOWS\SYSTEM32\ayadd.ini2
2007-12-28 21:29 . 2007-12-28 21:33 319 --ahs---- C:\WINDOWS\SYSTEM32\ayadd.ini
2007-12-28 20:39 . 2007-12-28 20:40 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-28 08:03 . 2007-12-28 08:03 <DIR> d-------- C:\Program Files\Java
2007-12-28 08:03 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-28 08:02 . 2007-12-28 08:02 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-26 13:25 . 2007-12-27 12:02 <DIR> d-------- C:\VundoFix Backups
2007-12-24 15:22 . 2007-12-24 15:22 3,716 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-24 14:40 . 2004-08-19 07:19 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Sonic
2007-12-24 14:40 . 2004-08-19 07:20 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Jasc Software Inc
2007-12-24 14:40 . 2005-05-20 09:31 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Gtek
2007-12-24 14:40 . 2004-08-19 07:13 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Creative
2007-12-24 14:35 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-24 14:35 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-24 14:35 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-24 14:35 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-24 14:35 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-24 14:35 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-24 11:55 . 2007-12-28 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-24 11:55 . 2007-12-24 11:58 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-24 11:55 . 2007-12-24 11:58 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-24 11:55 . 2007-12-24 11:58 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-21 10:40 . 2007-12-21 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 10:36 . 2007-12-21 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 10:27 . 2007-12-21 10:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-21 10:27 . 2007-12-21 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 23:02 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-20 23:02 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2007-12-20 23:02 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-12-20 23:02 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-12-20 23:02 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-12-20 23:02 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-12-20 23:02 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-12-20 23:02 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-12-20 13:05 . 2007-12-28 20:24 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2007-12-20 11:32 . 2007-12-20 11:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\BLSTOOLBAR
2007-12-20 09:16 . 2007-12-20 12:55 <DIR> d--hs---- C:\WINDOWS\TWljaGFlbA
2007-12-20 09:16 . 2007-12-20 23:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\ripd1
2007-12-20 09:16 . 2007-12-20 12:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\ashell3
2007-12-20 09:16 . 2007-12-28 21:25 <DIR> d-------- C:\Temp
2007-12-19 15:59 . 2007-12-28 12:27 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-19 15:03 . 2007-12-19 15:03 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-12-16 11:29 . 2007-12-16 11:29 23,956 --a------ C:\VETlog.dmp
2007-12-07 10:13 . 2007-12-07 10:23 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\BLSTOOLBAR
2007-12-07 10:13 . 2007-12-07 10:13 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\AT&T

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 02:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-29 01:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-29 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 18:27 --------- d-----w C:\Program Files\Folding@Home
2007-12-24 19:42 --------- d-----w C:\Program Files\Dell Support
2007-12-24 17:58 --------- d-----w C:\Program Files\Digital Line Detect
2007-12-24 17:56 --------- d-----w C:\Program Files\Common Files\Command Software
2007-12-24 17:55 --------- d-----w C:\Program Files\blstoolbar
2007-12-24 02:52 --------- d-----w C:\Documents and Settings\Michael\Application Data\AdobeUM
2007-12-21 15:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 20:57 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2007-12-19 20:54 --------- d-----w C:\Program Files\LimeWire
2007-12-19 20:01 --------- d-----w C:\Program Files\Ahead
2007-12-01 12:54 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-11-28 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2007-11-28 14:51 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-27 23:36 --------- d-----w C:\Documents and Settings\Michael\Application Data\blstoolbar
2007-11-27 22:51 --------- d-----w C:\Program Files\AT&T
2007-11-27 22:51 --------- d-----w C:\Documents and Settings\Michael\Application Data\AT&T
2007-11-27 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-11-27 22:42 --------- d-----w C:\Program Files\Common Files\PestPatrol
2007-11-27 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Freedom
2007-11-27 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 22:40 --------- d-----w C:\Program Files\Radialpoint
2007-11-27 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Radialpoint
2007-11-27 21:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 00:06 360,580 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-11-05 00:04 --------- d-----w C:\Program Files\KJClipper
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-10-06 00:31 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-09-29 19:59 97,966 ----a-w C:\WINDOWS\Publix Preschool Pals Uninstaller.exe
2005-05-05 04:51 103,358,507 -c--a-w C:\Program Files\DreamweaverMX2004-en.zip
2005-04-28 17:50 21 -c-h--w C:\Documents and Settings\All Users\Application Data\emopts.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AA78EDC-F4C4-4816-84ED-E05DBB8C1A18}]
2007-12-28 21:29 331776 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1438721A-0487-47BB-9347-A41269385D6C}]
C:\Program Files\Internet Explorer\hokenopaC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"="C:\WINDOWS\Connection Wizard\Status\services.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"AsioReg"="REGSVR32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\regsvr32.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [2007-12-16 20:10:25]
PowerReg Scheduler .exe [2007-12-28 21:29:47]
PowerReg Scheduler .exe [2007-12-28 21:22:28]
PowerReg Scheduler .exe [2007-12-28 21:22:29]
PowerReg Scheduler .exe [2007-12-28 21:31:19]
PowerReg Scheduler .exe [2007-12-28 21:22:30]
PowerReg Scheduler .exe [2007-12-28 21:22:30]
PowerReg Scheduler .exe [2007-12-28 21:22:31]
PowerReg Scheduler .exe [2007-12-28 21:31:36]
PowerReg Scheduler .exe [2007-12-28 21:22:32]
PowerReg Scheduler .exe [2007-12-28 21:22:32]
PowerReg Scheduler .exe [2007-12-28 21:22:33]
PowerReg Scheduler .exe [2007-12-28 21:29:52]
PowerReg Scheduler .exe [2007-12-28 21:31:41]
PowerReg Scheduler .exe [2007-12-28 21:30:00]
PowerReg Scheduler .exe [2007-12-28 21:32:08]
PowerReg Scheduler .exe [2007-12-28 21:32:26]
PowerReg Scheduler .exe [2007-12-28 21:30:11]
PowerReg Scheduler .exe [2007-12-28 21:30:13]
PowerReg Scheduler .exe [2007-12-28 21:33:32]
PowerReg Scheduler .exe [2007-12-28 21:30:17]
PowerReg Scheduler .exe [2007-12-28 21:30:20]
PowerReg Scheduler .exe [2007-12-28 21:30:22]
PowerReg Scheduler .exe [2007-12-28 21:30:24]
PowerReg Scheduler .exe [2007-12-28 21:30:26]
PowerReg Scheduler .exe [2007-12-28 21:30:28]
PowerReg Scheduler .exe [2007-12-28 21:30:30]
PowerReg Scheduler .exe [2007-12-28 21:30:32]
PowerReg Scheduler .exe [2007-12-28 21:30:34]
PowerReg Scheduler .exe [2007-12-28 21:34:01]
PowerReg Scheduler .exe [2007-12-28 21:30:38]
PowerReg Scheduler .exe [2007-12-28 21:30:40]
PowerReg Scheduler .exe [2007-12-28 21:30:43]
PowerReg Scheduler .exe [2007-12-28 21:30:45]
PowerReg Scheduler .exe [2007-12-28 21:30:47]
PowerReg Scheduler .exe [2007-12-28 21:30:48]
PowerReg Scheduler .exe [2007-12-28 21:30:50]
PowerReg Scheduler .exe [2007-12-28 21:30:51]
PowerReg Scheduler.exe [2007-12-28 21:30:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-06 17:36:36]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-19 07:10:52]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-30 11:07:51]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ddaya.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddaya

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 02:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTsysVol]
2002-10-29 09:18 49152 --a------ C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-28 21:30 335360 --a------ C:\WINDOWS\system32\ddaya.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

.
Contents of the 'Scheduled Tasks' folder
"2004-08-23 21:33:25 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 21:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ddaya.exe 335360 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ddaya.dll
.
Completion time: 2007-12-28 21:34:55 - machine was rebooted [Michael]
.
2007-12-13 04:00:08 --- E O F ---

One more thing I should mention is that I think my wife tried to remove the ddaya.exe file using the msconfig utility. I keep getting messages saying that Windows cannot find the ddaya.exe file, then the System Configuration Utility window pops up. Should I set it to enable all devices and drivers, or does this not matter?

#5 Foo Man

Foo Man
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 28 December 2007 - 09:50 PM

HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:48 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Folding@Home\FahCore_7b.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaya.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1438721A-0487-47BB-9347-A41269385D6C} - C:\Program Files\Internet Explorer\hokenopaC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: (no name) - {14654545-B4BC-4142-ADC7-16E7028AA849} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [_WinStart] C:\WINDOWS\Connection Wizard\Status\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Folding@Home 5.03.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Folding@Home 5.03.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 16886 bytes
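The HijackThis log above contains several patterns that a helper checks by eye: a non-empty win.ini load= line (F3), an unnamed BHO pointing into system32 (O2), a core binary name (services.exe) started from a folder that is not a system directory, file names with a space before the extension ("PowerReg Scheduler .exe", "MSConfig .exe", "ctfmon .exe"), dozens of identical Startup entries, and, in the ComboFix log, an entry besides msv1_0 in the LSA Authentication Packages value. The checker below is an added example written for this thread, not HijackThis or ComboFix code and not something the helpers posted; its sample lines are constructed after the ones above, and the rule names, the set of system binary names and the directory list are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the HijackThis and ComboFix output in
# this thread; they are not copied from a live system.
SAMPLE_LINES = [
    "F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\ddaya.exe",
    "O2 - BHO: (no name) - {14654545-B4BC-4142-ADC7-16E7028AA849} - C:\\WINDOWS\\system32\\ddaya.dll",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto",
    "O4 - HKCU\\..\\Run: [_WinStart] C:\\WINDOWS\\Connection Wizard\\Status\\services.exe",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O4 - Startup: PowerReg Scheduler .exe",
    "O4 - Startup: PowerReg Scheduler .exe",
    "O4 - Startup: PowerReg Scheduler.exe",
    "O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe",
    "Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\ddaya",
]

# Names of core Windows binaries (assumed list); the genuine ones live only in
# the system directories, so the same name elsewhere deserves a look.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# "MSConfig .exe" / "ctfmon .exe": a space before the extension gives a
# lookalike of a legitimate file name that humans and tools easily misread.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|scr|com|bat)\b", re.IGNORECASE)
# Drive-letter path ending in .exe/.dll; paths may contain spaces.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
# win.ini load= is empty on a clean XP system; anything here starts with the shell.
WININI_LOAD = re.compile(r"F3 - REG:win\.ini: load=(.*)")
# Only msv1_0 is expected in a stock LSA Authentication Packages value.
LSA_PACKAGES = re.compile(r"Authentication Packages\s+REG_MULTI_SZ\s*(.*)")


def check_line(line):
    """Return a list of (rule, detail) findings for one HijackThis or ComboFix line."""
    findings = []
    m = WININI_LOAD.match(line)
    if m and m.group(1).strip():
        findings.append(("win.ini load= autostart", m.group(1).strip()))
    if line.startswith("O2 - BHO: (no name)"):
        findings.append(("unnamed browser helper object", line))
    if SPACE_BEFORE_EXT.search(line):
        findings.append(("space before file extension (lookalike name)", line))
    for path in WIN_PATH.findall(line):
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            findings.append(("system binary name outside system directory", path))
    m = LSA_PACKAGES.match(line)
    if m:
        # Package names are split on whitespace; the entries seen here have none.
        extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extra:
            findings.append(("extra LSA authentication package", " ".join(extra)))
    return findings


def scan(lines):
    """Run every rule over every line; returns a list of (rule, detail, line)."""
    return [(rule, detail, line) for line in lines for rule, detail in check_line(line)]


def duplicate_startup_entries(lines):
    """Startup-folder entries listed more than once (a dropper re-adding itself)."""
    counts = Counter(line for line in lines if re.match(r"O4 - .*Startup: ", line))
    return {line: n for line, n in counts.items() if n > 1}


if __name__ == "__main__":
    for rule, detail, line in scan(SAMPLE_LINES):
        print(f"[{rule}] {detail}")
    for line, n in duplicate_startup_entries(SAMPLE_LINES).items():
        print(f"[duplicate startup entry x{n}] {line}")
```

Run over a real log, the script only triages: every hit still needs the file checked (signature, size, date) before anything is removed, and the clean Spybot, avast and ctfmon lines in the sample show that the rules pass ordinary entries untouched.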

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:36 PM

Posted 28 December 2007 - 10:02 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\SYSTEM32\ddaya.dll
C:\WINDOWS\SYSTEM32\ayadd.ini2
C:\WINDOWS\SYSTEM32\ayadd.ini
C:\WINDOWS\SYSTEM32\vbzip10.dll
C:\Documents and Settings\All Users\Application Data\emopts.dat
Folder::
C:\WINDOWS\TWljaGFlbA
C:\WINDOWS\SYSTEM32\ripd1
C:\WINDOWS\SYSTEM32\ashell3
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AA78EDC-F4C4-4816-84ED-E05DBB8C1A18}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1438721A-0487-47BB-9347-A41269385D6C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
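The CFScript above has three sections: File:: and Folder:: list paths to remove, and Registry:: uses regedit-style syntax in which [-key] deletes a key, "name"=- deletes a value, "name"="" sets a value empty, and a Name REG_MULTI_SZ line rewrites a multi-string value. What follows is an added example, not ComboFix's own code and not something posted in this thread: a dry-run parser that lists the actions a script would take before it is dropped onto ComboFix.exe, and that refuses File:: entries naming core Windows binaries. The sample script is constructed from the entries in the reply above, and the protected-binary list is my assumption.

```python
import re

# Constructed CFScript built from the entries in the reply above; it is used
# here only as parser input, never executed.
CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\ddaya.dll
C:\WINDOWS\SYSTEM32\vbzip10.dll
Folder::
C:\WINDOWS\SYSTEM32\ripd1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AA78EDC-F4C4-4816-84ED-E05DBB8C1A18}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")           # [key] or [-key]
VALUE_RE = re.compile(r'^"([^"]+)"=(-|"(.*)")$')          # "name"=- or "name"="text"
MULTI_RE = re.compile(r"^(.+?)\s+REG_MULTI_SZ\s*(.*)$")   # Name REG_MULTI_SZ a b c
SUPPORTED = {"File", "Folder", "Registry"}

# Deleting one of these through File:: would leave Windows unbootable; a script
# that names them is almost certainly a typo or a bad paste. Assumed list.
PROTECTED_BINARIES = {"ntoskrnl.exe", "hal.dll", "smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "userinit.exe", "explorer.exe"}


def parse_cfscript(text):
    """Return the actions a CFScript would perform as (action, target, value) tuples."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section not in SUPPORTED:
                raise ValueError(f"unsupported section: {section}::")
            current_key = None
            continue
        if section == "File":
            actions.append(("delete_file", line, None))
        elif section == "Folder":
            actions.append(("delete_folder", line, None))
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == "-":
                    actions.append(("delete_key", m.group(2), None))
                    current_key = None
                else:
                    current_key = m.group(2)
                continue
            if current_key is None:
                raise ValueError(f"registry line outside a [key] block: {line}")
            m = VALUE_RE.match(line)
            if m:
                target = f"{current_key}\\{m.group(1)}"
                if m.group(2) == "-":
                    actions.append(("delete_value", target, None))
                else:
                    actions.append(("set_value", target, m.group(3)))
                continue
            m = MULTI_RE.match(line)
            if m:
                actions.append(("set_multi_sz", f"{current_key}\\{m.group(1)}", m.group(2).split()))
                continue
            raise ValueError(f"unrecognised registry line: {line}")
        else:
            raise ValueError(f"line before any section header: {line}")
    return actions


def dangerous_entries(actions):
    """File:: targets whose base name is a core Windows binary; stop if any are found."""
    return [t for a, t, _ in actions
            if a == "delete_file" and t.rsplit("\\", 1)[-1].lower() in PROTECTED_BINARIES]


if __name__ == "__main__":
    acts = parse_cfscript(CFSCRIPT)
    for action, target, value in acts:
        print(action, target, "" if value is None else repr(value))
    print("dangerous:", dangerous_entries(acts))
```

The parser accepts only the three section types used in the reply and raises on anything else, so a script pasted with a stray line or a mistyped header fails loudly instead of silently doing less, or more, than intended.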

#7 Foo Man

Foo Man
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 28 December 2007 - 10:58 PM

OK, I have run the script. I am still getting popups during startup due to my wife attempting to remove the ddaya.exe application through the msconfig utility. These are the 3 messages I'm getting in order of appearance:

Message 1:
"Windows cannot find c:\windows\system32\ddaya.exe..."

Message 2:
"Could not load or run c;\windows\system32\ddaya.exe..."

Message 3: "You have used system configuration utility to make changes to the way windows starts. The system configuration utility is currently in diagnostic or selective startup mode, causing this message to be displayed and the utility to run every time windows starts. Choose the normal startup mode on the general tab to start windows normally and undo the changes you made using the system configuration utility."

What do I do about this?

Here is the Combofix log:

ComboFix 07-12-29.3 - Michael 2007-12-28 21:22:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502 [GMT -5:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
C:\Program Files\Brother\ControlCenter3\brctrcen.exe
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\temp\tn3
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\SYSTEM32\ayadd.ini
C:\WINDOWS\SYSTEM32\ayadd.ini2
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.exe
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 21:29 . 2007-12-28 21:29 331,776 --a------ C:\WINDOWS\SYSTEM32\ddaya.dll
2007-12-28 21:29 . 2007-12-28 21:33 319 --ahs---- C:\WINDOWS\SYSTEM32\ayadd.ini2
2007-12-28 21:29 . 2007-12-28 21:33 319 --ahs---- C:\WINDOWS\SYSTEM32\ayadd.ini
2007-12-28 20:39 . 2007-12-28 20:40 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-28 08:03 . 2007-12-28 08:03 <DIR> d-------- C:\Program Files\Java
2007-12-28 08:03 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-12-28 08:02 . 2007-12-28 08:02 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-26 13:25 . 2007-12-27 12:02 <DIR> d-------- C:\VundoFix Backups
2007-12-24 15:22 . 2007-12-24 15:22 3,716 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-12-24 14:40 . 2004-08-19 07:19 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Sonic
2007-12-24 14:40 . 2004-08-19 07:20 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Jasc Software Inc
2007-12-24 14:40 . 2005-05-20 09:31 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Gtek
2007-12-24 14:40 . 2004-08-19 07:13 <DIR> d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Creative
2007-12-24 14:35 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-12-24 14:35 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-12-24 14:35 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2007-12-24 14:35 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-12-24 14:35 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-12-24 14:35 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2007-12-24 11:55 . 2007-12-28 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-24 11:55 . 2007-12-24 11:58 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-24 11:55 . 2007-12-24 11:58 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2007-12-24 11:55 . 2007-12-24 11:58 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-21 10:40 . 2007-12-21 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 10:36 . 2007-12-21 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 10:27 . 2007-12-21 10:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-21 10:27 . 2007-12-21 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 23:02 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-12-20 23:02 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2007-12-20 23:02 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-12-20 23:02 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-12-20 23:02 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-12-20 23:02 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-12-20 23:02 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-12-20 23:02 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-12-20 13:05 . 2007-12-28 20:24 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2007-12-20 11:32 . 2007-12-20 11:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\BLSTOOLBAR
2007-12-20 09:16 . 2007-12-20 12:55 <DIR> d--hs---- C:\WINDOWS\TWljaGFlbA
2007-12-20 09:16 . 2007-12-20 23:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\ripd1
2007-12-20 09:16 . 2007-12-20 12:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\ashell3
2007-12-20 09:16 . 2007-12-28 21:25 <DIR> d-------- C:\Temp
2007-12-19 15:59 . 2007-12-28 12:27 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-19 15:03 . 2007-12-19 15:03 147,456 --a------ C:\WINDOWS\SYSTEM32\vbzip10.dll
2007-12-16 11:29 . 2007-12-16 11:29 23,956 --a------ C:\VETlog.dmp
2007-12-07 10:13 . 2007-12-07 10:23 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\BLSTOOLBAR
2007-12-07 10:13 . 2007-12-07 10:13 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\AT&T

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 02:25 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-29 01:24 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-29 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-27 18:27 --------- d-----w C:\Program Files\Folding@Home
2007-12-24 19:42 --------- d-----w C:\Program Files\Dell Support
2007-12-24 17:58 --------- d-----w C:\Program Files\Digital Line Detect
2007-12-24 17:56 --------- d-----w C:\Program Files\Common Files\Command Software
2007-12-24 17:55 --------- d-----w C:\Program Files\blstoolbar
2007-12-24 02:52 --------- d-----w C:\Documents and Settings\Michael\Application Data\AdobeUM
2007-12-21 15:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 20:57 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2007-12-19 20:54 --------- d-----w C:\Program Files\LimeWire
2007-12-19 20:01 --------- d-----w C:\Program Files\Ahead
2007-12-01 12:54 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-11-28 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
2007-11-28 14:51 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-27 23:36 --------- d-----w C:\Documents and Settings\Michael\Application Data\blstoolbar
2007-11-27 22:51 --------- d-----w C:\Program Files\AT&T
2007-11-27 22:51 --------- d-----w C:\Documents and Settings\Michael\Application Data\AT&T
2007-11-27 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-11-27 22:42 --------- d-----w C:\Program Files\Common Files\PestPatrol
2007-11-27 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Freedom
2007-11-27 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 22:40 --------- d-----w C:\Program Files\Radialpoint
2007-11-27 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Radialpoint
2007-11-27 21:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 00:06 360,580 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-11-05 00:04 --------- d-----w C:\Program Files\KJClipper
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-10-10 10:59 625,152 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-10-06 00:31 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-09-29 19:59 97,966 ----a-w C:\WINDOWS\Publix Preschool Pals Uninstaller.exe
2005-05-05 04:51 103,358,507 -c--a-w C:\Program Files\DreamweaverMX2004-en.zip
2005-04-28 17:50 21 -c-h--w C:\Documents and Settings\All Users\Application Data\emopts.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AA78EDC-F4C4-4816-84ED-E05DBB8C1A18}]
2007-12-28 21:29 331776 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1438721A-0487-47BB-9347-A41269385D6C}]
C:\Program Files\Internet Explorer\hokenopaC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_WinStart"="C:\WINDOWS\Connection Wizard\Status\services.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"AsioReg"="REGSVR32.exe" [2004-08-04 02:56 C:\WINDOWS\SYSTEM32\regsvr32.exe]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [2007-12-16 20:10:25]
PowerReg Scheduler .exe [2007-12-28 21:29:47]
PowerReg Scheduler .exe [2007-12-28 21:22:28]
PowerReg Scheduler .exe [2007-12-28 21:22:29]
PowerReg Scheduler .exe [2007-12-28 21:31:19]
PowerReg Scheduler .exe [2007-12-28 21:22:30]
PowerReg Scheduler .exe [2007-12-28 21:22:30]
PowerReg Scheduler .exe [2007-12-28 21:22:31]
PowerReg Scheduler .exe [2007-12-28 21:31:36]
PowerReg Scheduler .exe [2007-12-28 21:22:32]
PowerReg Scheduler .exe [2007-12-28 21:22:32]
PowerReg Scheduler .exe [2007-12-28 21:22:33]
PowerReg Scheduler .exe [2007-12-28 21:29:52]
PowerReg Scheduler .exe [2007-12-28 21:31:41]
PowerReg Scheduler .exe [2007-12-28 21:30:00]
PowerReg Scheduler .exe [2007-12-28 21:32:08]
PowerReg Scheduler .exe [2007-12-28 21:32:26]
PowerReg Scheduler .exe [2007-12-28 21:30:11]
PowerReg Scheduler .exe [2007-12-28 21:30:13]
PowerReg Scheduler .exe [2007-12-28 21:33:32]
PowerReg Scheduler .exe [2007-12-28 21:30:17]
PowerReg Scheduler .exe [2007-12-28 21:30:20]
PowerReg Scheduler .exe [2007-12-28 21:30:22]
PowerReg Scheduler .exe [2007-12-28 21:30:24]
PowerReg Scheduler .exe [2007-12-28 21:30:26]
PowerReg Scheduler .exe [2007-12-28 21:30:28]
PowerReg Scheduler .exe [2007-12-28 21:30:30]
PowerReg Scheduler .exe [2007-12-28 21:30:32]
PowerReg Scheduler .exe [2007-12-28 21:30:34]
PowerReg Scheduler .exe [2007-12-28 21:34:01]
PowerReg Scheduler .exe [2007-12-28 21:30:38]
PowerReg Scheduler .exe [2007-12-28 21:30:40]
PowerReg Scheduler .exe [2007-12-28 21:30:43]
PowerReg Scheduler .exe [2007-12-28 21:30:45]
PowerReg Scheduler .exe [2007-12-28 21:30:47]
PowerReg Scheduler .exe [2007-12-28 21:30:48]
PowerReg Scheduler .exe [2007-12-28 21:30:50]
PowerReg Scheduler .exe [2007-12-28 21:30:51]
PowerReg Scheduler.exe [2007-12-28 21:30:53]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-06 17:36:36]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-08-19 07:10:52]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-30 11:07:51]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ddaya.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddaya

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 02:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTsysVol]
2002-10-29 09:18 49152 --a------ C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-28 21:30 335360 --a------ C:\WINDOWS\system32\ddaya.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]

.
Contents of the 'Scheduled Tasks' folder
"2004-08-23 21:33:25 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 21:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ddaya.exe 335360 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ddaya.dll
.
Completion time: 2007-12-28 21:34:55 - machine was rebooted [Michael]
.
2007-12-13 04:00:08 --- E O F ---

#8 RichieUK
Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 29 December 2007 - 05:20 AM

You're running msconfig in Auto mode, which means that you may have selectively unchecked some items in the past from starting up with Windows.
This can be bad if they're malware, so please re-enable those startup entries by doing the following:
Click on Start > Run, type msconfig and then press Enter.
When the 'System Configuration Utility' opens, click on the 'Startup' tab and make sure all the boxes are checkmarked.
Then press Apply/OK to exit the utility.
If it asks you to restart your PC, please don't; it's not necessary at this point.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#9 Foo Man
  • Topic Starter
  • Members
  • 40 posts

Posted 29 December 2007 - 08:43 AM

Main.txt:

Deckard's System Scanner v20071014.68
Run by Michael on 2007-12-29 08:38:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2007-12-29 13:38:38 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2007-12-29 03:44:52 UTC - RP9 - Last known good configuration
8: 2007-12-29 03:44:15 UTC - RP8 - Last known good configuration
7: 2007-12-29 03:44:12 UTC - RP7 - Last known good configuration
6: 2007-12-29 03:44:11 UTC - RP6 - ComboFix created restore point


-- First Restore Point --
1: 2007-12-29 03:44:07 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.62 GiB (less than 15%) free.


-- HijackThis (run as Michael.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:21 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Documents and Settings\Michael\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Michael.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaya.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A2F67317-7191-4805-BE4A-12ACB0793E3E} - C:\WINDOWS\system32\ddaya.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTsysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] SOFTWARE\Microsoft\Windows\CurrentVersion\Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Folding@Home 5.03.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Folding@Home 5.03.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 17836 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

S3 catchme - c:\docume~1\michael\locals~1\temp\catchme.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 dvpapi - "c:\program files\common files\command software\dvpapi.exe" <Not Verified; Command Software Systems, Inc.; Command AntiVirus for Windows>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2004-08-23 16:33:25 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-11-29 and 2007-12-29 -----------------------------

2007-12-29 08:28:36 335360 --a------ C:\WINDOWS\system32\ddaya.exe
2007-12-28 22:36:19 1077 --ahs---- C:\WINDOWS\system32\ayadd.ini2
2007-12-28 22:35:44 331776 -----n--- C:\WINDOWS\system32\ddaya.dll
2007-12-28 20:39:44 0 d-------- C:\WINDOWS\ERUNT
2007-12-28 15:39:30 0 dr-h----- C:\Documents and Settings\Michael\Recent
2007-12-28 08:03:17 0 d-------- C:\Program Files\Java
2007-12-28 08:02:21 0 d-------- C:\Program Files\Common Files\Java
2007-12-26 13:25:39 0 d-------- C:\VundoFix Backups
2007-12-24 15:22:39 3716 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-24 14:40:53 0 d--h----- C:\Documents and Settings\Administrator.MEANMACHINE\Templates
2007-12-24 14:40:53 0 dr------- C:\Documents and Settings\Administrator.MEANMACHINE\Start Menu
2007-12-24 14:40:53 0 dr-h----- C:\Documents and Settings\Administrator.MEANMACHINE\SendTo
2007-12-24 14:40:53 0 dr-h----- C:\Documents and Settings\Administrator.MEANMACHINE\Recent
2007-12-24 14:40:53 0 d--h----- C:\Documents and Settings\Administrator.MEANMACHINE\PrintHood
2007-12-24 14:40:53 0 d--h----- C:\Documents and Settings\Administrator.MEANMACHINE\NetHood
2007-12-24 14:40:53 0 dr------- C:\Documents and Settings\Administrator.MEANMACHINE\My Documents
2007-12-24 14:40:53 0 d--h----- C:\Documents and Settings\Administrator.MEANMACHINE\Local Settings
2007-12-24 14:40:53 0 dr------- C:\Documents and Settings\Administrator.MEANMACHINE\Favorites
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Desktop
2007-12-24 14:40:53 0 d--hs---- C:\Documents and Settings\Administrator.MEANMACHINE\Cookies
2007-12-24 14:40:53 0 dr-h----- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Sun
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Sonic
2007-12-24 14:40:53 0 d---s---- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Microsoft
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Jasc Software Inc
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Identities
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Gtek
2007-12-24 14:40:53 0 d-------- C:\Documents and Settings\Administrator.MEANMACHINE\Application Data\Creative
2007-12-24 14:40:52 1048576 --ah----- C:\Documents and Settings\Administrator.MEANMACHINE\NTUSER.DAT
2007-12-24 14:35:52 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-24 14:35:52 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-24 14:35:52 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-24 14:35:52 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-24 14:35:52 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-24 14:35:52 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-24 11:55:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-21 10:40:11 0 d-------- C:\Program Files\Trend Micro
2007-12-21 10:36:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 10:27:09 0 d-------- C:\Program Files\Lavasoft
2007-12-21 10:27:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 11:32:12 0 d-------- C:\Documents and Settings\LocalService\Application Data\BLSTOOLBAR
2007-12-20 09:16:21 0 d-------- C:\Temp
2007-12-07 10:13:35 0 d-------- C:\Documents and Settings\Ken\Application Data\BLSTOOLBAR
2007-12-07 10:13:27 0 d-------- C:\Documents and Settings\Ken\Application Data\AT&T


-- Find3M Report ---------------------------------------------------------------

2007-12-29 01:20:02 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000000-00001102-00000004-10031102}.dat
2007-12-29 01:20:02 288 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000000-00001102-00000004-10031102}.dat
2007-12-28 21:25:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-28 08:02:21 0 d-------- C:\Program Files\Common Files
2007-12-27 13:27:29 0 d-------- C:\Program Files\Folding@Home
2007-12-24 14:42:06 0 d-------- C:\Program Files\Dell Support
2007-12-24 12:58:40 0 d-------- C:\Program Files\Digital Line Detect
2007-12-24 12:56:31 0 d-------- C:\Program Files\Common Files\Command Software
2007-12-24 12:55:50 0 d-------- C:\Program Files\blstoolbar
2007-12-23 21:52:07 0 d-------- C:\Documents and Settings\Michael\Application Data\AdobeUM
2007-12-21 10:26:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 15:57:19 0 d-------- C:\Program Files\Yahoo SiteBuilder
2007-12-19 15:54:11 0 d-------- C:\Program Files\LimeWire
2007-12-19 15:01:42 0 d-------- C:\Program Files\Ahead
2007-12-01 07:54:48 0 d-------- C:\Program Files\EarthLink TotalAccess
2007-11-28 09:51:58 0 d-------- C:\Program Files\Common Files\Motive
2007-11-27 18:36:38 0 d-------- C:\Documents and Settings\Michael\Application Data\blstoolbar
2007-11-27 17:51:14 0 d-------- C:\Documents and Settings\Michael\Application Data\AT&T
2007-11-27 17:51:12 0 d-------- C:\Program Files\AT&T
2007-11-27 17:42:28 0 d-------- C:\Program Files\Common Files\PestPatrol
2007-11-27 17:40:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 17:40:37 0 d-------- C:\Program Files\Radialpoint
2007-11-04 19:06:41 360580 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2007-11-04 19:04:58 0 d-------- C:\Program Files\KJClipper
2007-11-02 10:37:33 80 -r-hs---- C:\WINDOWS\system32\5C9DFACD9F.dll
2007-09-29 14:59:55 97966 --a------ C:\WINDOWS\Publix Preschool Pals Uninstaller.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2F67317-7191-4805-BE4A-12ACB0793E3E}]
12/28/2007 10:35 PM 331776 --------- C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"AsioReg"="REGSVR32.exe" [08/04/2004 02:56 AM C:\WINDOWS\SYSTEM32\regsvr32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/27/2007 06:28 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"CTsysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [10/29/2002 09:18 AM]
"CTDVDDet"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [12/16/2007 8:10:25 PM]
PowerReg Scheduler .exe [12/29/2007 8:29:50 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:37 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:38 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:39 AM]
PowerReg Scheduler .exe [12/29/2007 8:30:06 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:41 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:42 AM]
PowerReg Scheduler .exe [12/29/2007 8:32:32 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:44 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:46 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:47 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:49 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:49 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:50 AM]
PowerReg Scheduler .exe [12/29/2007 8:30:51 AM]
PowerReg Scheduler .exe [12/29/2007 8:32:06 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:54 AM]
PowerReg Scheduler .exe [12/29/2007 8:33:58 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:58 AM]
PowerReg Scheduler .exe [12/29/2007 8:27:59 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:00 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:01 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:03 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:04 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:05 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:07 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:09 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:10 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:12 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:14 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:16 AM]
PowerReg Scheduler .exe [12/29/2007 8:31:47 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:19 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:21 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:22 AM]
PowerReg Scheduler .exe [12/29/2007 8:32:05 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:25 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:27 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:29 AM]
PowerReg Scheduler .exe [12/29/2007 8:31:32 AM]
PowerReg Scheduler .exe [12/29/2007 8:28:32 AM]
PowerReg Scheduler.exe [12/29/2007 8:28:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/6/2007 5:36:36 PM]
DESKTOP.INI [9/3/2002 9:00:00 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/19/2004 7:10:52 AM]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [12/30/2006 11:07:51 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaya

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-29 08:41:29 ------------




Extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1022.07 MiB / 621.3 MiB
Pagefile Memory (total/avail): 2926.15 MiB / 2591.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.69 GiB total, 2.62 GiB free.
D: is CDROM (No Media)
E: is CDROM (Unformatted)
G: is Fixed (FAT32) - 232.83 GiB total, 139.79 GiB free.
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400JD-75HKA1 - 37.25 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 33.69 GiB - C:
\PARTITION2 - Unknown - 3.5 GiB

\\.\PHYSICALDRIVE2 - Brother MFC-240C USB Device

\\.\PHYSICALDRIVE1 - WD 2500JB External USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Unknown - 232.88 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: COMODO Firewall Pro v2.3.035 (COMODO) Disabled
AV: avast! antivirus 4.7.1098 [VPS 071228-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michael\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MEANMACHINE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michael
LOGONSERVER=\\MEANMACHINE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Michael\LOCALS~1\Temp
TMP=C:\DOCUME~1\Michael\LOCALS~1\Temp
USERDOMAIN=MEANMACHINE
USERNAME=Michael
USERPROFILE=C:\Documents and Settings\Michael
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Michael (admin)
Ken
Kristin (admin)
Administrator.MEANMACHINE (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2\Program\Ctzapxx.EXE" /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
AT&T Internet Security Wizard 1.5.11 --> "C:\Program Files\AT&T\Internet Security Wizard\unins000.exe"
AT&T Toolbar --> C:\Program Files\blstoolbar\uninstall.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BellSouth® Scan and Clean Tool --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{2FFA13E8-7E10-4CA2-A004-9582DFE20E32}
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}\Setup.exe" -l0x9 Brunin03.dll -removeonly
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
e-Watch Camera Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{88EFC79A-2079-41B5-9FB7-EB0CA7463936}" -l0x9
EarthLink Setup Files --> MsiExec.exe /X{9B2CFE3B-7F55-4786-A20D-BB244914F6D8}
Folding@Home --> C:\WINDOWS\system32\GKSUI18.EXE C:\Program Files\Folding@Home\UninstallCC64.DAT
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Huffyuv AVI lossless video codec (Remove Only) --> rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\HUFFYUV.INF
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iriver plus 3 (remove only) --> "C:\Program Files\iriver\iriver plus 3\uninstall.exe"
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Mega Codec Pack 1.53 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
KJClipper 1.12 --> "C:\Program Files\KJClipper\unins000.exe"
KoolMoves 5.2.2 --> "C:\Program Files\KoolMoves\unins000.exe"
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Magic Swf2Gif 1.34 --> "C:\Program Files\Magic Swf2Gif\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{91170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities 4.13 --> MsiExec.exe /I{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton Spyware Scan provided by Yahoo! --> C:\PROGRA~1\Yahoo!\common\unynss.exe
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PaperPort --> MsiExec.exe /I{71C97545-E547-4A8B-B0C8-61FF853270AC}
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PictureProject In Touch Downloader 1.0 --> C:\Program Files\PictureProject In Touch Downloader\uninst.exe
Poker Superstars Deluxe (remove only) --> "C:\Program Files\Yahoo! Games\Poker Superstars Deluxe\Uninstall.exe"
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
Publix Preschool Pals --> C:\WINDOWS\Publix Preschool Pals Uninstaller.exe
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rosetta Stone 2.1.5.1A --> "C:\Program Files\Rosetta Stone\RS2.1.5.1A_Support\Uninstall_Rosetta Stone 2.1.5.1A\Uninstall Rosetta Stone 2.1.5.1A.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
setup (Remove only) --> C:\WINDOWS\rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\setup.inf,DefaultUninstall
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sound Blaster Audigy 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E82BF103-904F-49C0-B77F-6EC110B71E87}\setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Visual Link Spanish™ - CD-ROM --> MsiExec.exe /I{B42417BD-A1DF-4F2B-BE6F-C53E8A5C01D1}
Visual Link Spanish™ - Pronunciation --> MsiExec.exe /I{7232B3D6-A079-4CCB-B4E9-D697F07D13E4}
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WNW Five Language Dictionary v1.9 --> C:\Program Files\Accent\WNWFLD\Uninstal.exe
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type14653 / Error
Event Submitted/Written: 12/29/2007 08:40:48 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type14652 / Error
Event Submitted/Written: 12/29/2007 08:40:48 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type14651 / Error
Event Submitted/Written: 12/29/2007 08:40:48 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type14650 / Error
Event Submitted/Written: 12/29/2007 08:40:48 AM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type14649 / Error
Event Submitted/Written: 12/29/2007 08:40:48 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type100169 / Error
Event Submitted/Written: 12/28/2007 10:32:19 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type100168 / Error
Event Submitted/Written: 12/28/2007 10:32:19 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type100153 / Error
Event Submitted/Written: 12/28/2007 09:41:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The IMAPI CD-Burning COM Service service failed to start due to the following error:
%%1053

Event Record #/Type100152 / Error
Event Submitted/Written: 12/28/2007 09:41:01 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

Event Record #/Type100122 / Error
Event Submitted/Written: 12/28/2007 09:25:49 PM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.



-- End of Deckard's System Scanner: finished at 2007-12-29 08:41:29 ------------

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 29 December 2007 - 10:12 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\ddaya.exe
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ddaya.dll
C:\VundoFix Backups


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


I now need you to do the following if you will:
First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\5C9DFACD9F.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\5C9DFACD9F.dll
Then click on 'Send File'.
Post the results into your next reply.

Also post a new Hijackthis log please.

#11 Foo Man

  • Topic Starter
  • Members
  • 40 posts

Posted 29 December 2007 - 10:33 AM

I accidentally rebooted before copying and pasting the log, so I did it again after the restart:

C:\WINDOWS\system32\ddaya.exe moved successfully.
C:\WINDOWS\system32\ayadd.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ddaya.dll scheduled to be moved on reboot.
File/Folder C:\VundoFix Backups not found.

Created on 12292007_103211


#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 29 December 2007 - 10:50 AM

Post the Jotti/VirusTotal file scan results please.

#13 Foo Man

  • Topic Starter
  • Members
  • 40 posts

Posted 29 December 2007 - 10:59 AM

I don't know if I posted this correctly, but here are the results of the VirusTotal scan:

Antivirus      Version         Last Update  Result
AhnLab-V3      2007.12.29.11   2007.12.29   -
AntiVir        7.6.0.46        2007.12.28   -
Authentium     4.93.8          2007.12.29   -
Avast          4.7.1098.0      2007.12.28   -
AVG            7.5.0.516       2007.12.29   -
BitDefender    7.2             2007.12.29   -
CAT-QuickHeal  9.00            2007.12.29   -
ClamAV         0.91.2          2007.12.29   -
DrWeb          4.44.0.09170    2007.12.29   -
eSafe          7.0.15.0        2007.12.27   -
eTrust-Vet     31.3.5410       2007.12.29   -
Ewido          4.0             2007.12.29   -
FileAdvisor    1               2007.12.29   -
Fortinet       3.14.0.0        2007.12.29   -
F-Prot         4.4.2.54        2007.12.28   -
F-Secure       6.70.13030.0    2007.12.28   -
Ikarus         T3.1.1.15       2007.12.29   -
Kaspersky      7.0.0.125       2007.12.29   -
McAfee         5195            2007.12.28   -
Microsoft      1.3109          2007.12.29   -
NOD32v2        2755            2007.12.29   -
Norman         5.80.02         2007.12.28   -
Panda          9.0.0.4         2007.12.29   -
Prevx1         V2              2007.12.29   -
Rising         20.24.52.00     2007.12.29   -
Sophos         4.24.0          2007.12.29   -
Sunbelt        2.2.907.0       2007.12.28   -
Symantec       10              2007.12.29   -
TheHacker      6.2.9.174       2007.12.28   -
VBA32          3.12.2.5        2007.12.29   -
VirusBuster    4.3.26:9        2007.12.29   -
Additional information
File size: 80 bytes
MD5: cbbf9d488ffd358fd83d084723a2444d
SHA1: e425c12304ee5c6216e38048cc6f8ee0b4f23c88
PEiD: -

#14 Foo Man

  • Topic Starter
  • Members
  • 40 posts

Posted 29 December 2007 - 11:01 AM

HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:09 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_7b.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn3\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddaya.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {96A3EF0E-74B6-47B0-B173-8968837390C9} - C:\WINDOWS\system32\ddaya.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTsysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] SOFTWARE\Microsoft\Windows\CurrentVersion\Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Folding@Home 5.03.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Folding@Home 5.03.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 18645 bytes

#15 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 29 December 2007 - 11:33 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\ddaya.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler .exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler .exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler .exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm082YYUS
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Also post a new Hijackthis log please.